Selecting grsecurity's "Proc restrictions" may break a few things. One of them is rsyslog's kernel logging capability. Upon booting, this message would show up in my kern.log:
kernel: imklog: Cannot read proc file system, 1.
One way to solve this problem is to assign rsyslog to a special group (defined during the kernel configuration phase) whose members are able to view all processes, network-related information, and kernel and symbol information.
I do not like to give rsyslog root privileges (albeit read-only) over the proc file system, so I started digging around the net and found this article outlining an elegant solution to a bug which essentially causes the same problem I am having: rsyslog cannot access /proc/kmsg.
For my future reference I will replicate the solution given. In summary, we are going to pipe messages from /proc/kmsg (which we do not have permission to see) to a directory fully owned by rsyslog. The magic is done by the configuration file shown below.
Create a file named rsyslog-kmsg.conf in /etc/init/ and copy the text below.
-----8<-----
# rsyslog-kmsg - feed /proc/kmsg into rsyslog
#
# This service is used to feed output from /proc/kmsg into rsyslog so
# it does not need to be privileged.

description "feed /proc/kmsg into rsyslog"

start on starting rsyslog
stop on stopped rsyslog

respawn

pre-start script
    mkdir -p /var/run/rsyslog
    chown syslog:syslog /var/run/rsyslog
    [ -e /var/run/rsyslog/kmsg ] || mkfifo -m 600 /var/run/rsyslog/kmsg
    chown syslog:syslog /var/run/rsyslog/kmsg
end script

exec dd bs=1 if=/proc/kmsg of=/var/run/rsyslog/kmsg

post-stop script
    rm /var/run/rsyslog/kmsg
end script
----->8-----
Call rsyslog-kmsg using the upstart-job mechanism:
# ln -s /lib/init/upstart-job /etc/init.d/rsyslog-kmsg
In /etc/rsyslog.conf, change the value of $KLogPath from /proc/kmsg (borked) to /var/run/rsyslog/kmsg (the FIFO we defined in the config file):
# vi /etc/rsyslog.conf
$KLogPath /var/run/rsyslog/kmsg #changed from /proc/kmsg
Then restart rsyslog:
# restart rsyslog
Everything should work now. Check by tailing kern.log and verifying that something has been written there.
# tail /var/log/kern.log
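To confirm that the FIFO hand-off ended up the way the Upstart job and the rsyslog.conf change above intend, the following check script is an added example (not part of the original solution or of rsyslog). The function names are hypothetical, the paths and the syslog user are the ones used above, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the /proc/kmsg -> FIFO hand-off described in this post.
# check_kmsg_fifo and check_klogpath are hypothetical helper names.

# check_kmsg_fifo FIFO OWNER
# Succeeds only if FIFO is a named pipe, owned by OWNER, with mode 600,
# and its parent directory is owned by OWNER as well.
check_kmsg_fifo() {
    fifo=$1; owner=$2
    [ -p "$fifo" ] || { echo "FAIL: $fifo is not a FIFO"; return 1; }
    [ "$(stat -c %U "$fifo")" = "$owner" ] ||
        { echo "FAIL: $fifo is not owned by $owner"; return 1; }
    [ "$(stat -c %a "$fifo")" = "600" ] ||
        { echo "FAIL: $fifo mode is not 600"; return 1; }
    [ "$(stat -c %U "$(dirname "$fifo")")" = "$owner" ] ||
        { echo "FAIL: parent directory is not owned by $owner"; return 1; }
    echo "OK: $fifo"
}

# check_klogpath CONF FIFO
# Succeeds only if the last uncommented $KLogPath line in CONF names FIFO
# (directive matched exactly as it is spelled in this post).
check_klogpath() {
    conf=$1; fifo=$2
    value=$(awk '$1 == "$KLogPath" { v = $2 } END { print v }' "$conf")
    [ "$value" = "$fifo" ] ||
        { echo "FAIL: \$KLogPath is '${value}', expected $fifo"; return 1; }
    echo "OK: \$KLogPath -> $fifo"
}

# Run the audit with the values from this post only when asked to.
if [ "${1:-}" = "--audit" ]; then
    check_kmsg_fifo /var/run/rsyslog/kmsg syslog
    check_klogpath /etc/rsyslog.conf /var/run/rsyslog/kmsg
fi
```

Run it as root with the --audit argument after restarting rsyslog; a FAIL line names the property that does not match the setup above.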
---
Hi Dako,
Thank you for re-posting this solution (I couldn't access the original). It worked a treat for me on Ubuntu 11.10.
Trevdog.