How to Resolve "Permission Denied" Error for syslog-ng Due to AppArmor Restrictions

Article ID: 397516


Products

VMware Telco Cloud Automation

Issue/Introduction

When running the syslog-ng service on Photon OS, the following error is observed in the service logs:

May 14 10:32:51 workernode audit[XXXXXX]: AVC apparmor="DENIED" operation="open" profile="syslog-ng" name="/var/log/" pid=XXXXXX comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Additionally, AppArmor audit logs show entries like:

audit[PID]: AVC apparmor="DENIED" operation="open" profile="syslog-ng" name="/var/log/" pid=XXXXX comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This indicates that AppArmor is preventing syslog-ng from accessing the /var/log directory.

Environment

TCA 2.x and 3.x

Cause

The AppArmor profile for syslog-ng does not include permission to access the /var/log/ directory and its contents.
By default, restrictive AppArmor rules can block applications from accessing certain directories unless explicitly allowed.

Resolution

To allow syslog-ng to access /var/log/ and its contents, perform the following steps.

Create the file /etc/apparmor.d/local/sbin.syslog-ng with the following content:

/var/log r,
owner /var/log/ r,
/var/log/** r,
owner /var/log/** r,

Restart apparmor and syslog-ng:

systemctl restart apparmor
systemctl restart syslog-ng
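
To check which paths the syslog-ng profile is being denied, and that no denials remain once the services are restarted, the AVC lines shown above can be summarized per path. The script below is an added example, not part of the original article; the function names, the sample PIDs, the /var/log/messages path and the "example-other" profile are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the KB article): summarize AppArmor denials for one
# profile, to see which paths need rules and that none remain after the fix.

# summarize_denials PROFILE
# Reads log text on stdin; prints "count profile operation path denied_mask"
# for each distinct denial of PROFILE, most frequent first.
summarize_denials() {
    awk -v want="$1" '
    # Value of key="value" on the current line, or "" when the key is absent.
    function field(key,    start, rest, stop) {
        start = index($0, " " key "=\"")
        if (start == 0) return ""
        rest = substr($0, start + length(key) + 3)
        stop = index(rest, "\"")
        return stop ? substr(rest, 1, stop - 1) : ""
    }
    field("apparmor") == "DENIED" && field("profile") == want {
        seen[want " " field("operation") " " field("name") " " field("denied_mask")]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k4,4
}

# Constructed sample input in the format shown in the article.
sample_log() {
    cat <<'EOF'
May 14 10:32:51 workernode audit[1201]: AVC apparmor="DENIED" operation="open" profile="syslog-ng" name="/var/log/" pid=1201 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 14 10:32:52 workernode audit[1201]: AVC apparmor="DENIED" operation="open" profile="syslog-ng" name="/var/log/" pid=1201 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 14 10:32:52 workernode audit[1201]: AVC apparmor="DENIED" operation="open" profile="syslog-ng" name="/var/log/messages" pid=1201 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 14 10:32:53 workernode audit[1350]: AVC apparmor="DENIED" operation="open" profile="example-other" name="/etc/example.conf" pid=1350 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 14 10:32:54 workernode systemd[1]: Started syslog-ng.
EOF
}

# Demo run on the constructed sample.
sample_log | summarize_denials syslog-ng
```

On a node, pipe the same log source that showed the denials into summarize_denials instead of sample_log. An empty result for the period after the restart means the local rules cover what syslog-ng reads.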