Apparmor - can't find syslog

Trying out Apparmor… It’s enabled and running, but has very few profiles (because Arch doesn’t come with a package of profiles, unlike most distros). However, I can’t generate my own; it claims it can’t find syslog.

Now, I think I have managed to research enough that by default “syslog” is not used in Arch, it logs events to messages.log instead.
…But how do I get apparmor to understand that?

Possibly useful references:

https://wiki.archlinux.org/index.php/AppArmor

https://wiki.archlinux.org/index.php/Syslog-ng

2 Likes

Already looked there. I even tried to install syslog-ng, but all it did was to create a syslog.log that said (simplified) “syslog-ng has started” and didn’t add anything else for an hour. All the events for apps were still logged in messages.log.

Hence confusion.

1 Like

According to https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Failures :

so event logs going to /var/log/messages is probably expected?

So, what specifically is asking for syslog?

Apparmor, specifically aa-genprof says it cannot start because:

ERROR: Can't find system log "/var/log/syslog". Please check permissions.

So I need to either set apparmor to expect logs in messages.log, or change settings for the auditing I guess?

1 Like

It might not be Apparmor as such, it might just be the aa-genprof tool.

1 Like

Ah.

Under aa-genprof -h I get a -f option for logfile path.
Checking /etc/apparmor/logprof.conf it refers to three logs, the middle one being syslog. It seems it expects all three to be there and can’t just skip it.

Edit: Nope, that’s not it. But it seems to be a problem with naming. It couldn’t find “messages” either until I actually typed in the full filename, aka “messages.log”

1 Like

Create it?

sudo touch /var/log/syslog

Well the problem is not if it’s THERE, the “problem” is that it’s not used.

Anyway, I tried generating a profile for vivaldi-snapshot with the -f /var/log/messages.log option and it worked; however, it did not turn out the way I expected.

Unlike what the wiki says, aa-genprof did not put a profile in apparmor.d, it put a symlink there to /opt/vivaldi-snapshot.

So still confused for other reasons.

1 Like

Okay… Got it to work, but for complex programs like a browser it seems almost impossible to generate a profile, I had to give up after about 50 questions, since apparmor popped up a new question about permissions every 0.5 seconds. And unfortunately there seems to be not a single premade profile anywhere for it.

1 Like

Posting this as the solution to the original problem:

Use the -f option and type out the whole path for messages.log like this:

sudo aa-genprof -f /var/log/messages.log appname
1 Like
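
As an added example (not part of the thread or of the AppArmor tools), this sketch shows one way to check which log file actually receives AppArmor events before passing it to aa-genprof -f, so that an empty /var/log/syslog created with touch is skipped. The function names are hypothetical, and the candidate paths are the ones mentioned in this thread.

```shell
#!/bin/sh
# Added example: choose the log file to hand to "aa-genprof -f".
# Function names are hypothetical; candidate paths come from the thread.

# Print the first candidate that is readable and contains AppArmor audit
# events (kernel audit lines carry a key such as apparmor="ALLOWED" or
# apparmor="DENIED"). Returns 1 when no candidate qualifies, which is the
# case for a missing file or an empty one created with touch.
find_aa_log() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -q 'apparmor="' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Build the aa-genprof command line for an application, using the first
# log that really contains AppArmor events.
suggest_genprof_cmd() {
    app=$1
    shift
    log=$(find_aa_log "$@") || return 1
    printf 'sudo aa-genprof -f %s %s\n' "$log" "$app"
}

# Stand-alone use: sh thisfile.sh appname
if [ "$#" -ge 1 ]; then
    suggest_genprof_cmd "$1" \
        /var/log/audit/audit.log /var/log/syslog /var/log/messages.log \
        || echo "no readable log with AppArmor events found" >&2
fi
```

Reading files under /var/log usually requires root, so run the check with the same privileges you will use for aa-genprof.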