added original ubuntu definitions for testing 24.04 packages

rsyslog/noble/v8-stable-testing/00rsyslog.conf

@@ -0,0 +1,12 @@
+# Override systemd's default tmpfiles.d/var.conf to make /var/log writable by
+# the syslog group, so that rsyslog can run as user.
+# See tmpfiles.d(5) for details.
+
+# Type Path    Mode UID  GID  Age Argument
+z /var/log 0775 root syslog -
+z /var/log/auth.log 0640 syslog adm -
+z /var/log/mail.err 0640 syslog adm -
+z /var/log/mail.log 0640 syslog adm -
+z /var/log/kern.log 0640 syslog adm -
+z /var/log/syslog 0640 syslog adm -
+d /var/spool/rsyslog 0700 syslog adm -

rsyslog/noble/v8-stable-testing/50-default.conf

@@ -0,0 +1,48 @@
+#  Default rules for rsyslog.
+#
+#			For more information see rsyslog.conf(5) and /etc/rsyslog.conf
+
+#
+# First some standard log files.  Log by facility.
+#
+auth,authpriv.*			/var/log/auth.log
+*.*;auth,authpriv.none		-/var/log/syslog
+#cron.*				/var/log/cron.log
+#daemon.*			-/var/log/daemon.log
+kern.*				-/var/log/kern.log
+#lpr.*				-/var/log/lpr.log
+mail.*				-/var/log/mail.log
+#user.*				-/var/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+#mail.info			-/var/log/mail.info
+#mail.warn			-/var/log/mail.warn
+mail.err			/var/log/mail.err
+
+#
+# Some "catch-all" log files.
+#
+#*.=debug;\
+#	auth,authpriv.none;\
+#	news.none;mail.none	-/var/log/debug
+#*.=info;*.=notice;*.=warn;\
+#	auth,authpriv.none;\
+#	cron,daemon.none;\
+#	mail,news.none		-/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg				:omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+#	news.=crit;news.=err;news.=notice;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	/dev/tty8

rsyslog/noble/v8-stable-testing/NEWS

@@ -0,0 +1,77 @@
+rsyslog (8.2310.0-3) unstable; urgency=medium
+
+  The sandboxing features enabled in 8.2310.0-1, specifically
+  PrivateDevices=yes, broke the forwarding of messages to /dev/xconsole.
+  It is thus recommended to move the named pipe to /run/ and make
+  /dev/xconsole a symlink pointing at /run/xconsole.
+  The example files /usr/share/doc/rsyslog/examples/tmpfiles.d/xconsole.conf
+  and /usr/share/doc/rsyslog/examples/rsyslog.d/xconsole.conf haven been
+  updated to reflect this new setup.
+  If you have forwarding to xconsole enabled, please update your local
+  configuration in /etc/rsyslog.d and /etc/tmpfiles.d accordingly.
+
+ -- Michael Biebl <[email protected]>  Mon, 27 Nov 2023 08:01:34 +0100
+
+rsyslog (8.2310.0-1) unstable; urgency=medium
+
+  Enable various systemd sandboxing and security hardening features in
+  rsyslog.service.
+
+  The command "systemd-analyze security rsyslog.service" provides an overview
+  of the active security and sandboxing settings.
+
+  Should you run a custom setup which is broken by those changes, you can
+  disable individual settings by creating a drop-in config file for
+  rsyslog.service via "systemctl edit rsyslog.service".
+
+  See also "man capabilities" and "man systemd.exec".
+
+ -- Michael Biebl <[email protected]>  Tue, 10 Oct 2023 17:03:41 +0200
+
+rsyslog (8.2210.0-3ubuntu2) lunar; urgency=medium
+
+  The apparmor profile of rsyslog now defaults to be enforced on a fresh
+  install and upgrades from an earlier version. Upgrades from this version
+  forward won't change the enforcement status.
+
+  Packages that add an rsyslog configuration that might be blocked by the
+  apparmor profile, can add an apparmor configuration snippet in
+
+  /etc/apparmor.d/rsyslog.d/
+
+  This file should preferably be named like <pkg>.apparmor, but only standard
+  backup extensions are excluded. See
+  https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L68
+  for a list.
+
+  When the rsyslog service is started, its systemd unit file first executes
+  the /usr/lib/rsyslog/reload-apparmor-profile script via ExecStartPre. That
+  script will reload the rsyslogd apparmor profile including the configuration
+  snippets in /etc/apparmor.d/rsyslogd.d/, if any.
+
+  The confinement status is not changed.
+
+  After this, the unit proceeds to start rsyslog as usual.
+
+  For more information, check the README.apparmor file in the documentation
+  directory of this package.
+
+ -- Andreas Hasenack <[email protected]>  Sun, 05 Feb 2023 15:42:31 -0300
+
+rsyslog (5.8.1-1) unstable; urgency=low
+
+  The way rsyslog processes SIGHUP has changed. It no longer does a reload
+  of its configuration, but simply closes all open files, which is a much more
+  lightweight operation.
+  To apply a changed configuration, rsyslogd needs to be restarted now.
+  As a consequence, the reload action has been dropped from the init script.
+
+  A new action called "rotate" was added to the init script, which signals
+  rsyslogd to close all open files. This new action is used in the rsyslog
+  logrotate configuration file.
+
+  For more information, see:
+  http://www.rsyslog.com/doc/v4compatibility.html
+  http://www.rsyslog.com/doc/v5compatibility.html
+
+ -- Michael Biebl <[email protected]>  Mon, 30 May 2011 18:26:51 +0200

rsyslog/noble/v8-stable-testing/README.Debian

@@ -0,0 +1,48 @@
+rsyslog for Debian
+==================
+
+Configuration file(s)
+---------------------
+The default configuration file for rsyslog is /etc/rsyslog.conf.
+
+Its format is based on the standard syslog.conf format. As rsyslog
+has a lot more advanced features than sysklogd, it extends this format
+with special configuration directives which all start with the '$'
+prefix. See the rsyslogd(8) and rsyslog.conf(5) man pages for further
+information or install the rsyslog-doc package which provides much
+more detailed documentation.
+
+The Debian default configuration for rsyslog uses:
+
+ $IncludeConfig /etc/rsyslog.d/*.conf
+
+That means, all configuration files in /etc/rsyslog.d/ with a .conf file
+extension are read by rsyslog. This way the rsyslog configuration can be
+extended easily (either by package maintainers or local administrators).
+
+
+Log rotation
+------------
+Rsyslog uses the logrotate(8) utilitiy to rotate the standard Debian
+log files. The configuration file can be found at
+/etc/logrotate.d/rsyslog.
+
+The rotation cycle starts with .1, as this is the logrotate default.
+In contrast to sysklogd, which starts with .0.
+
+When upgrading from sysklogd, the postinst script will automatically
+rotate the existing standard Debian log files, if it is safe to do so
+(i.e. only if .0 is newer than .1).
+
+
+Logging to xconsole
+-------------------
+The default rsyslog configuration no longer forwards any log messages to
+/dev/xconsole. It is simple to re-enable support for xconsole though. For that,
+the rsyslog package ships example files in /usr/share/doc/rsyslog/examples.
+
+To create the /dev/xconsole pipe, copy examples/tmpfiles.d/xconsole.conf to
+/etc/tmpfiles.d/ and then run "systemd-tmpfiles --create xconsole.conf".
+
+And finally copy examples/rsyslog.d/xconsole.conf to /etc/rsyslog.d/ and
+restart the rsyslog service.

rsyslog/noble/v8-stable-testing/README.apparmor

@@ -0,0 +1,132 @@
+# rsyslog and AppArmor
+
+Starting with version 8.2210.0-3ubuntu2, on fresh installs and upgrades from
+earlier versions, rsyslog will be confined by default with AppArmor in enforce
+mode.
+
+The AppArmor profile for rsyslog has a static component, and a dynamic one. It
+all starts with the main profile in `/etc/apparmor.d/usr.sbin.rsyslogd`. That
+profile has an include directive for the dynamic component in
+`/etc/apparmor.d/rsyslog.d`:
+
+    # apparmor snippets for rsyslog from other packages
+    include if exists <rsyslog.d>
+
+All files placed in `/etc/apparmor.d/rsyslog.d` will be included, with the
+exception of standard backup files like files ending in `~`, or with a suffix
+generated by `dpkg` when there was a config file prompt. The full list of
+exclusions is not really documented, but can be inspected in the source code at
+https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L65.
+A `README` file is also ignored.
+
+When `rsyslog` is started, it will reload the apparmor profile, including all
+the snippets that may exist in the `rsyslog.d` include directory. This is done
+via a `ExecStartPre` call in the systemd unit file:
+
+    [Service]
+    Type=notify
+    ExecStartPre=/usr/lib/rsyslog/reload-apparmor-profile
+    ExecStart=/usr/sbin/rsyslogd -n -iNONE
+    ...
+
+Packages (and users) can place apparmor profile config file snippets in
+`/etc/apparmor.d/rsyslog.d/`. It is suggested that the filename be in the form
+of `<pkg>.apparmor`.
+
+For example, the `rsyslog-pgsql` debian package installs this file
+`/etc/apparmor.d/rsyslog.d/rsyslog-pgsql.apparmor`:
+
+    # PostgreSQL local access
+    include <abstractions/openssl>
+    include <abstractions/ssl_certs>
+    /etc/gss/mech.d/ r,
+    /etc/gss/mech.d/* r,
+    /{,var/}run/postgresql/.s.PGSQL.*[0-9] rw,
+
+When `rsyslog` starts, the `reload-apparmor-profile` will run and
+reload the `rsyslogd` apparmor profile just before rsyslogd itself is
+started. Note that the enforcement status of the profile (enforce, complain) is
+not changed.
+
+
+# Troubleshooting
+
+When rsyslog gets something denied, particularly if it's in an output module,
+it will retry a few times and eventually give up. It usually won´t crash, so
+the only way to notice something is wrong is by inspecting the logs, or, well,
+by noticing something isn't working, like logging to a database.
+
+Here are the most useful troubleshooting tips.
+
+
+## Watch the logs
+
+Look for rsyslog errors in the logs, particularly `/var/log/syslog`, or via
+`journalctl -u rsyslog.service -f`. For example, when it can't connect to a
+local MySQL server, messages like these will appear:
+
+    Jan 31 17:27:15 sender rsyslogd[82257]: ommysql: db error (2002): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (13)  [v8.2210.0]
+    Jan 31 17:27:15 sender rsyslogd[82257]: action 'action-8-ommysql' suspended (module 'ommysql'), retry 0. There should be messages before this one giving the reason for suspe>
+
+
+## Inspect dmesg/apparmor
+
+If the rsyslog apparmor profile is interfering with rsyslog, there will be
+messages about it in the `dmesg` output (or in the audit log, if `auditd` is
+installed). For example, for the mysql case:
+
+    [Tue Feb  7 12:35:28 2023] audit: type=1400 audit(1675773329.453:84): apparmor="DENIED" operation="connect" class="file" profile="rsyslogd" name="/run/mysqld/mysqld.sock" pid=15495 comm=72733A6D61696E20513A526567 requested_mask="wr" denied_mask="wr" fsuid=101 ouid=107
+
+Since the rsyslog apparmor profile now may include multiple files from
+`/etc/apparmor.d/rsyslog.d`, it helps to visualize the whole profile as one
+file. The `apparmor_parser` command can be used for that with the `-p` option:
+
+    # apparmor_parser -p /etc/apparmor.d/usr.sbin.rsyslogd
+    ...
+    ##included <rsyslog.d/rsyslog-mysql.apparmor>
+    # MySQL local server access
+    ...
+
+This will show all included files, including abstractions.
+
+
+# Example
+
+Here is an example of what it would look like to adapt a package that ships a
+rsyslog configuration that needs the rsyslog apparmor profile to be adjusted.
+
+The `prometheus-postfix-exporter` adds an rsyslog config that has it write logs
+to `/var/lib/prometheus/postfix-exporter/mail.log`, which is not allowed by the
+base rsyslog apparmor profile.
+
+This is what the fix for this package would look like:
+
+```diff
+
+diff --git a/debian/dirs b/debian/dirs
+index 6d3533d..50d9ad8 100644
+--- a/debian/dirs
++++ b/debian/dirs
+@@ -1,3 +1,4 @@
+ etc/rsyslog.d
++etc/apparmor.d/rsyslog.d
+ var/lib/prometheus/postfix-exporter
+ var/log/prometheus
+diff --git a/debian/rsyslog-prometheus-postfix-exporter.apparmor b/debian/rsyslog-prometheus-postfix-exporter.apparmor
+new file mode 100644
+index 0000000..1b9f85f
+--- /dev/null
++++ b/debian/rsyslog-prometheus-postfix-exporter.apparmor
+@@ -0,0 +1 @@
++  /var/lib/prometheus/postfix-exporter/mail.log rw,
+diff --git a/debian/rules b/debian/rules
+index e8ce2f9..ffcf383 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -16,3 +16,5 @@ override_dh_auto_install:
+ 	dh_auto_install -- --no-source
+ 	install -m644 debian/rsyslog.conf \
+             debian/$(BINNAME)/etc/rsyslog.d/$(BINNAME).conf
++	install -m644 debian/rsyslog-prometheus-postfix-exporter.apparmor \
++			debian/$(BINNAME)/etc/apparmor.d/rsyslog.d
+```

rsyslog/noble/v8-stable-testing/README.apparmor.rsyslog.d

@@ -0,0 +1,16 @@
+# This directory is meant to be used by packages that need to augment the
+# existing rsyslogd profile with extra rules.  All files in here will be
+# included by the /etc/apparmor.d/usr.sbin.rsyslogd profile, subject to the
+# exclusion rules defined in
+#
+# https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L65
+#
+# and
+#
+# https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L132
+#
+# Please check the README.apparmor file in the documentation directory of the
+# rsyslog package for more information.
+#
+# For the usual overrides and other additions by local administrators, please
+# use the /etc/apparmor.d/local/ mechanism.

rsyslog/noble/v8-stable-testing/apparmor/rsyslog-gnutls.apparmor

@@ -0,0 +1,3 @@
+# GnuTLS library rules
+
+  /etc/gnutls/config r,

rsyslog/noble/v8-stable-testing/apparmor/rsyslog-mysql.apparmor

@@ -0,0 +1,20 @@
+# MySQL local server access
+
+include <abstractions/openssl>
+
+/etc/mysql/my.cnf r,
+/etc/mysql/mysql.cnf r,
+/etc/mysql/my.cnf.fallback r,
+
+/etc/mysql/conf.d/ r,
+/etc/mysql/conf.d/mysql.cnf r,
+/etc/mysql/conf.d/mysqldump.cnf r,
+
+/etc/mysql/mysql.conf.d/ r,
+/etc/mysql/mysql.conf.d/mysql.cnf r,
+/etc/mysql/mysql.conf.d/mysqld.cnf r,
+
+/usr/share/mysql/charsets/Index.xml r,
+
+/{,var/}run/mysqld/mysqld.sock rw,
+

rsyslog/noble/v8-stable-testing/apparmor/rsyslog-openssl.apparmor

@@ -0,0 +1,3 @@
+# OpenSSL library rules
+
+  /etc/ssl/openssl.cnf r,

rsyslog/noble/v8-stable-testing/apparmor/rsyslog-pgsql.apparmor

@@ -0,0 +1,9 @@
+# PostgreSQL local access
+
+include <abstractions/openssl>
+include <abstractions/ssl_certs>
+
+/etc/gss/mech.d/ r,
+/etc/gss/mech.d/* r,
+/{,var/}run/postgresql/.s.PGSQL.*[0-9] rw,
+