[apparmor] [patch] sbin.syslog-ng profile fixes

John Johansen john.johansen at canonical.com
Thu Sep 15 19:19:37 UTC 2011


On 09/15/2011 12:16 PM, Christian Boltz wrote:
> Hello,
> 
> based on feedback for the openSUSE package in Factory by the syslog-ng
> maintainer, Peter Czanik:
> 
> sbin.syslog-ng profile:
> - fix permissions for additional-log-sockets.conf (the comma in {var/,} 
>   was at the wrong place, which broke the /var/run/ case)
> - add read permissions for /sys/devices/system/cpu/online
>   (that was even new for Peter, but I trust him not to post faked 
>   audit.log lines ;-)
> 
> 
> === modified file 'profiles/apparmor.d/sbin.syslog-ng'
> --- profiles/apparmor.d/sbin.syslog-ng  2011-08-18 22:27:03 +0000
> +++ profiles/apparmor.d/sbin.syslog-ng  2011-09-15 19:08:32 +0000
> @@ -38,6 +38,7 @@
>    /etc/hosts.deny r,
>    /etc/hosts.allow r,
>    /sbin/syslog-ng mr,
> +  /sys/devices/system/cpu/online r,
>    /usr/share/syslog-ng/** r,
>    # chrooted applications
>    @{CHROOT_BASE}/var/lib/*/dev/log w,
> @@ -45,7 +46,7 @@
>    @{CHROOT_BASE}/var/log/** w,
>    @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
>    @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
> -  /{var,/}run/syslog-ng/additional-log-sockets.conf r,
> +  /{var/,}run/syslog-ng/additional-log-sockets.conf r,
>  
>    # Site-specific additions and overrides. See local/README for details.
>    #include <local/sbin.syslog-ng>
> 
> 
Acked-by: John Johansen <john.johansen at canonical.com>



More information about the AppArmor mailing list