[apparmor] [patch] syslog-ng - capability dac_read_search

Steve Beattie steve at nxnw.org
Sat Jan 7 00:09:50 UTC 2012

On Fri, Jan 06, 2012 at 01:30:07AM +0100, Christian Boltz wrote:
> Peter didn't mention details on the mailing list. It _seems_ to be caused 
> by a new syslog-ng version. Some searching brought up 
> https://bugzilla.novell.com/show_bug.cgi?id=731876 (search for 
> "capability" there).
> Some quotes from the bug report:
> -----------------------------------------------------------------------
> Error managing capability set, cap_set_proc returned an error; caps='=
> cap_syslog+ep 
> cap_chown,cap_dac_override,cap_fowner,cap_net_bind_service+p
> cap_dac_read_search+e', error='Operation not permitted (1)'
> -----------------------------------------------------------------------
> There was also a capability related message: it's coming from AppArmor. 
> It's ugly, but still works fine. I try to investigate this, but 
> audit.log does not show anything...
> -----------------------------------------------------------------------

Ah, this is an interesting interaction between cap_set_proc(3) and
apparmor's capabilities, where syslog-ng is trying to set its effective
set of capabilities to include those outside of what is permitted in
the profile. It might be useful if apparmor logged attempts to do this.

Anyway, I think the original patch to add cap_dac_search to the
syslog-ng profile is okay, so an ack from me. It would be kind of nice
to know why syslog-ng needs to access files and directories that it
doesn't have DAC permissions for.

Steve Beattie
<sbeattie at ubuntu.com>
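As an added example (not from this thread or from syslog-ng), a small Python parser for the cap_from_text(3)-style string quoted in the bug report, which lists any capability requested in the effective set without also being in the permitted set. The kernel's capset(2), which cap_set_proc(3) wraps, rejects such a request with EPERM on its own, so it is the first thing worth checking in a log line like the one above. Function names are my own.

```python
import re
from typing import Dict, List, Set

FLAGS = "epi"  # effective, permitted, inheritable

def parse_cap_text(text: str) -> Dict[str, Set[str]]:
    """Parse a cap_from_text(3)-style string into the three flag sets.

    Supports named capabilities, comma lists, the operators + - = and the
    bare '=' (or 'all=') clause that clears every set, which is all that the
    quoted syslog-ng message needs. 'all' with flags is not implemented.
    """
    sets: Dict[str, Set[str]] = {f: set() for f in FLAGS}
    for clause in text.split():
        m = re.match(r"([a-z0-9_,]*)((?:[+=-][epi]*)+)$", clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        names = [n for n in m.group(1).split(",") if n]
        caps = None if (not names or names == ["all"]) else set(names)
        for op, flags in re.findall(r"([+=-])([epi]*)", m.group(2)):
            if caps is None and (op != "=" or flags):
                raise NotImplementedError(f"'all' with flags: {clause!r}")
            for f in FLAGS:
                if op == "=":  # raise the named flags, lower the others
                    if caps is None:
                        sets[f] = set()
                    else:
                        sets[f] -= caps
                        if f in flags:
                            sets[f] |= caps
                elif op == "+" and f in flags:
                    sets[f] |= caps
                elif op == "-" and f in flags:
                    sets[f] -= caps
    return sets

def effective_not_permitted(text: str) -> List[str]:
    """Capabilities that capset(2) would refuse: in 'e' but not in 'p'."""
    sets = parse_cap_text(text)
    return sorted(sets["e"] - sets["p"])

# The caps= value from the syslog-ng error message quoted in the bug report.
SYSLOG_NG_CAPS = ("= cap_syslog+ep "
                  "cap_chown,cap_dac_override,cap_fowner,cap_net_bind_service+p "
                  "cap_dac_read_search+e")

if __name__ == "__main__":
    print("effective but not permitted:", effective_not_permitted(SYSLOG_NG_CAPS))
```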