[apparmor] [patch] syslog-ng - capability dac_read_search
John Johansen
john.johansen at canonical.com
Sat Jan 7 00:12:49 UTC 2012
On 01/06/2012 04:09 PM, Steve Beattie wrote:
> On Fri, Jan 06, 2012 at 01:30:07AM +0100, Christian Boltz wrote:
>> Peter didn't mention details on the mailinglist. It _seems_ to be caused
>> by a new syslog-ng version. Some searching brought up
>> https://bugzilla.novell.com/show_bug.cgi?id=731876 (search for
>> "capability" there).
>>
>> Some quotes from the bugreport:
>> -----------------------------------------------------------------------
>> Error managing capability set, cap_set_proc returned an error; caps='=
>> cap_syslog+ep
>> cap_chown,cap_dac_override,cap_fowner,cap_net_bind_service+p
>> cap_dac_read_search+e', error='Operation not permitted (1)'
>> -----------------------------------------------------------------------
>> There was also a capability related message: it's coming from AppArmor.
>> It's ugly, but still works fine. I try to investigate this, but
>> audit.log does not show anything...
>> -----------------------------------------------------------------------
>
> Ah, this is an interesting interaction between cap_set_proc(3) and
> apparmor's capabilities, where syslog-ng is trying to set its effective
> set of capabilities to include those outside of what is permitted in
> the profile. It might be useful if apparmor logged attempts to do this.
>
hrmmm, well there was a bug wrt this and it was patched so newer kernels
should log unknown caps in complain mode.
> Anyway, I think the original patch to add cap_dac_search to the
> syslog-ng profile is okay, so an ack from me. It would be kind of nice
> to know why syslog-ng needs to access files and directories that it
> doesn't have DAC permissions for.
>
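The capability string quoted from the bug report can be checked mechanically before touching the profile. The following is an added example (not code from the thread, from syslog-ng or from the AppArmor project): it parses the libcap text format that cap_from_text(3) reads and cap_set_proc(3) quotes in its error, reports effective bits that have no matching permitted bit (a set the kernel's capset() refuses with EPERM on its own, before any profile is consulted), and then compares the capabilities the process asks for with the `capability` rules of a profile fragment. The profile fragment is constructed for the example and is not the distribution's syslog-ng profile; the capability name table is the kernel's own list.

```python
"""Check a libcap capability string against the kernel's effective-subset-of-
permitted rule and against the 'capability' rules of an AppArmor profile."""

import re

# Linux capability names in kernel numbering order (include/uapi/linux/capability.h).
CAP_NAMES = ["cap_" + n for n in (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore").split()]
ALL_CAPS = frozenset(CAP_NAMES)


def parse_cap_text(text):
    """Return {'e': set, 'p': set, 'i': set} for a libcap text string.

    Clauses are whitespace separated: <caps>[=+-][epi]...  where <caps> is a
    comma list of names, 'all', or empty (meaning all).  '=' first clears the
    named caps from every set and then adds the listed flags; '+' adds flags;
    '-' removes them.  Clauses apply left to right, as cap_from_text(3) does.
    """
    sets = {"e": set(), "p": set(), "i": set()}
    for clause in text.split():
        pos = next((k for k, ch in enumerate(clause) if ch in "=+-"), None)
        if pos is None:
            raise ValueError("clause without operator: %r" % clause)
        names, ops = clause[:pos], clause[pos:]
        if names in ("", "all"):
            caps = set(ALL_CAPS)
        else:
            caps = {n.lower() for n in names.split(",")}
            unknown = caps - ALL_CAPS
            if unknown:
                raise ValueError("unknown capability name(s): " + ", ".join(sorted(unknown)))
        parsed = re.findall(r"([=+-])([epi]*)", ops)
        if "".join(op + flags for op, flags in parsed) != ops:
            raise ValueError("bad flag list in clause: %r" % clause)
        for op, flags in parsed:
            if op == "=":
                for f in "epi":
                    sets[f] -= caps
            for f in flags:
                if op == "-":
                    sets[f] -= caps
                else:
                    sets[f] |= caps
    return sets


def effective_not_permitted(sets):
    """Effective bits without a permitted bit: capset() rejects these with EPERM."""
    return sorted(sets["e"] - sets["p"])


def profile_capabilities(profile_text):
    """Names granted by 'capability ...,' rules in a profile fragment.
    A bare 'capability,' rule grants every capability."""
    granted = set()
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^capability(?:\s+([\w\s]+?))?\s*,$", line)
        if not m:
            continue
        if m.group(1) is None:
            return set(ALL_CAPS)
        granted.update("cap_" + n.lower() for n in m.group(1).split())
    return granted


def caps_outside_profile(sets, profile_text):
    """Capabilities wanted in the effective or permitted set that the profile
    does not grant; AppArmor denies these at the point of use."""
    return sorted((sets["e"] | sets["p"]) - profile_capabilities(profile_text))


# The caps string quoted from the syslog-ng error in the bug report.
SYSLOG_NG_CAPS = ("= cap_syslog+ep "
                  "cap_chown,cap_dac_override,cap_fowner,cap_net_bind_service+p "
                  "cap_dac_read_search+e")

# Constructed profile fragment for this example (not the packaged profile):
# the capability rules as they would look before the patch in the subject line.
PROFILE_BEFORE = """
# constructed syslog-ng-style capability rules
capability chown,
capability dac_override,
capability fowner,
capability net_bind_service,
capability syslog,
"""
PROFILE_AFTER = PROFILE_BEFORE + "capability dac_read_search,\n"

if __name__ == "__main__":
    sets = parse_cap_text(SYSLOG_NG_CAPS)
    print("effective but not permitted:     ", effective_not_permitted(sets))
    print("not granted by profile (before): ", caps_outside_profile(sets, PROFILE_BEFORE))
    print("not granted by profile (after):  ", caps_outside_profile(sets, PROFILE_AFTER))
```

Run against the string from the bug report, both checks name cap_dac_read_search: it is raised into the effective set without a permitted bit, and the constructed pre-patch profile has no rule for it; with `capability dac_read_search,` added, the profile check comes back empty. To see the AppArmor side of such a denial in audit.log rather than only the cap_set_proc error, run the profile in complain mode on a kernel that carries the logging fix mentioned in the reply.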
More information about the AppArmor mailing list