[apparmor] [PATCH] 04/04 policy syslog unix socket policy updates

Seth Arnold seth.arnold at canonical.com
Wed Sep 3 19:15:12 UTC 2014 

On Wed, Aug 27, 2014 at 04:53:03PM -0500, Jamie Strandboge wrote:
> On 08/27/2014 04:34 PM, Jamie Strandboge wrote:
> 
> > Starting a subthread for some additions to John's patches. This series assumes
> > John's 12 patches are applied and includes updates to the apparmor.d man page
> > and some policy updates. I expect I might have to adjust this a bit, but wanted
> > to send it up for comment. Let's have an ACK mean to apply it once it is safe to
> > do so.
> > 
> When testing rsyslog confinement, I noticed it needed this added to its policy:
>   unix (receive) type=dgram,
>   unix (receive) type=stream,
> 
> I don't have syslogd and syslog-ng systems to test this on, but it seemed to
> make sense to add the above for sbin.syslogd and sbin.syslog-ng. If someone can
> confirm or even confirm that type=stream should *not* be used with either/both
> of these, I can adjust the policy as needed.
> 
> -- 
> Jamie Strandboge                 http://www.ubuntu.com/


Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> Author: Jamie Strandboge <jamie at canonical.com>
> Description: add unix rules for syslog
> 
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslogd
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/sbin.syslogd
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslogd
> @@ -23,6 +23,9 @@
>    capability setgid,
>    capability syslog,
>  
> +  unix (receive) type=dgram,
> +  unix (receive) type=stream,
> +
>    /dev/log                      wl,
>    /var/lib/*/dev/log            wl,
>  
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslog-ng
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/sbin.syslog-ng
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslog-ng
> @@ -30,6 +30,9 @@
>    capability sys_resource,
>    capability syslog,
>  
> +  unix (receive) type=dgram,
> +  unix (receive) type=stream,
> +
>    /dev/log w,
>    /dev/syslog w,
>    /dev/tty10 rw,




> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140903/3b5faa81/attachment-0001.pgp>

More information about the AppArmor mailing list