[apparmor] [patch] several additions for the syslog-ng profiles
Christian Boltz
apparmor at cboltz.de
Wed Oct 7 10:38:51 UTC 2015
Hello,
the latest syslog-ng version needs some more permissions:
- abstractions/openssl (for reading openssl.conf)
- reading /etc/syslog-ng/conf/
- reading the journal
- reading /etc/machine-id (it's unclear why this is needed, therefore
I don't want abstractions/dbus-session-strict for now)
- write access to /run/syslog-ng.ctl
References: https://bugzilla.opensuse.org/show_bug.cgi?id=948584
https://bugzilla.opensuse.org/show_bug.cgi?id=948753
I propose this patch for trunk and 2.9.
[ profiles-syslog-ng-bnc948584.diff ]
=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
--- profiles/apparmor.d/sbin.syslog-ng 2015-03-07 20:16:11 +0000
+++ profiles/apparmor.d/sbin.syslog-ng 2015-10-07 10:33:01 +0000
@@ -20,6 +20,7 @@
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/mysql>
+ #include <abstractions/openssl>
capability chown,
capability dac_override,
@@ -37,7 +38,10 @@
/dev/syslog w,
/dev/tty10 rw,
/dev/xconsole rw,
+ /etc/machine-id r,
/etc/syslog-ng/* r,
+ /etc/syslog-ng/conf.d/ r,
+ /etc/syslog-ng/conf.d/* r,
@{PROC}/kmsg r,
/etc/hosts.deny r,
/etc/hosts.allow r,
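Review bot: the two conf.d rules in this hunk do not match the description, which lists "reading /etc/syslog-ng/conf/" while the profile gains `/etc/syslog-ng/conf.d/ r,` and `/etc/syslog-ng/conf.d/* r,`. One of the two should be corrected so the changelog and the profile agree. The `/etc/machine-id r,` line also deserves a comment in the profile saying that the reason for the access is not yet known, because the message says so but the profile itself will not carry that context. Note that `conf.d/*` matches only entries directly inside the directory. If configuration snippets in subdirectories are expected, the rule needs `**` instead.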
@@ -50,6 +54,10 @@
@{CHROOT_BASE}/var/log/** w,
@{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
@{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+ /var/log/journal/ r,
+ /var/log/journal/*/ r,
+ /var/log/journal/*/*.journal r,
+ /{var/,}run/syslog-ng.ctl a,
/{var/,}run/syslog-ng/additional-log-sockets.conf r,
# Site-specific additions and overrides. See local/README for details.
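Review bot: the added `/{var/,}run/syslog-ng.ctl a,` rule grants append only, while the description asks for write access, and the unchanged line directly above it already grants `rw` on the same file name under @{CHROOT_BASE}. Please state, in a profile comment or in the message, why the existing rule does not cover this case and whether `a` rather than `w` is what the logged denial requested. The three journal rules match only /var/log/journal/, its direct subdirectories and files ending in `.journal`. If the journal is kept elsewhere (for example a non-persistent journal under /run), these rules will not match, so a comment naming the syslog-ng source that needs them would help later readers.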
Regards,
Christian Boltz
--
> And where do you put the backup when the only partition
> is mounted read-only? *SCNR*
Preferably on /dev/null - that's the fastest :-)
[> Christian Boltz and Rainer Kaluscha in suse-linux]