[apparmor] AppArmor - dac_override questions
jszigetvari at gmail.com
Sun Oct 25 16:14:18 UTC 2015
2015-10-25 0:37 GMT+02:00 Christian Boltz <apparmor at cboltz.de>:
> If I understand your mail right, you are running syslog-ng as a non-root
> user (correct?). Therefore it isn't allowed to read the root-only
> /proc/kmsg, with or without an AppArmor profile.
Yes, you are right. What you wrote is covering the use case I described.
> AppArmor never *adds* permissions, it only restricts them.
> This also means that a "capability dac_override," rule is only relevant
> and helpful for processes running as root. Processes running as non-
> root will hit the usual Linux DAC restrictions (+ possibly additional
> restrictions by the AppArmor profile).
Thanks for pointing this out. I thought I could (also) add additional
capabilities/rights to user processes as well via their respective AppArmor
> To confirm this, chmod go+r /proc/kmsg and try again. If it works
> afterwards, my guess was right - if not, I was wrong ;-)
Well, actually changing group ownership and readability solves the problem,
but then another one arises:
How could one permanently change the ownership/access rights of a file on a
pseudo filesystem? (This holds true for both the /proc/kmsg and the
The most sane solution I came across for /proc/kmsg would be to change the
syslog-ng init script to check and change the ownership and access rights
For /dev/xconsole, perhaps a custom udev rule would give the best results.
Anyway, this problem is out of scope for this mailing list.
Also, what you told me leads me to believe that using any capability
specifications in non-root processes' profiles would make very little sense.
Of course, the possibility of additional file and network access
restrictions that one can impose on non-root processes with AppArmor does
validate its usefulness for user processes as well.
All-in-all, thanks for your help!
RHCE, License no. 150-053-692
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
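The check the thread arrives at (for a non-root service the DAC mode bits decide, and a profile rule such as "capability dac_override," cannot add what DAC denies) written out as a small shell routine, plus the init-script style fix the poster mentions. This is an added example, not code from the thread or from syslog-ng; it assumes Linux with GNU coreutils (stat -c, id -G), and the user and group names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or the syslog-ng project.
# Assumes Linux with GNU coreutils (stat -c, id -G). The mode-bit logic follows
# the kernel's DAC rule: exactly ONE class of bits is consulted (owner if the
# uid matches, otherwise group if any of the user's gids matches, otherwise
# "other"). An AppArmor profile can only narrow this result, never widen it.

# dac_mode_allows_read UID "GID GID ..." FILE -> 0 if the mode bits grant read
dac_mode_allows_read() {
    uid=$1; gids=$2; file=$3
    out=$(stat -c '%u %g %a' "$file") || return 1
    set -- $out
    f_uid=$1; f_gid=$2; mode=$3
    mode=$(printf '%03d' "$mode"); mode=${mode#"${mode%???}"}  # rwx digits only
    if [ "$uid" -eq "$f_uid" ]; then
        digit=${mode%??}                        # owner class
    elif printf '%s\n' $gids | grep -qx "$f_gid"; then
        digit=${mode%?}; digit=${digit#?}       # group class
    else
        digit=${mode#??}                        # other class
    fi
    [ $((digit & 4)) -ne 0 ]
}

# dac_can_read USER FILE -> 0 if USER could open FILE for reading under DAC.
# Root is special-cased: CAP_DAC_OVERRIDE bypasses the mode bits, which is why
# a "capability dac_override," rule only matters for a process running as root.
dac_can_read() {
    uid=$(id -u "$1") || return 1
    [ "$uid" -eq 0 ] && return 0
    dac_mode_allows_read "$uid" "$(id -G "$1")" "$2"
}

# grant_group_read GROUP FILE: the init-script fix discussed above. It gives the
# service's group read access instead of touching the profile. Needs root for
# files you do not own (e.g. /proc/kmsg); on a pseudo filesystem the change does
# not survive a reboot, which is why it belongs at service start.
grant_group_read() {
    chgrp "$1" "$2" && chmod g+r "$2"
}

# Usage in an init script (hypothetical service user "syslog", group "adm"):
#   dac_can_read syslog /proc/kmsg || grant_group_read adm /proc/kmsg
```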