[apparmor] [Contd.] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

daniel curtis sidetripping at gmail.com
Sun Dec 11 18:08:45 UTC 2016


Hi

Today, I've noticed that two files from the /var/log/ directory, kern.log and
syslog, were empty - nothing logged (0 bytes) - and another two, kern.log.1
and syslog.1, contained logged messages. Strange. I decided to check, for
example, the kern.log.1 file and see what happened. Here's what I've found:

Dec 11 12:18:23 t4 kernel: [ 1791.337390] type=1400
audit(1481455103.558:46): apparmor="DENIED" operation="exec" parent=3052
profile="/etc/cron.daily/logrotate" name="/sbin/runlevel" pid=3053
comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Dec 11 12:18:23 t4 kernel: [ 1791.383597] type=1400
audit(1481455103.602:47): apparmor="DENIED" operation="open" parent=3051
profile="/etc/cron.daily/logrotate" name="/etc/lsb-base-logging.sh"
pid=3055 comm="arpon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Dec 11 12:18:33 t4 kernel: [ 1801.478499] type=1400
audit(1481455113.702:48): apparmor="DENIED" operation="capable" parent=3044
profile="/etc/cron.daily/logrotate" pid=3049 comm="logrotate" capability=4
capname="fsetid"

Dec 11 12:18:33 t4 kernel: [ 1801.498465] type=1400
audit(1481455113.722:49): apparmor="DENIED" operation="exec" parent=3059
profile="/etc/cron.daily/logrotate" name="/sbin/initctl" pid=3060 comm="sh"
requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Dec 11 12:18:33 t4 kernel: [ 1801.499146] type=1400
audit(1481455113.722:50): apparmor="DENIED" operation="capable" parent=3044
profile="/etc/cron.daily/logrotate" pid=3049 comm="logrotate" capability=4
capname="fsetid"

Dec 11 12:18:33 t4 kernel: [ 1801.500504] type=1400
audit(1481455113.722:51): apparmor="DENIED" operation="exec" parent=3061
profile="/etc/cron.daily/logrotate" name="/sbin/initctl" pid=3062 comm="sh"
requested_mask="x" denied_mask="x" fsuid=0 ouid=0

According to the above messages, I would like to ask about the rules which are
needed in the logrotate profile. In my opinion, they could/should look
like:

capability fsetid,

/sbin/initctl mrix,
/sbin/runlevel mrix,

/etc/lsb-base-logging.sh r,

Can someone check if they are OK and secure? I had no idea that the profile
for logrotate would need so many rules and changes.

Best regards.
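As an added example (not part of the original post or of the AppArmor tools), the following script parses DENIED audit records like the ones quoted above and turns each into the minimal candidate profile rule, grouped per profile with a hit count; this is roughly what aa-logprof does interactively. The sample log is the six lines from the post re-joined one record per line; the choice of ix for execs (versus the poster's mrix, or Px/Cx) is left as a comment because the log alone cannot decide it.

```python
import re

# Constructed sample: the six DENIED records quoted in the post, one record per line.
SAMPLE_LOG = """\
Dec 11 12:18:23 t4 kernel: [ 1791.337390] type=1400 audit(1481455103.558:46): apparmor="DENIED" operation="exec" parent=3052 profile="/etc/cron.daily/logrotate" name="/sbin/runlevel" pid=3053 comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Dec 11 12:18:23 t4 kernel: [ 1791.383597] type=1400 audit(1481455103.602:47): apparmor="DENIED" operation="open" parent=3051 profile="/etc/cron.daily/logrotate" name="/etc/lsb-base-logging.sh" pid=3055 comm="arpon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 12:18:33 t4 kernel: [ 1801.478499] type=1400 audit(1481455113.702:48): apparmor="DENIED" operation="capable" parent=3044 profile="/etc/cron.daily/logrotate" pid=3049 comm="logrotate" capability=4 capname="fsetid"
Dec 11 12:18:33 t4 kernel: [ 1801.498465] type=1400 audit(1481455113.722:49): apparmor="DENIED" operation="exec" parent=3059 profile="/etc/cron.daily/logrotate" name="/sbin/initctl" pid=3060 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Dec 11 12:18:33 t4 kernel: [ 1801.499146] type=1400 audit(1481455113.722:50): apparmor="DENIED" operation="capable" parent=3044 profile="/etc/cron.daily/logrotate" pid=3049 comm="logrotate" capability=4 capname="fsetid"
Dec 11 12:18:33 t4 kernel: [ 1801.500504] type=1400 audit(1481455113.722:51): apparmor="DENIED" operation="exec" parent=3061 profile="/etc/cron.daily/logrotate" name="/sbin/initctl" pid=3062 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit record, or None if it is not a DENIED record."""
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2) for m in KV_RE.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def suggest_rule(fields):
    """Translate one denial into the minimal candidate profile rule that would allow it."""
    op = fields.get("operation")
    if op == "capable":
        return f'capability {fields["capname"]},'
    if op == "exec":
        # ix: run the helper under the same confinement. Px/Cx (a separate profile) or
        # the poster's broader 'mrix' (adds mmap and read) are design choices, not log facts.
        return f'{fields["name"]} ix,'
    if "name" in fields and "denied_mask" in fields:
        # File access: 'c' (create) and 'd' (delete) in the audit mask map to 'w' in rules.
        mode = "".join(sorted(set(fields["denied_mask"].replace("c", "w").replace("d", "w"))))
        return f'{fields["name"]} {mode},'
    return None  # network, signal, dbus etc. records are out of scope here


def suggest_rules(log_text):
    """Group distinct candidate rules per profile, counting how many denials each would cover."""
    rules = {}
    for line in log_text.splitlines():
        fields = parse_denial(line)
        rule = suggest_rule(fields) if fields else None
        if rule:
            per_profile = rules.setdefault(fields["profile"], {})
            per_profile[rule] = per_profile.get(rule, 0) + 1
    return rules


if __name__ == "__main__":
    for profile, per_profile in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidates for {profile}", *(f"  {r}  # {n} denial(s)" for r, n in per_profile.items()), sep="\n")
```

Each candidate still has to be reviewed before it goes into the profile: two distinct execs of init-control binaries and a new capability widen what a cron job may do, which is exactly the question the post asks.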