[apparmor] [Contd.] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.
seth.arnold at canonical.com
Mon Dec 12 20:12:33 UTC 2016
On Sun, Dec 11, 2016 at 07:08:45PM +0100, daniel curtis wrote:
> Today, I've noticed that two files from /var/log/ directory: kern.log and
> syslog were empty - nothing logged (0 bytes) and another two: kern.log.1
> and syslog.1 - with logged messages. Strange. I decided to check, for
> example, kern.log.1 file and see what's happened. Here's what I've found:
> According to the above messages I would like to ask about rules, which are
> needed in the logrotate profile. In my opinion, they could/should look like:
> capability fsetid,
> /sbin/initctl mrix,
> /sbin/runlevel mrix,
> /etc/lsb-base-logging.sh r,
This is strange; I'm surprised these weren't discovered earlier.
I think you could use Ux rules for these commands. I don't know why
logrotate needs them, but depending upon what they do with init, you could
drag in a huge amount of privileges to this profile that logically belong
to upstart instead.
So I'd add:
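The two ways of handling the denied executions that the exchange above discusses, shown side by side as an added illustration (not from the original thread or the shipped profile). The profile path, profile name and `#include` lines are assumptions; the rest of the profile is omitted.

```apparmor
# Added example: fragment of an AppArmor profile for logrotate.
# The path /usr/sbin/logrotate and the #include lines are assumptions.
#include <tunables/global>

/usr/sbin/logrotate {
  #include <abstractions/base>

  # Rules the DENIED messages asked for. 'mrix' (inherit) would run initctl
  # and runlevel inside *this* profile, so every file, capability and signal
  # those init helpers need would then have to be added to logrotate's
  # profile as well, which is the privilege creep the reply warns about.
  capability fsetid,
  /etc/lsb-base-logging.sh r,
  # /sbin/initctl mrix,
  # /sbin/runlevel mrix,

  # The alternative suggested in the reply: 'Ux' executes the helpers
  # unconfined, with the environment scrubbed (upper-case U), so init's
  # privileges stay out of the logrotate profile. The child runs with no
  # confinement at all, so this is only appropriate for helpers that are
  # already trusted system binaries.
  /sbin/initctl Ux,
  /sbin/runlevel Ux,
}
```

After editing, reload with `apparmor_parser -r` on the profile file and re-check kern.log for further DENIED entries from the next logrotate run.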