[apparmor] [Contd.] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

Seth Arnold seth.arnold at canonical.com
Mon Dec 12 20:12:33 UTC 2016

On Sun, Dec 11, 2016 at 07:08:45PM +0100, daniel curtis wrote:
> Today, I've noticed that two files from /var/log/ directory: kern.log and
> syslog were empty - nothing logged (0 bytes) and another two: kern.log.1
> and syslog.1 - with logged messages. Strange. I decided to check, for
> example, kern.log.1 file and see what's happened. Here's what I've found:
> [...]
> According to above messages I would like to ask about rules, which are
> needed in the logrotate profile. In my opinion, they could/should look
> like:
> capability fsetid,
> /sbin/initctl mrix,
> /sbin/runlevel mrix,
> /etc/lsb-base-logging.sh r,

This is strange; I'm surprised these weren't discovered earlier.

I think you could use Ux rules for these commands. I don't know why
logrotate needs them, but depending upon what they do with init, you could
drag in a huge amount of privileges to this profile that logically belong
to upstart instead.

So I'd add:

/sbin/initctl Ux,
/sbin/runlevel Ux,
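
An added illustration, not part of the original thread: the small script below turns AppArmor DENIED audit lines of the kind Daniel saw into candidate profile rules, so the mapping from each denial (capability, exec, file open) to the rules quoted above is explicit. The log lines, PIDs, timestamps and the profile name /usr/sbin/logrotate are constructed for the example; the real messages were elided in the quoted mail. The exec_mode parameter lets you compare the mrix rules Daniel proposed with the Ux rules Seth suggests.

```python
import re
from collections import OrderedDict

# Constructed sample lines in the shape of kernel AppArmor audit messages.
# All values (host, pids, timestamps, profile path) are assumptions for the
# example; the original post did not include the real lines.
SAMPLE_LOG = """\
Dec 11 06:25:01 host kernel: [1234.567] audit: type=1400 audit(1481433901.123:45): apparmor="DENIED" operation="capable" profile="/usr/sbin/logrotate" pid=2100 comm="logrotate" capability=4  capname="fsetid"
Dec 11 06:25:01 host kernel: [1234.568] audit: type=1400 audit(1481433901.124:46): apparmor="DENIED" operation="exec" profile="/usr/sbin/logrotate" name="/sbin/initctl" pid=2103 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Dec 11 06:25:01 host kernel: [1234.569] audit: type=1400 audit(1481433901.125:47): apparmor="DENIED" operation="exec" profile="/usr/sbin/logrotate" name="/sbin/runlevel" pid=2104 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Dec 11 06:25:01 host kernel: [1234.570] audit: type=1400 audit(1481433901.126:48): apparmor="DENIED" operation="open" profile="/usr/sbin/logrotate" name="/etc/lsb-base-logging.sh" pid=2104 comm="sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 06:25:02 host kernel: [1234.571] audit: type=1400 audit(1481433902.001:49): apparmor="DENIED" operation="open" profile="/usr/sbin/logrotate" name="/etc/lsb-base-logging.sh" pid=2105 comm="sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs: values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key/value fields of an AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def suggest_rule(ev, exec_mode="Ux"):
    """Map one denial event to a single AppArmor profile rule.

    exec_mode chooses the transition for executed programs: "Ux" runs the
    child unconfined (its privileges are not pulled into this profile),
    "mrix" inherits this profile, so every permission the child needs would
    have to be granted to logrotate itself.
    """
    op = ev.get("operation")
    if op == "capable":
        return "capability %s," % ev["capname"]
    if op == "exec":
        return "%s %s," % (ev["name"], exec_mode)
    if "name" in ev and "denied_mask" in ev:
        # plain file access: grant exactly what was denied (r, w, k, ...)
        return "%s %s," % (ev["name"], ev["denied_mask"])
    return None


def suggest_rules(log_text, exec_mode="Ux", profile=None):
    """Collect de-duplicated rules, in first-seen order, for one profile."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if profile and ev.get("profile") != profile:
            continue
        rule = suggest_rule(ev, exec_mode)
        if rule:
            rules.setdefault(rule, ev.get("profile"))
    return list(rules)


if __name__ == "__main__":
    for mode in ("mrix", "Ux"):
        print("# rules with exec mode %s" % mode)
        for rule in suggest_rules(SAMPLE_LOG, exec_mode=mode):
            print("  " + rule)
```

The duplicated open() line in the sample is folded into one rule, and only the denied mask is granted rather than everything the process asked for. The script is a reading aid for the thread, not a replacement for aa-logprof, which also handles abstractions, globbing and the many other operation types.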
