[apparmor] [Contd.] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

Seth Arnold seth.arnold at canonical.com
Wed Dec 14 19:30:25 UTC 2016

On Wed, Dec 14, 2016 at 07:03:52PM +0100, daniel curtis wrote:
> OK, I understand it. But 'capability fsetid' is needed, right? Even if
> you're not sure why it is needed.

Hi Daniel, I can't give perfect advice on this one. It may be needed only
on your machine for some reason local to your filesystem. It may be needed
everywhere. I just don't know.

Since I like to know everything I'd probably try to track this one down,
but I can't really suggest to you that that's the right course of action. :)
You might as well add this rule and use the time saved to walk the dog or
something more fun. ;)

I also don't know what tools would exist in 12.04 LTS that would make it
easier to investigate this issue. Maybe
echo 1 > /sys/module/apparmor/parameters/logsyscall
and see what the syscall caused this denial.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161214/f1f65858/attachment.pgp>

More information about the AppArmor mailing list