[apparmor] [profile] /etc/cron.daily/logrotate: updated version.

daniel curtis sidetripping at gmail.com
Tue Dec 20 11:52:57 UTC 2016


Hi

It seems that the logrotate profile works. Everything is OK - no error or
DENIED messages in log files etc. I've been testing this profile for four
or five days.

So, I just decided to paste the whole profile here, since I've added only a
few rules. It should be easier to read and eventually change the logrotate
profile in the future. Also, Mr Christian Boltz wrote that in this case
it's OK (see:
https://lists.ubuntu.com/archives/apparmor/2016-November/010238.html).

I think that it's important to mention: I've changed the order of rules.
For example: @{PROC} rules are now at the very end of a profile,
capabilities are near the beginning after <abstractions/*> and so on. It
just looks better and is easier to read, modify etc. That's just my opinion
and it can be changed.

I've decided to leave directories that are not in my system, but were in
the default profile. They are marked with the '#' sign and described with
proper information about the reason for their existence etc. If, for
example, there is a user using 'privoxy' - a privacy enhancing HTTP Proxy, he can just remove
'#' sign and use one of these rules (of course depending on his
architecture etc.):

/var/lib/privoxy/log/** rwl,
/var/lib64/privoxy/log/** rwl,

One more thing about my comments: they are only for informational
purposes and should/could be removed. So, I hope that everything is okay
even without using diff(1).

Okay, so here's an updated 'etc.cron.daily.logrotate' profile (based on
this one:
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/wily/apparmor/wily/view/head:/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate):



# Last Modified: Mon Dec  19 10:29:57 2016
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2006 Novell/SUSE
#    Copyright (C) 2016 Seth Arnold
#    Copyright (C) 2016 Daniel Curtis
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

/etc/cron.daily/logrotate {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>

  capability dac_override,
  capability dac_read_search,
  capability chown,
  capability fowner,
  capability fsetid,

  / r,
  /bin/sleep mrix,
  /bin/sed mixr,
  /bin/mv mixr,
  /bin/dash mrix,

  /bin/bash mrix,
  /bin/cat mrix,
  /bin/gzip mrix,
  /bin/kill mrix,
  /bin/logger mrix,
  /bin/true mrix,

  /usr/bin/head mrix,
  /usr/bin/killall mrix,

  /usr/sbin/invoke-rc.d mrix,
  /usr/sbin/logrotate mrix,

  ## NOTE: please see 1., 2.
  /sbin/initctl Ux,
  /sbin/runlevel Ux,

  /etc/cron.daily/logrotate r,
  /etc/logrotate.conf r,
  /etc/logrotate.d/ r,
  /etc/logrotate.d/* r,

  /etc/init.d/* mrix,
  /etc/lsb-base-logging.sh r,

  ## There is no such directory in 12.04 LTS.
  #/etc/subdomain.d/ r,

  /var/lib/logrotate/ r,
  /var/lib/logrotate/* rw,
  ## Handled by the previous rules.
  #/var/lib/logrotate.status rw,

  ## NOTE: it's a 32 bit system - so there is no lib64 directory.
  ## NOTE2: I'm not using privoxy.
  #/var/lib64/privoxy/log/** rwl,
  #/var/lib/privoxy/log/** rwl,
  ## NOTE3: Maybe it's better to use:
  #/var/lib{,64}/privoxy/log/** rwl,

  /var/log/ r,
  /var/log/** rwl,

  ## NOTE: there is no 'syslog.pid' file, but there is an 'rsyslogd.pid' file
  #/{,var/}run/syslogd.pid r,
  /{,var/}run/rsyslogd.pid r,

  ## NOTE: I'm not using 'slrnpull', but maybe someone is.
  #/var/spool/slrnpull rw,
  #/var/spool/slrnpull/log* rwl,

  ## NOTE: I don't use samba and httpd, but maybe someone is.
  #/{run,var}/lock/samba r,
  #/{,var/}run/httpd.pid r,

  /tmp w,
  /tmp/file* wl,
  /tmp/logrot* rwl,

  /dev/tty rw,

  @{PROC} r,
  @{PROC}/[1-9]* r,

}


By the way: the official profile contains a rule which confused me: "/var/log
r,". Shouldn't it be: "/var/log/ r,"? As we can see: missing "/".
The same thing with: /etc/subdomain.d directory - I've added '/' to these
rules. What do you think?

The last and the most important thing: can someone check this profile; I
mean from a security point of view? Is it secure enough to use? Especially,
I'm thinking about permissions for a /tmp directory ('rwl,' access) etc.


Best regards.
_____________
1., 2.: https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html
https://lists.ubuntu.com/archives/apparmor/2016-December/010363.html
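
Added example (not part of the original message and not AppArmor's own code): a simplified Python model of AppArmor path globbing, showing why the trailing "/" asked about above matters, given that AppArmor matches a directory by its path with a trailing slash. The function names and the target paths are assumptions made for illustration; the rule paths are copied from the profile in this message.

```python
import re

def aare_to_regex(rule_path):
    """Simplified model of AppArmor path globbing (not the parser's code)."""
    out, i, depth = [], 0, 0
    while i < len(rule_path):
        c = rule_path[i]
        after_slash = i > 0 and rule_path[i - 1] == "/"
        if rule_path.startswith("**", i):
            # '**' crosses '/'; right after a '/' it needs at least one char.
            out.append("[^/].*" if after_slash else ".*")
            i += 2
            continue
        if c == "*":
            # '*' stays inside one path component; as a whole component
            # it cannot be empty.
            whole = after_slash and rule_path[i + 1:i + 2] in ("", "/")
            out.append("[^/]+" if whole else "[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        elif c == "[":
            end = rule_path.index("]", i)
            out.append(rule_path[i:end + 1])
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def matches(rule_path, target):
    """True if the rule path covers target; directories end in '/'."""
    return aare_to_regex(rule_path).fullmatch(target) is not None

def covering_rules(rules, target):
    """Return the rule paths from `rules` that cover `target`."""
    return [r for r in rules if matches(r, target)]

# Rule paths copied from the profile above; the targets are constructed.
PROFILE_RULES = ["/var/log/", "/var/log/**", "/tmp", "/tmp/file*",
                 "/tmp/logrot*", "/{,var/}run/rsyslogd.pid"]

if __name__ == "__main__":
    for target in ["/var/log/", "/var/log/syslog.1", "/tmp/", "/tmp/logrotate.Ab12"]:
        print(target, "->", covering_rules(PROFILE_RULES, target))
```

In this model the directory /var/log/ is covered only by the rule written with a trailing slash, and no rule in the list covers the directory /tmp/ itself.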