[apparmor] [profile] /etc/cron.daily/logrotate: updated version.

daniel curtis sidetripping at gmail.com
Sat Dec 31 11:47:46 UTC 2016


Hi Christian

I have one more question regarding your updates to the logrotate profile.
During my testing, it turned out that logrotate wants access to /bin/dash,
the command interpreter. So, with help from Seth, I used 'mrix' access.

But in your updated version (see 1.) I don't see that rule:

/bin/dash mrix,

I would like to ask whether it was just an oversight or a deliberate action
on your side. I noticed that you also deleted the /tmp directory, right?

- /tmp w,

And left the '/tmp/file* wl, /tmp/logrot* wlr,' files. Do you think that
using 'owner' with these two rules is more secure? You mentioned this, but
the patch does not contain an 'owner' option :-) What is the best
solution in this case?

One more thing: I understand that '@{PROC} and @{PROC}/@{pid}' are also not
needed? Because, as you wrote, "no trailing /, so these
rules are likely unused", right? I just want to be 100 percent sure. That's
all.

Christian, thank you once again for reviewing this profile and for the
committed changes.

Best regards.
_____________
1. https://lists.ubuntu.com/archives/apparmor/2016-December/010388.html