[apparmor] [profile] /etc/cron.daily/logrotate: updated version.
Christian Boltz
apparmor at cboltz.de
Sat Dec 31 13:59:00 UTC 2016
Hello,
On Saturday, 31 December 2016, 12:47:46 CET, daniel curtis wrote:
> I've one more question regarding your updates to the logrotate
> profile. During my testing, it turned out that logrotate wants access
> to /bin/dash, the command interpreter. So, with help from Seth, I've
> used 'mrix' access.
>
> But in your updated version (see 1.) I don't see that rule:
>
> /bin/dash mrix,
>
> I would like to ask if it was just an oversight or a deliberate action
> from your side?
Good catch, that was indeed an oversight.
While on it, we should probably also allow sh, so
/{usr/,}bin/{ba,da,}sh mixr,
> I noticed that you also deleted the /tmp directory rule,
> right?
>
> - /tmp w,
Right. This is useless without a trailing /.
> And left the '/tmp/file* wl, /tmp/logrot* wlr,' rules. Do you think
> that using 'owner' with these two rules is more secure? You have
> mentioned this, but the patch does not contain an 'owner' option :-)
> What is the best solution in this case?
owner indeed makes sense. Added now.
> One more thing: I understand that '@{PROC}' and '@{PROC}/@{pid}' are
> also not needed? Because of, as you had written, "no trailing /, so
> these rules are likely unused", right?
Exactly.
Since nobody has reviewed the patch yet, here's the updated version (with the
things mentioned above changed):
The full profile is attached.
=== modified file 'profiles/apparmor/profiles/extras/etc.cron.daily.logrotate'
--- profiles/apparmor/profiles/extras/etc.cron.daily.logrotate 2016-12-03 09:59:01 +0000
+++ profiles/apparmor/profiles/extras/etc.cron.daily.logrotate 2016-12-31 13:56:01 +0000
@@ -2,6 +2,8 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2016 Seth Arnold
+# Copyright (C) 2016 Daniel Curtis
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -16,38 +18,58 @@
#include <abstractions/bash>
#include <abstractions/nameservice>
- /{usr/,}bin/bash mixr,
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+
+ /{usr/,}bin/{ba,da,}sh mixr,
/{usr/,}bin/cat mixr,
/{usr/,}bin/gzip mixr,
/{usr/,}bin/kill mixr,
/{usr/,}bin/logger mixr,
+ /{usr/,}bin/mv mixr,
+ /{usr/,}bin/sed mixr,
+ /{usr/,}bin/sleep mrix,
/{usr/,}bin/true mixr,
/etc/init.d/* mixr,
+ /usr/bin/head mrix,
/usr/bin/killall mixr,
+ /usr/sbin/invoke-rc.d mrix,
/usr/sbin/logrotate mixr,
- /var/log r,
- /var/log/** wrl,
+ ## see https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html
+ /{usr/,}sbin/initctl Ux,
+ /{usr/,}sbin/runlevel Ux,
+
+ /var/log/ r,
+ /var/log/** rwl,
/var/lib/privoxy/log/** rwl,
/var/lib64/privoxy/log/** rwl,
/ r,
- /dev/tty wr,
+ /dev/tty rw,
/etc/cron.daily/logrotate r,
/etc/logrotate.conf r,
- /etc/logrotate.d r,
+ /etc/logrotate.d/ r,
/etc/logrotate.d/* r,
- /etc/subdomain.d r,
- @{PROC} r,
- @{PROC}/@{pid} r,
- /tmp w,
- /tmp/file* wl,
- /tmp/logrot* wlr,
- /var/lib/logrotate.status wr,
+ /etc/lsb-base-logging.sh r,
+
+# @{PROC} r,
+# @{PROC}/@{pid} r,
+ owner /tmp/file* wl,
+ owner /tmp/logrot* rwl,
+
+ /var/lib/logrotate/ r,
+ /var/lib/logrotate/* rw,
+
/{run,var}/lock/samba r,
/{,var/}run/httpd.pid r,
/{,var/}run/syslogd.pid r,
- /var/spool/slrnpull wr,
+ /{,var/}run/rsyslogd.pid r,
+
+ /var/spool/slrnpull/ wr,
/var/spool/slrnpull/log* wrl,
}
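Review bot: the `- /var/lib/logrotate.status wr,` removal drops the state-file path that logrotate uses when no `--state` is passed (the compiled-in default on SUSE-derived systems, where this profile originates); the new `/var/lib/logrotate/ r,` and `/var/lib/logrotate/* rw,` lines only cover the layout that keeps the state under a directory, so keep the old rule alongside them unless the extras profile is meant for one distribution only. On the `Ux` lines for initctl and runlevel: the children run fully unconfined, the widest exec mode AppArmor has; the URL comment gives the background, but a one-line note in the profile saying why a child profile is not used would help the next reader. Minor consistency points: the hunk mixes `mixr` and `mrix` (sleep, head, invoke-rc.d) and leaves `wr` on `/var/spool/slrnpull/` right after `/dev/tty` was normalised to `rw`; the letter sets are identical, so pick one spelling. The commented-out `# @{PROC}` lines carry no reason for being kept; either delete them or add the "no trailing /, so unused" explanation from the thread as the comment.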
Regards,
Christian Boltz
--
> P.S.: I've just thrown mutt overboard and have returned remorsefully to
> evolution.
*Waaahhhhh* A defector!!! What's going on???
[> Ratti and David Haller in suse-linux]
-------------- next part --------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2016 Seth Arnold
# Copyright (C) 2016 Daniel Curtis
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

/etc/cron.daily/logrotate {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,

  /{usr/,}bin/{ba,da,}sh mixr,
  /{usr/,}bin/cat mixr,
  /{usr/,}bin/gzip mixr,
  /{usr/,}bin/kill mixr,
  /{usr/,}bin/logger mixr,
  /{usr/,}bin/mv mixr,
  /{usr/,}bin/sed mixr,
  /{usr/,}bin/sleep mrix,
  /{usr/,}bin/true mixr,
  /etc/init.d/* mixr,
  /usr/bin/head mrix,
  /usr/bin/killall mixr,
  /usr/sbin/invoke-rc.d mrix,
  /usr/sbin/logrotate mixr,
  ## see https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html
  /{usr/,}sbin/initctl Ux,
  /{usr/,}sbin/runlevel Ux,

  /var/log/ r,
  /var/log/** rwl,
  /var/lib/privoxy/log/** rwl,
  /var/lib64/privoxy/log/** rwl,
  / r,
  /dev/tty rw,
  /etc/cron.daily/logrotate r,
  /etc/logrotate.conf r,
  /etc/logrotate.d/ r,
  /etc/logrotate.d/* r,
  /etc/lsb-base-logging.sh r,

# @{PROC} r,
# @{PROC}/@{pid} r,
  owner /tmp/file* wl,
  owner /tmp/logrot* rwl,

  /var/lib/logrotate/ r,
  /var/lib/logrotate/* rw,

  /{run,var}/lock/samba r,
  /{,var/}run/httpd.pid r,
  /{,var/}run/syslogd.pid r,
  /{,var/}run/rsyslogd.pid r,

  /var/spool/slrnpull/ wr,
  /var/spool/slrnpull/log* wrl,
}
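The three points settled in the thread above (a directory rule without a trailing / never matches the directory, /tmp rules without owner cover files anyone planted there, and Ux hands the child over unconfined) are easy to check mechanically before a profile is posted. The following lint is an added example written for this page; it is not code from the thread or from the AppArmor project. It assumes a constructed sample profile resembling the pre-patch version and a constructed set of known directories in place of the real filesystem, and it only understands plain file rules (include, capability and @{VAR} lines are skipped). The brace expansion is general and handles nested alternations as well as the flat ones in this profile.

```python
import os
import re

# One AppArmor file rule: optional "owner", an absolute path, a permission
# string, and the closing comma. Includes, capabilities, @{VAR} paths and the
# profile header/footer do not match and are skipped.
FILE_RULE_RE = re.compile(
    r'^\s*(?P<owner>owner\s+)?(?P<path>/\S*)\s+(?P<perms>[A-Za-z]+)\s*,\s*$'
)
# Innermost {a,b} alternation; expanding innermost-first also resolves nesting.
BRACE_RE = re.compile(r'\{([^{}]*)\}')
GLOB_CHARS = set('*?[')


def expand_braces(path):
    """Expand /{usr/,}bin/{ba,da,}sh into every literal path it stands for."""
    m = BRACE_RE.search(path)
    if not m:
        return [path]
    out = []
    for alt in m.group(1).split(','):
        out.extend(expand_braces(path[:m.start()] + alt + path[m.end():]))
    return list(dict.fromkeys(out))  # dedupe, keep order


def parse_file_rules(profile_text):
    """Return (owner, path, perms) for each file rule in the profile text."""
    rules = []
    for line in profile_text.splitlines():
        if line.strip().startswith('#'):
            continue
        m = FILE_RULE_RE.match(line)
        if m:
            rules.append((bool(m.group('owner')), m.group('path'), m.group('perms')))
    return rules


def normalize_perms(perms):
    """Permission letters form a set: 'mrix' and 'mixr' grant the same thing."""
    return ''.join(sorted(perms))


def directory_rules_missing_slash(rules, is_dir=os.path.isdir):
    """Rules whose literal path is a directory but lacks the trailing '/'.
    AppArmor matches a directory only via the slash form, so the rule is dead."""
    findings = []
    for _owner, path, perms in rules:
        if path.endswith('/'):
            continue
        for literal in expand_braces(path):
            if GLOB_CHARS.isdisjoint(literal) and is_dir(literal):
                findings.append((path, perms))
                break
    return findings


def unowned_writes_in_tmp(rules):
    """Writable /tmp rules without 'owner': files created by other users match too."""
    return [(path, perms) for owner, path, perms in rules
            if not owner and path.startswith('/tmp/') and 'w' in perms]


def unconfined_exec_rules(rules):
    """Exec rules using Ux/ux: the child process runs with no confinement at all."""
    return [(path, perms) for _owner, path, perms in rules if 'u' in perms.lower()]


# Constructed sample, modelled on the pre-patch profile discussed in the thread.
SAMPLE_PROFILE = """\
#include <tunables/global>
/etc/cron.daily/logrotate {
  #include <abstractions/base>
  /{usr/,}bin/{ba,da,}sh mrix,
  /{usr/,}sbin/initctl Ux,
  /var/log r,
  /var/log/** rwl,
  /tmp w,
  /tmp/file* wl,
  owner /tmp/logrot* rwl,
  /etc/logrotate.d/ r,
}
"""
# Constructed stand-in for the filesystem so the checks run offline.
KNOWN_DIRECTORIES = {'/tmp', '/var/log', '/etc/logrotate.d'}


def lint(profile_text=SAMPLE_PROFILE, is_dir=KNOWN_DIRECTORIES.__contains__):
    rules = parse_file_rules(profile_text)
    return {
        'missing_slash': directory_rules_missing_slash(rules, is_dir),
        'unowned_tmp_writes': unowned_writes_in_tmp(rules),
        'unconfined_exec': unconfined_exec_rules(rules),
    }


if __name__ == '__main__':
    for check, hits in lint().items():
        print(check, hits)
```

Run against a real profile with `lint(open(path).read())` and the default `os.path.isdir`, on the host the profile targets; the trailing-slash check is only meaningful where the paths actually exist, which is also why the sample supplies its own directory set.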