[apparmor] base abstraction for writing to systemd dev-log doesn't work
Mark Wadham
ubuntu at rkw.io
Mon Jul 25 13:26:11 UTC 2016
Hi,

I've been trying to configure apparmor for dovecot, but I keep getting
messages like this:

    [130842.572874] audit: type=1400 audit(1469436340.177:2400):
    apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup -
    disconnected path" error=-13 profile="/usr/sbin/dovecot"
    name="run/systemd/journal/dev-log" pid=23971 comm="dovecot"
    requested_mask="w" denied_mask="w" fsuid=0 ouid=0

The dovecot profiles all include the base abstractions
(/etc/apparmor.d/abstractions/base) which includes this:

    /{,var/}run/systemd/journal/dev-log w,

and it seems even if I add this explicitly to the dovecot profiles they
still can't write to the dev-log. Is this a bug or am I doing something
wrong?

Also while I'm here, if you have a wrapper script around an application
in order to ensure it restarts if it dies, is there a way to configure
apparmor so that /bin/bash is allowed for the wrapper script but not for
the process it's wrapping?

Thanks!
Mark