[apparmor] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.
Seth Arnold
seth.arnold at canonical.com
Wed Nov 9 19:44:18 UTC 2016
On Wed, Nov 09, 2016 at 12:21:39PM +0100, daniel curtis wrote:
> Thanks for an answer. So these are rules, which I should add to the
> /etc/cron.daily/logrotate profile, right?
>
> /var/lib/logrotate/ r,
> /var/lib/logrotate/status.clean w, ## NOTE: in my system there is no such
> file - there is only 'status'

This may be a short-lived file, or it may exist once the profile allows it
to exist.

> /bin/sed mixr,
> /bin/mv mixr,
>
> /var/lib/logrotate/* r,
> /var/lib/logrotate/ rw,
>
> /etc/logrotate.d/ r,
> /etc/logrotate.d/* rw,
>
> It looks okay for you now? Can I use these rules?

Probably the cronjob shouldn't have write access to /etc/logrotate.d/* --
that's for the admin to configure the system, or packages to provide
configuration.
I'd change that to only 'r' access.

Otherwise they look good.

Thanks
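
Added example, not part of the original message and not AppArmor tooling: a small Python check that parses the rules proposed in the quoted text, flags write or append access on configuration paths, and rewrites those rules read-only as the reply suggests. The `/etc/` read-only prefix and the function names `audit` and `tighten` are assumptions of this example.

```python
import re

# Rules as proposed in the quoted message (inline note dropped).
PROPOSED = """\
/var/lib/logrotate/ r,
/var/lib/logrotate/status.clean w,
/bin/sed mixr,
/bin/mv mixr,
/var/lib/logrotate/* r,
/var/lib/logrotate/ rw,
/etc/logrotate.d/ r,
/etc/logrotate.d/* rw,
"""

# Assumption of this example: anything under /etc is configuration owned by
# the admin or by packages, so the confined cron job should only read it.
READ_ONLY_PREFIXES = ("/etc/",)
WRITE_PERMS = set("wa")  # w = write, a = append

# Matches simple file rules of the form "<path> <perms>," only.
RULE_RE = re.compile(r"^(\s*)(/\S*)(\s+)([A-Za-z]+)(\s*,.*)$")

def audit(profile_text):
    """Return (path, perms) for rules granting write/append on read-only paths."""
    findings = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2).startswith(READ_ONLY_PREFIXES) \
                and WRITE_PERMS & set(m.group(4)):
            findings.append((m.group(2), m.group(4)))
    return findings

def tighten(profile_text):
    """Rewrite flagged rules without w/a; leave every other line untouched."""
    out = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2).startswith(READ_ONLY_PREFIXES):
            perms = "".join(c for c in m.group(4) if c not in WRITE_PERMS)
            if not perms:
                continue  # rule granted nothing but write access: drop it
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}{perms}{m.group(5)}"
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for path, perms in audit(PROPOSED):
        print(f"write access to config path: {path} {perms}")
    print(tighten(PROPOSED), end="")
```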