[apparmor] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

daniel curtis sidetripping at gmail.com
Thu Nov 10 20:19:21 UTC 2016


Hi Seth,

No, I haven't installed any program etc. that tries to 'correct' system
security and so on (not to mention security updates etc.). Strange. But...
the chown(1) command (which you provided) and a system restart seem to help: I
can open these files as a normal user, and the permissions shown by ls(1)
seem to be okay:

$ ls -al /var/log/kern.log
-rw-r----- 1 syslog adm 78351 Nov 10 20:29 /var/log/kern.log
$ ls -al /var/log/syslog
-rw-r----- 1 syslog adm 0 Nov 10 20:33 /var/log/syslog

Thank you very much for the answer and for checking a pristine 12.04
release's settings. I forgot to mention the umask(2) setting: it's 077. So
maybe umask(2) is responsible for this situation. But I've never seen
something like this before.

Anyway, for now I removed the /etc/cron.daily/logrotate profile because of
this situation and a couple of new DENIED messages. It seems that
logrotate also "wants":

apparmor="DENIED" operation="capable" parent=2875
profile="/etc/cron.daily/logrotate" pid=2879 comm="logrotate" capability=1
capname="dac_override"

apparmor="DENIED" operation="capable" parent=2875
profile="/etc/cron.daily/logrotate" pid=2879 comm="logrotate" capability=2
capname="dac_read_search"

Should it be included in the profile? If yes: what is the best, secure
method? And what about this: can you also check those rules?

/var/log/** rwl,    ## 'l'?

/etc/init.d/* mrix,

/tmp/logrot* rwl,    ## what is this?
/tmp w,    ## it's okay?
/tmp/file* wl,    ## and this one?

/dev/tty rw,    ## I don't like the 'rw' access for /dev/tty

@{PROC} r,    ## maybe use 'owner'?
@{PROC}/[1-9]* r,

Geez, so many things... Seth, I'm sorry. If all the things mentioned above are
not needed at all, it seems that the logrotate profile is bad.

Best regards.
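A small triage script for DENIED lines like the two quoted in this mail (an added example, not code from the thread or from the logrotate profile): it parses audit records into their fields, turns each into the candidate profile rule the denial points at, and flags dac_override/dac_read_search, since granting those capabilities hides the ownership and umask problem discussed above instead of fixing it. The third sample line is a constructed open(2) file denial, added to show the same parser generalizes to path rules; all sample lines are constructed, not real logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the mail (not real log data).
SAMPLE_DENIALS = [
    'apparmor="DENIED" operation="capable" parent=2875 '
    'profile="/etc/cron.daily/logrotate" pid=2879 comm="logrotate" '
    'capability=1 capname="dac_override"',
    'apparmor="DENIED" operation="capable" parent=2875 '
    'profile="/etc/cron.daily/logrotate" pid=2879 comm="logrotate" '
    'capability=2 capname="dac_read_search"',
    # Hypothetical file denial of the shape AppArmor logs for an open(2) call.
    'apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" '
    'name="/var/log/kern.log" pid=2879 comm="logrotate" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=104',
]

# Capabilities that bypass file permission checks entirely; granting them
# papers over wrong ownership or a restrictive umask instead of fixing it.
BROAD_CAPS = {"dac_override", "dac_read_search"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the key=value fields of one audit line as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def suggest_rule(fields):
    """Map one DENIED record to a candidate profile rule, or None if unsupported."""
    if fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation") == "capable" and "capname" in fields:
        return f"capability {fields['capname']},"
    if "name" in fields and "denied_mask" in fields:
        # File rule: the deny was on the path in 'name' with the listed access bits.
        return f"{fields['name']} {fields['denied_mask']},"
    return None

def triage(lines):
    """Group candidate rules by profile; True marks a rule that needs scrutiny."""
    report = defaultdict(list)
    for line in lines:
        fields = parse_denial(line)
        rule = suggest_rule(fields)
        if rule is None:
            continue
        needs_scrutiny = fields.get("capname") in BROAD_CAPS
        report[fields["profile"]].append((rule, needs_scrutiny))
    return dict(report)
```

A flagged rule is a prompt to check file ownership and mode first (as the chown(1) fix above did), not a rule to paste into the profile.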