[apparmor] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

daniel curtis sidetripping at gmail.com
Fri Nov 11 10:43:23 UTC 2016


Hi Seth,

>> I forgot to mention that "normal user" is a bit of a misnomer (...)

In my case it was the first user created during system install. (A member
of - among others - the "adm" group etc.) And I could not open these files
because of "permission denied" messages. Of course, as I mentioned earlier,
everything has worked via sudo(8). But this problem is already solved -
thanks to you.

I thought about umask(2), because a looong time ago I changed its value
to 077 and I think that logrotate - because of the /var/log/ rule - created
'new' kern.log and syslog files with root permissions etc. It seems not to
be important anymore.

So, regarding both capability rules (capability dac_override and capability
dac_read_search): I should add them to the logrotate profile, right?
And the rest of the rules? You have written a comment about them, but nothing
about whether I should change something etc. Besides @{PROC} and 'owner' :- )

>> Probably a bad idea to use 'owner' for these rules (...)

Let's summarize: if I decide to use a logrotate profile, then I can/should
add the rules mentioned in my previous message without any changes, right? (Not
to mention @{PROC}.)

Seth, thank you once again for all the answers and help.

Best regards.
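As an added illustration (not part of this thread, and not the rules Seth reviewed), a small POSIX shell helper that turns AppArmor DENIED audit lines for the logrotate profile into candidate profile rules, the way one would check before editing the profile by hand. The audit lines are constructed samples in the kernel's audit format, and the profile path /usr/sbin/logrotate is assumed.

```shell
# Added example: derive candidate AppArmor rules from DENIED audit lines.
# The sample lines below are constructed; the real denials from the thread
# are not on this page. The profile path /usr/sbin/logrotate is assumed.
SAMPLE_DENIALS='type=AVC msg=audit(1478860000.101:201): apparmor="DENIED" operation="capable" profile="/usr/sbin/logrotate" pid=4242 comm="logrotate" capability=1 capname="dac_override"
type=AVC msg=audit(1478860000.102:202): apparmor="DENIED" operation="capable" profile="/usr/sbin/logrotate" pid=4242 comm="logrotate" capability=2 capname="dac_read_search"
type=AVC msg=audit(1478860000.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/logrotate" name="/var/log/kern.log" pid=4242 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1478860000.104:204): apparmor="ALLOWED" operation="open" profile="/usr/sbin/logrotate" name="/var/log/syslog" pid=4242 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Extract the value of one key="value" pair from an audit line on stdin.
field() { sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"; }

# Read audit lines on stdin and print one candidate rule per DENIED line
# that belongs to the given profile, de-duplicated. Capability denials become
# 'capability X,'; file denials become a path rule with the denied mask.
# No 'owner' qualifier is added: logrotate runs as root, and the logs it
# rotates are often owned by other users (syslog, adm), so an owner-qualified
# rule would keep producing denials for those files.
denied_to_rules() {
  prof="$1"
  while IFS= read -r line; do
    case "$line" in
      *'apparmor="DENIED"'*) ;;
      *) continue ;;   # skip ALLOWED/AUDIT lines and unrelated noise
    esac
    [ "$(printf '%s\n' "$line" | field profile)" = "$prof" ] || continue
    op=$(printf '%s\n' "$line" | field operation)
    if [ "$op" = "capable" ]; then
      printf 'capability %s,\n' "$(printf '%s\n' "$line" | field capname)"
    else
      path=$(printf '%s\n' "$line" | field name)
      mask=$(printf '%s\n' "$line" | field denied_mask)
      printf '%s %s,\n' "$path" "$mask"
    fi
  done | LC_ALL=C sort -u
}

printf '%s\n' "$SAMPLE_DENIALS" | denied_to_rules /usr/sbin/logrotate
```

On a live system the same function can be fed from the audit log or dmesg output; review each suggested rule rather than pasting it in blindly, since a path rule derived from one denial may be narrower than what the profile actually needs.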