[apparmor] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

Seth Arnold seth.arnold at canonical.com
Mon Nov 14 19:47:15 UTC 2016


Hi Daniel,

On Fri, Nov 11, 2016 at 11:43:23AM +0100, daniel curtis wrote:
> So, if it's about both capability (capability dac_override and capability
> dac_read_search) rules: I should add them to a logrotate profile, right?
> And the rest of rules? You have written a comment about them, but nothing
> about if I should change something etc. Besides @{PROC} and 'owner' :- )
> 
> >> Probably a bad idea to use 'owner' for these rules (...)
> 
> Let's summarize: if I decide to use a logrotate profile then I can/should
> add rules mentioned in my previous message without any changes, right? (Not
> to mention @{PROC}).
> 
> Seth, thank You once again for all the answers and help.

Sorry I wasn't more clear before -- all those rules made sense to add to
your log rotate profile, with the exception of write access to
/etc/logrotate.d/* files -- it shouldn't need to modify those files to do
its job.

Thanks