[apparmor] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

Christian Boltz apparmor at cboltz.de
Wed Nov 16 21:10:07 UTC 2016


Am Dienstag, 15. November 2016, 15:40:23 CET schrieb daniel curtis:
> Thank You once again for all your help. I really appreciate it. So if
> it's about a logrotate profile: each mentioned rule seems to be okay
> and I can use them. Additionally, I should add a capabilities
> (capability dac_override and capability dac_read_search) but not use
> 'owner' with @{PROC} etc.

Right. Everything you showed looks sane (except write permissions for 
/etc/logrotate.d/* - but Seth already mentioned this some days ago).

BTW: It looks like your profile is based on the logrotate profile shipped 
in the AppArmor "extra profiles" directory. Can you please send a patch 
against that profile (or just the updated profile) when everything works 
for you? The "extra profiles" are not really maintained, but since you 
updated the profile already, this is our chance to easily update it for 
everybody ;-)


Christian Boltz
you are spending too much time in web forums or with apache guys if you
are using "+1" and "-1" :-) [Stefan Seyfried in opensuse-factory]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161116/f6b5adf1/attachment.pgp>

More information about the AppArmor mailing list