[apparmor] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.
daniel curtis
sidetripping at gmail.com
Mon Nov 21 12:06:03 UTC 2016
Hi
I would like to ask a question about the capability that should be used
according to yesterday's log message:
Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400 audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192 profile="/etc/cron.daily/logrotate" pid=3197 comm="logrotate" capability=0 capname="chown"
It should be: 'capability chown,'. Am I right? If yes, then the logrotate
profile needs at least three capabilities:
capability dac_override,
capability dac_read_search,
capability chown,
And, if the rules mentioned earlier are OK to use, then we also need to add:
/usr/bin/head mrix,
/usr/sbin/invoke-rc.d mrix,
/bin/sleep mrix,
## According to: requested_mask="r" denied_mask="r"
/var/lib/logrotate/ r,
/var/lib/logrotate/* rw,
## And this one: name="/var/lib/logrotate/status"
## requested_mask="wc" denied_mask="wc"
/var/lib/logrotate/status ??,
What is your opinion about this? Maybe the lack of 'capability chown' is
responsible for changing the permissions of /var/log/kern.log, syslog,
etc.? I hope, at least, that's all of it, and the logrotate profile
can be updated.
Best regards.
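The translation the post does by hand (capability=N capname="x" becomes 'capability x,'; name= plus denied_mask= becomes a file rule, with the create flag 'c' granted by 'w' and an exec denial needing a transition mode such as 'ix') can be scripted. The following is an added example, not code from the post or from the AppArmor project (the project's own tool for this job is aa-logprof in apparmor-utils). The first sample line is the chown denial quoted above; the remaining sample lines are constructed for the example, as are all function names. The 'mrix' choice for exec denials mirrors the rules proposed in the post; 'px' or 'cx' would be the alternatives.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit log. Line 1 is the denial quoted in the post; the
# other three are made up for this example (not real log output).
SAMPLE_LOG = """\
Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400 audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192 profile="/etc/cron.daily/logrotate" pid=3197 comm="logrotate" capability=0 capname="chown"
Nov 20 12:46:39 t4 kernel: [ 1603.727900] type=1400 audit(1479642399.936:91): apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/status" pid=3197 comm="logrotate" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Nov 20 12:46:39 t4 kernel: [ 1603.727950] type=1400 audit(1479642399.936:92): apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/sleep" pid=3199 comm="logrotate" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 20 12:46:39 t4 kernel: [ 1603.728000] type=1400 audit(1479642399.936:93): apparmor="ALLOWED" operation="open" profile="/etc/cron.daily/logrotate" name="/var/log/syslog" pid=3197 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value or key="quoted value" pairs as emitted in type=1400 audit records
AUDIT_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# 'c' (create) and 'd' (delete) in a denied_mask are granted by 'w' in a profile
MASK_ALIASES = {"c": "w", "d": "w"}
# Order in which permission letters are written in the generated rule
PERM_ORDER = "mrwalk"


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Split one AppArmor audit line into its key=value fields."""
    if "apparmor=" not in line:
        return None
    return {k: q if q else b for k, q, b in AUDIT_KV.findall(line)}


def mask_to_perms(mask: str) -> str:
    """Map a denied_mask string to profile permission letters."""
    letters = {MASK_ALIASES.get(ch, ch) for ch in mask}
    if "w" in letters:
        letters.discard("a")  # append is implied by write
    if "x" in letters:
        # An exec denial needs a transition mode; inherit ('ix') keeps the child
        # under the same profile. Add m and r as the post's 'mrix' rules do.
        letters.discard("x")
        letters.update({"m", "r"})
        return "".join(ch for ch in PERM_ORDER if ch in letters) + "ix"
    return "".join(ch for ch in PERM_ORDER if ch in letters)


def suggest_rule(ev: Dict[str, str]) -> Optional[str]:
    """Turn one parsed DENIED (or complain-mode ALLOWED) event into a profile rule."""
    if ev.get("apparmor") not in ("DENIED", "ALLOWED"):
        return None  # e.g. apparmor="STATUS" lines carry no rule to add
    if ev.get("operation") == "capable" and "capname" in ev:
        return f"capability {ev['capname']},"
    path = ev.get("name")
    mask = ev.get("denied_mask") or ev.get("requested_mask")
    if not path or not mask:
        return None
    return f"{path} {mask_to_perms(mask)},"


def suggest_rules(log_text: str) -> Dict[str, List[str]]:
    """Group suggested rules by the profile that produced the events."""
    rules: Dict[str, set] = {}
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev:
            continue
        rule = suggest_rule(ev)
        if rule is None:
            continue
        rules.setdefault(ev.get("profile", "<unknown>"), set()).add(rule)
    return {profile: sorted(rs) for profile, rs in rules.items()}


if __name__ == "__main__":
    for profile, rs in suggest_rules(SAMPLE_LOG).items():
        print(profile)
        for r in rs:
            print("  " + r)
```

Run against the sample, the chown denial yields 'capability chown,' and the status-file denial with denied_mask="wc" yields '/var/lib/logrotate/status w,', which answers the '??' left open in the post for that path. Suggested rules still need review before they go into the profile: a path rule generated from a single event is often too narrow (the post's '/var/lib/logrotate/* rw,' globbing is a judgement call the script does not make), and an exec rule's transition mode should be chosen deliberately rather than defaulted.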