[apparmor] [profile] /etc/cron.daily/logrotate: updated version.
Seth Arnold
seth.arnold at canonical.com
Mon Jan 9 23:37:27 UTC 2017
On Sat, Dec 31, 2016 at 02:59:00PM +0100, Christian Boltz wrote:
> Since nobody reviewed the patch yet, here's the updated version (with the
> things mentioned above changed):
>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Acked for whichever branches it makes sense for :)
Thanks
> --- profiles/apparmor/profiles/extras/etc.cron.daily.logrotate 2016-12-03 09:59:01 +0000
> +++ profiles/apparmor/profiles/extras/etc.cron.daily.logrotate 2016-12-31 13:56:01 +0000
> @@ -2,6 +2,8 @@
> # ------------------------------------------------------------------
> #
> # Copyright (C) 2002-2006 Novell/SUSE
> +# Copyright (C) 2016 Seth Arnold
> +# Copyright (C) 2016 Daniel Curtis
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of version 2 of the GNU General Public
> @@ -16,38 +18,58 @@
> #include <abstractions/bash>
> #include <abstractions/nameservice>
>
> - /{usr/,}bin/bash mixr,
> + capability chown,
> + capability dac_override,
> + capability dac_read_search,
> + capability fowner,
> + capability fsetid,
> +
> + /{usr/,}bin/{ba,da,}sh mixr,
> /{usr/,}bin/cat mixr,
> /{usr/,}bin/gzip mixr,
> /{usr/,}bin/kill mixr,
> /{usr/,}bin/logger mixr,
> + /{usr/,}bin/mv mixr,
> + /{usr/,}bin/sed mixr,
> + /{usr/,}bin/sleep mrix,
> /{usr/,}bin/true mixr,
> /etc/init.d/* mixr,
> + /usr/bin/head mrix,
> /usr/bin/killall mixr,
> + /usr/sbin/invoke-rc.d mrix,
> /usr/sbin/logrotate mixr,
>
> - /var/log r,
> - /var/log/** wrl,
> + ## see https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html
> + /{usr/,}sbin/initctl Ux,
> + /{usr/,}sbin/runlevel Ux,
> +
> + /var/log/ r,
> + /var/log/** rwl,
>
> /var/lib/privoxy/log/** rwl,
> /var/lib64/privoxy/log/** rwl,
>
> / r,
> - /dev/tty wr,
> + /dev/tty rw,
> /etc/cron.daily/logrotate r,
> /etc/logrotate.conf r,
> - /etc/logrotate.d r,
> + /etc/logrotate.d/ r,
> /etc/logrotate.d/* r,
> - /etc/subdomain.d r,
> - @{PROC} r,
> - @{PROC}/@{pid} r,
> - /tmp w,
> - /tmp/file* wl,
> - /tmp/logrot* wlr,
> - /var/lib/logrotate.status wr,
> + /etc/lsb-base-logging.sh r,
> +
> +# @{PROC} r,
> +# @{PROC}/@{pid} r,
> + owner /tmp/file* wl,
> + owner /tmp/logrot* rwl,
> +
> + /var/lib/logrotate/ r,
> + /var/lib/logrotate/* rw,
> +
> /{run,var}/lock/samba r,
> /{,var/}run/httpd.pid r,
> /{,var/}run/syslogd.pid r,
> - /var/spool/slrnpull wr,
> + /{,var/}run/rsyslogd.pid r,
> +
> + /var/spool/slrnpull/ wr,
> /var/spool/slrnpull/log* wrl,
> }
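Review bot: near the end of this hunk the rule `/var/lib/logrotate.status wr,` is removed and only `/var/lib/logrotate/ r,` and `/var/lib/logrotate/* rw,` are added, so a logrotate that still keeps its state file at the old path would be denied write access to it; keep the old rule alongside the new ones unless no supported distribution uses that location. The new capability block grants both `dac_override` and `dac_read_search` with no comment saying which rotation step needs each, so a short justification above it, like the one given for the `Ux` rules, would help later reviewers. On style, the two `@{PROC}` rules would be cleaner deleted than left commented out, the added entries mix `mrix` with the file's existing `mixr`, and `/usr/bin/head` is written without the `/{usr/,}bin/` alternation its neighbours use.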