[apparmor] [PATCH profile 1/2] dnsmasq: Adjust pattern for log files to comply SELinux

Petr Vorel pvorel at suse.cz
Fri Dec 7 10:17:10 UTC 2018


Hi,

> i.e. move '*' from beginning to before suffix.

> Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added
> pattern, which is not compatible with SELinux. As this pattern has been
> in SELinux since 2011 (with recent change to accept '.log' suffix +
> logrotate patterns which are not relevant to AppArmor) IMHO it's better
> to adjust our profile.

> Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")

> Signed-off-by: Petr Vorel <pvorel at suse.cz>
> ---
>  profiles/apparmor.d/usr.sbin.dnsmasq | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

> diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
> index fba51259..f14a370a 100644
> --- a/profiles/apparmor.d/usr.sbin.dnsmasq
> +++ b/profiles/apparmor.d/usr.sbin.dnsmasq
> @@ -45,7 +45,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {

>    /usr/{bin,sbin}/dnsmasq mr,

> -  /var/log/*dnsmasq.log w,
> +  /var/log/dnsmasq*.log w,

>    /usr/share/dnsmasq/ r,
>    /usr/share/dnsmasq/* r,
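
Review bot: the replacement rule `/var/log/dnsmasq*.log w,` is not a superset of the removed `/var/log/*dnsmasq.log w,`, and the commit message does not mention this. A log file whose name has text before `dnsmasq` (anything the old leading `*` matched) loses write permission once this profile is loaded, so a setup that relied on the pattern added in 025c7dc6 for such a name will see denials. Please state in the commit message which names stop matching and quote the SELinux pattern being aligned to, or keep the old rule alongside the new one for a transition period if prefixed names are in use.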

Ping, please.


Kind regards,
Petr


