[apparmor] [profile] Update profile: /etc/cron.daily/logrotate.
Seth Arnold
seth.arnold at canonical.com
Sat Jun 2 02:09:39 UTC 2018
On Wed, May 23, 2018 at 04:00:36PM +0000, daniel curtis wrote:
> Next thing I would like to ask and clarify is an 'Ux' access mode for
> two files:
> '/{usr/,}sbin/initctl' and '/{usr/,}sbin/runlevel' (for a reason for
> I would like to ask if 'Ux' could be changed, for example, with 'PUx'
> mode? Would not it be a better solution? And what about 'rPUx' (if I

Hello Daniel,

PUx would indeed be more secure if you were to go to the effort to confine
these two programs.

However, the system's proper functioning relies upon these two programs to
do their task, and you run a very high risk of making your computer
non-functional if you screw up these profiles.

These profiles would need to include a great deal of privilege. While you
could reduce the privileges they have, I'm not sure it is a meaningful
reduction.

So, yes, you *can* confine these programs. But please be sure to have a
recovery plan in place in case you find you cannot reboot your computer.

I think you would be better served to spend your time confining programs
that have open network sockets but do not yet have profiles.

Thanks
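
Added example, not part of the original message and not AppArmor project code: a short Python scan of profile text that lists each exec rule and what its transition mode does when the target has no profile, which is the Ux versus PUx difference discussed above. The sample profile is constructed, `/usr/bin/example-helper` is a hypothetical path, and only path-first rules (`<path> <perms>,`) are parsed.

```python
import re

# AppArmor exec transition modes, longest first so 'PUx' is not read as 'Ux'.
EXEC_MODE = re.compile(r"pix|Pix|cix|Cix|pux|PUx|cux|CUx|ix|px|Px|cx|Cx|ux|Ux")
# Path-first file rule "<path> <perms>,"; other rule forms are not parsed here.
RULE = re.compile(r"^\s*(?:audit\s+)?(?:owner\s+)?(/\S*)\s+([A-Za-z]+)\s*,")

FALLBACK = {
    "ux": "always unconfined",
    "pux": "profile if one is loaded, otherwise unconfined",
    "cux": "child profile if defined, otherwise unconfined",
    "pix": "profile if one is loaded, otherwise inherit caller's profile",
    "cix": "child profile if defined, otherwise inherit caller's profile",
    "ix": "inherit caller's profile",
    "px": "profile required, exec fails without one",
    "cx": "child profile required, exec fails without one",
}

def audit_exec_rules(profile_text):
    """Return (line_no, path, mode, behaviour, env_scrubbed) per exec rule."""
    findings = []
    for line_no, line in enumerate(profile_text.splitlines(), start=1):
        rule = RULE.match(line)
        if not rule:
            continue
        mode = EXEC_MODE.search(rule.group(2))
        if not mode:
            continue  # no execute permission in this rule
        m = mode.group(0)
        # Upper-case P/C/U request environment scrubbing (secure exec).
        findings.append((line_no, rule.group(1), m, FALLBACK[m.lower()], m != m.lower()))
    return findings

# Constructed sample: the two Ux rules quoted in the thread plus a
# hypothetical helper path using the rPUx form asked about.
SAMPLE_PROFILE = """\
/etc/cron.daily/logrotate {
  /{usr/,}sbin/initctl Ux,
  /{usr/,}sbin/runlevel Ux,
  /usr/bin/example-helper rPUx,
  /etc/logrotate.d/ r,
}
"""

if __name__ == "__main__":
    for finding in audit_exec_rules(SAMPLE_PROFILE):
        print(finding)
```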