[apparmor] [profile] logrotate: new rules needed.

daniel curtis sidetripping at gmail.com
Wed Apr 10 21:02:17 UTC 2019


Hello Mr Strandboge.

First of all, I would like to thank You for your answer. Based on your
suggestions, I will add an 'owner' prefix to the rules etc. However, I
don't know what to do with the rules for '/run/systemd/private' and the 'net_admin'
capability, because You've written that "these two are getting into an
area where you are giving logrotate device ownership, since systemctl is
very rich." So, leave them or deny them?

Can You provide some more information? Should these rules be there? (I
will try to make some tests and check if the above rules are really needed.)

As for the '/run/dbus/system_bus_socket' rule: you're probably right, and
if - for example - Mr Christian Boltz decides to update the existing
Logrotate profile, He will - probably - use the 'dbus-strict' abstraction.
(However, I'd rather not use 'abstractions' when only one rule is
okay and the rest aren't needed, but that's only my opinion.)

>> Does the ptrace show up if you have all the other rules? (...)

Sorry, Mr Strandboge, but I don't understand. Do You mean the log files and
e.g. "DENIED" entries? Let's see: when I decided to block the 'ptrace' rules and
added all the rules mentioned in my first message, no - 'ptrace' did not show
up as - for example - "DENIED" logs etc. As I mentioned already, when the
'rsyslog' package was updated, log file rotation was broken, log
files were empty and so on.

>> The use of systemctl has me very concerned and begs the question of the
>> utility of the profile since the policy is at best advisory at that point.

True, 'systemctl' is... invasive? I don't know if it's the proper word, but
it shows up as 'comm="systemctl"' in all the AppArmor logs (I mean those mentioned
by me, after the 'rsyslog' update etc.).

By the way: when Mr Christian Boltz updated the Logrotate profile (see 1.),
there were two 'abstractions': 'bash' and 'nameservice'. I noticed that in
my case it's 'base' and 'bash'. Strange. Which 'abstractions' should be
used? (Please note that the 'base' abstraction contains 3 'ptrace' rules.)
So, which 'abstractions' should be used? Can You check this? Of course, only if
you're using the Logrotate profile.

I'm asking because I always try not to use "big" 'abstractions' that
contain a lot of rules (and that way give much more access to apps etc.).
I'd rather use the proper rule(s). In short: what is in the log entries
becomes a rule. Of course, there are situations where allowing some access,
even when there is an "ALLOWED/DENIED" entry, is not a good idea etc. But
that is a different story, a completely different story. Apologies for going off-topic.

Okay, I'm a little tired, so apologies for any mistakes or stupid, naive
questions.

Thanks, best regards.
_____________________
1. https://lists.ubuntu.com/archives/apparmor/2016-December/010388.html
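The "what is in the log entries becomes a rule" approach discussed above, as an added example that is not part of this thread or of the AppArmor project's tooling (aa-logprof does the real job): it parses AppArmor "DENIED" audit records into candidate profile rules, adds the 'owner' prefix only where the denied file is owned by the confined process's fsuid, and sets aside the accesses the thread treats as risky (ptrace, capabilities such as net_admin, and anything requested via comm="systemctl") for manual review instead of emitting an allow rule. The log lines follow the shape of real AppArmor AVC records, but every value in them, the profile path and the review lists are constructed for this example.

```python
"""
Added example (not from the thread): turn AppArmor "DENIED" audit lines into
candidate profile rules, keeping risky accesses in a separate review list.
All sample data below is constructed; the profile path is a placeholder.
"""
import re
from collections import OrderedDict

PROFILE = "/usr/sbin/logrotate"  # placeholder profile name for the example

# Constructed sample audit lines: real AppArmor AVC field layout, invented values.
SAMPLE_LOG = """\
type=AVC msg=audit(1554930000.123:1): apparmor="DENIED" operation="open" profile="/usr/sbin/logrotate" name="/var/log/example.log" pid=1001 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1554930000.124:2): apparmor="DENIED" operation="connect" profile="/usr/sbin/logrotate" name="/run/systemd/private" pid=1002 comm="systemctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
type=AVC msg=audit(1554930000.125:3): apparmor="DENIED" operation="capable" profile="/usr/sbin/logrotate" pid=1002 comm="systemctl" capability=12 capname="net_admin"
type=AVC msg=audit(1554930000.126:4): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/logrotate" pid=1001 comm="logrotate" requested_mask="read" denied_mask="read" peer="unconfined"
type=AVC msg=audit(1554930000.127:5): apparmor="DENIED" operation="open" profile="/usr/sbin/logrotate" name="/var/log/other.log" pid=1001 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
"""

# Accesses that get a "review" verdict instead of a suggested allow rule
# (chosen for this example, mirroring the concerns raised in the thread).
REVIEW_OPS = {"ptrace", "signal", "capable"}
REVIEW_COMMS = {"systemctl"}

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one audit line into its key=value fields (quoted or bare values)."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in _FIELD.findall(line)}


def file_mask(denied):
    """Normalise a denied_mask string into AppArmor's usual letter order."""
    return "".join(c for c in "rwalkmx" if c in denied)


def rule_for(f):
    """Build the candidate rule text for one parsed DENIED record, or None."""
    op = f.get("operation", "")
    if op == "capable":
        return "capability %s," % f["capname"]
    if op == "ptrace":
        return "ptrace (%s) peer=%s," % (f.get("denied_mask", "read"), f.get("peer", "unconfined"))
    name = f.get("name")
    if not name:
        return None  # no template for this operation (e.g. signal); reviewed by hand
    # 'owner' only when the process's fsuid matches the object's owner uid.
    owner = "owner " if f.get("fsuid") is not None and f.get("fsuid") == f.get("ouid") else ""
    return "%s%s %s," % (owner, name, file_mask(f.get("denied_mask", "")))


def suggest_rules(log_text, profile=PROFILE):
    """Return (allow_rules -> count, [(rule_or_op, reason)]) for DENIED lines of `profile`."""
    allow, review = OrderedDict(), []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        op, comm = f.get("operation", ""), f.get("comm", "")
        rule = rule_for(f)
        if rule is None:
            review.append((op, "no rule template for this operation"))
        elif comm in REVIEW_COMMS:
            review.append((rule, "requested via comm=%s" % comm))
        elif op in REVIEW_OPS:
            review.append((rule, "operation %s widens the profile" % op))
        else:
            allow[rule] = allow.get(rule, 0) + 1
    return allow, review


if __name__ == "__main__":
    allow, review = suggest_rules(SAMPLE_LOG)
    print("# candidate rules for", PROFILE)
    for rule, count in allow.items():
        print("  %s  # seen %d time(s)" % (rule, count))
    print("# needs manual review before adding")
    for rule, why in review:
        print("  # %s  <- %s" % (rule, why))
```

Run it against the constructed lines and the two plain file opens come out as allow rules (one with 'owner', one without, because the second file is owned by uid 1000), while the systemctl socket connect, the net_admin capability and the ptrace denial land in the review list; feeding it real `journalctl` or `/var/log/audit/audit.log` output instead of SAMPLE_LOG is the only change needed.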