[apparmor] [profile] logrotate: new rules needed.
Seth Arnold
seth.arnold at canonical.com
Wed Apr 10 23:05:11 UTC 2019
On Wed, Apr 10, 2019 at 06:31:59PM +0000, daniel curtis wrote:
> Two years ago, Mr Seth Arnold, Mr Christian Boltz and I, started to work on
> Logrotate profile updates, because profile, which was then available did
> not have many necessary rules etc. However, We managed to achieve a
> satisfactory result (see 1.)
Hello Daniel,
> # apparmor="DENIED" operation="open"
> # profile="/etc/cron.daily/logrotate"
> # name="/proc/sys/kernel/osrelease" comm="systemctl"
> # requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I think a mistake was made here, and it influenced nearly everything
beyond this point. systemctl should not be an 'ix' rule. It requires way
more privileges for it to do its work than logrotate needs to do its work.
Cx, maybe. Ux, maybe. But ix is setting yourself up for adding so many
privileges to logrotate that the profile isn't actually confining
logrotate much. It's just a maintenance hassle.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190410/e635d7cc/attachment.sig>
More information about the AppArmor
mailing list