[apparmor] [profile] logrotate: new rules needed.
Jamie Strandboge
jamie at canonical.com
Wed Apr 10 23:25:05 UTC 2019
On Wed, 10 Apr 2019, Seth Arnold wrote:
> On Wed, Apr 10, 2019 at 06:31:59PM +0000, daniel curtis wrote:
> > Two years ago, Mr Seth Arnold, Mr Christian Boltz and I, started to work on
> > Logrotate profile updates, because profile, which was then available did
> > not have many necessary rules etc. However, We managed to achieve a
> > satisfactory result (see 1.)
>
> Hello Daniel,
>
> > # apparmor="DENIED" operation="open"
> > # profile="/etc/cron.daily/logrotate"
> > # name="/proc/sys/kernel/osrelease" comm="systemctl"
> > # requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> I think a mistake was made here, and it influenced nearly everything
> beyond this point. systemctl should not be an 'ix' rule. It requires way
> more privileges for it to do its work than logrotate needs to do its work.
>
> Cx, maybe. Ux, maybe. But ix is setting yourself up for adding so many
> privileges to logrotate that the profile isn't actually confining
> logrotate much. It's just a maintenance hassle.
and my greater point is that a Cx or Ux results in not confining logrotate much
either.
--
Jamie Strandboge | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190410/5451cfff/attachment.sig>
More information about the AppArmor
mailing list