[apparmor] [patch] capability syslog for syslog* profiles
John Johansen
john.johansen at canonical.com
Thu Aug 18 22:24:23 UTC 2011
On 08/18/2011 03:18 PM, Christian Boltz wrote:
> Hello,
>
> the attached patch adds "capability syslog" to the syslogd and syslog-ng
> profiles.
>
> It also adds a comment to the klogd profile that capability sys_admin is
> only needed for backward compatibility with older kernels.
>
>
> Regards,
>
> Christian Boltz
> --
> Nobody will ever need more than 640 kB RAM. -- Bill Gates, 1983
> Windows XP requires 64 MB RAM. -- Bill Gates, 2001
> Nobody will ever need Windows XP. -- logical conclusion
>
>
> profiles-add-syslog-capability.diff
>
>
> === modified file 'profiles/apparmor.d/sbin.klogd'
> --- profiles/apparmor.d/sbin.klogd 2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/sbin.klogd 2011-08-18 21:31:37 +0000
> @@ -14,7 +14,7 @@
> /sbin/klogd {
> #include <abstractions/base>
>
> - capability sys_admin,
> + capability sys_admin, # for backward compatibility with kernel <= 2.6.37
> capability syslog,
>
> network inet stream,
>
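Review bot: The trailing comment added to `capability sys_admin,` gives the cut-off as "kernel <= 2.6.37" without a source; please double-check that boundary against the kernel release that introduced the syslog capability and record it in the commit message. Because sys_admin is far broader than syslog, consider putting the note on its own comment line above the rule and stating that the rule should be dropped once those kernels are no longer supported, so the fallback does not outlive its reason.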
> === modified file 'profiles/apparmor.d/sbin.syslog-ng'
> --- profiles/apparmor.d/sbin.syslog-ng 2011-08-08 20:59:28 +0000
> +++ profiles/apparmor.d/sbin.syslog-ng 2011-08-18 21:26:39 +0000
> @@ -27,6 +27,7 @@
> capability fowner,
> capability sys_tty_config,
> capability sys_resource,
> + capability syslog,
>
> /dev/log w,
> /dev/syslog w,
>
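Review bot: `capability syslog,` is added after `capability sys_resource,` with no comment, and the description does not say which syslog-ng operation is denied without it. The file rules visible in this hunk only cover writes to /dev/log and /dev/syslog, so please name the kernel-log access that needs the capability (ideally quoting the AppArmor denial) in the commit message. The klogd hunk keeps sys_admin for older kernels while nothing in this hunk's context does the same; if that difference is intentional, a word in the description would help.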
> === modified file 'profiles/apparmor.d/sbin.syslogd'
> --- profiles/apparmor.d/sbin.syslogd 2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/sbin.syslogd 2011-08-18 21:26:23 +0000
> @@ -21,6 +21,7 @@
> capability dac_read_search,
> capability setuid,
> capability setgid,
> + capability syslog,
>
> /dev/log wl,
> /var/lib/*/dev/log wl,
>
>
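Review bot: The `capability syslog,` rule added after `capability setgid,` grants syslogd the same capability the separate sbin.klogd profile already carries, so it is worth confirming that syslogd itself reads the kernel log rather than only serving /dev/log. If it does not, the rule widens the profile for no benefit and should be left out; if it does, a short comment next to the rule saying so would keep the grant auditable.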
Acked-by: John Johansen <john.johansen at canonical.com>