[apparmor] [patch] syslog-ng - capability dac_read_search

Christian Boltz apparmor at cboltz.de
Fri Jan 6 00:30:07 UTC 2012


Hello,

Am Donnerstag, 5. Januar 2012 schrieb Steve Beattie:
> On Thu, Jan 05, 2012 at 12:26:45PM +0100, Christian Boltz wrote:
> > according to Peter Czanik, the openSUSE syslog-ng maintainer,
> > syslog-ng  needs capability dac_read_search.
> >
> > I also nominate this patch for the 2.7 branch.
> 
> I think this is okay (we already have dac_override) but is there a
> reference bug report or some other piece of documentation that might
> explain why?

Peter didn't mention details on the mailing list. It _seems_ to be caused
by a new syslog-ng version. Some searching brought up
https://bugzilla.novell.com/show_bug.cgi?id=731876 (search for
"capability" there).

Some quotes from the bug report:
-----------------------------------------------------------------------
Error managing capability set, cap_set_proc returned an error; caps='=
cap_syslog+ep 
cap_chown,cap_dac_override,cap_fowner,cap_net_bind_service+p
cap_dac_read_search+e', error='Operation not permitted (1)'
-----------------------------------------------------------------------
There was also a capability related message: it's coming from AppArmor. 
It's ugly, but still works fine. I try to investigate this, but 
audit.log does not show anything...
-----------------------------------------------------------------------

The last sentence is quite interesting[tm]...


Regards,

Christian Boltz
-- 
"Most people, in childhood, tend to move away from pointing at objects
(mouse movement) and saying 'ga' (mouse click) in favour of a more
powerful tool that takes much longer to learn (language)."
[Achim Linder in de.comp.os.unix.linux.misc]
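A worked reading of the caps string quoted from the bug report above, as an added example that is not part of the original mail or of syslog-ng itself: it applies the clause rules of cap_from_text(3) to the string (re-joined across the mail's line wrapping, which is an assumption) and lists which capabilities end up Effective but not Permitted, a combination capset(2) refuses with EPERM on its own, before any LSM such as AppArmor is consulted. Whether that is what actually happened in the bug cannot be told from the excerpt alone; the check only shows what to rule out before blaming the profile.

```python
import re

# Grammar of one clause, per cap_from_text(3): "[names][op][flags]..." where
# names is a comma list (or 'all' / empty), op is '=', '+' or '-', and flags
# are any of 'e', 'i', 'p' (Effective, Inheritable, Permitted).
CLAUSE = re.compile(r"^([a-z0-9_,]*)((?:[=+-][eip]*)+)$")
ACTION = re.compile(r"([=+-])([eip]*)")


def parse_cap_text(text):
    """Evaluate a libcap textual capability set and return the resulting
    {'e': set, 'i': set, 'p': set}.  All sets start empty and clauses apply
    left to right.  'all' (or an empty name list) is kept as the literal
    marker 'all' instead of being expanded to every capability name."""
    sets = {"e": set(), "i": set(), "p": set()}

    def lower(s, names):
        s.clear() if "all" in names else s.difference_update(names)

    for clause in text.lower().split():
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError("malformed clause: %r" % clause)
        names = {n for n in m.group(1).split(",") if n} or {"all"}
        for op, flags in ACTION.findall(m.group(2)):
            if op == "=":
                # '=' lowers the listed caps in all three sets, then raises
                # them in the flagged sets (flags are optional here).
                for s in sets.values():
                    lower(s, names)
            elif not flags:
                raise ValueError("%r needs explicit flags in %r" % (op, clause))
            for f in flags:
                lower(sets[f], names) if op == "-" else sets[f].update(names)
    return sets


def effective_not_permitted(sets):
    """Capabilities raised in Effective but absent from Permitted.  capset(2)
    rejects such a request with EPERM before any LSM is consulted."""
    return set() if "all" in sets["p"] else sets["e"] - sets["p"]


# The caps string from the syslog-ng error quoted in the bug report above,
# re-joined across the mail's line wrapping (assumed to be one string).
SYSLOG_NG_CAPS = ("= cap_syslog+ep "
                  "cap_chown,cap_dac_override,cap_fowner,cap_net_bind_service+p "
                  "cap_dac_read_search+e")

if __name__ == "__main__":
    result = parse_cap_text(SYSLOG_NG_CAPS)
    for flag, name in (("e", "effective"), ("p", "permitted"), ("i", "inheritable")):
        print("%-12s %s" % (name + ":", ", ".join(sorted(result[flag])) or "-"))
    print("effective but not permitted:", sorted(effective_not_permitted(result)))
```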