[apparmor] Ubuntu profile for squid3
Jamie Strandboge
jamie at canonical.com
Thu May 3 20:18:46 UTC 2012
On Thu, 2012-05-03 at 15:59 -0400, Simon Deziel wrote:
> On 12-05-03 03:46 PM, Jamie Strandboge wrote:
> > ACK, though I did add a squidguard child profile:
>
> Great, I'll give that a try.
>
> > # squidguard
> > /usr/bin/squidGuard Cx -> squidguard,
> > profile squidguard {
> > #include <abstractions/base>
> >
> > /etc/squid/squidGuard.conf r,
> > /var/log/squid{,3}/squidGuard.log w,
> > /var/lib/squidguard/** rw,
> >
> > # squidguard by default uses /var/log/squid as its logdir, however, we
> > # don't want it to modify squid's logs, only its own. Explicitly deny
> > # writes to squid's files but allow all others since the user may specify
> > # anything via the squidGuard 'log' directive.
> > /var/log/squid{,3}/* rw,
> > audit deny /var/log/squid{,3}/{access,cache,store}.log* w,
>
> While I don't know squidguard at all, I'm a bit surprised it requires
> read access to the logs. If it does then maybe it shouldn't be able to
> read those belonging to squid itself?

Hrmm, I thought I saw it needed access to access.log, but it doesn't
after all. Updating to use:

# squidguard by default uses /var/log/squid as its logdir, however, we
# don't want it to access squid's logs, only its own. Explicitly deny
# access to squid's files but allow all others since the user may specify
# anything for the squidGuard 'log' directive.
/var/log/squid/* rw,
audit deny /var/log/squid/{access,cache,store}.log* rw,

Nice catch.

--
Jamie Strandboge | http://www.canonical.com
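
The effect of the rules in this message can be checked with a small model of AppArmor path matching, where an explicit deny overrides any allow. This is an added example, not part of the original message or of AppArmor itself; the matcher is simplified to `*`, `**`, `?` and `{}`, the `abstractions/base` include is not modelled, and the sample paths are constructed.

```python
import re

def aa_glob_to_regex(glob):
    """Translate the AppArmor glob subset used in this thread to a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")          # ** may cross '/'
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")       # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")           # alternation separator inside {}
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

# Rules as posted in the thread, with the updated log-directory pair.
ALLOW = [("/etc/squid/squidGuard.conf", "r"),
         ("/var/log/squid{,3}/squidGuard.log", "w"),
         ("/var/lib/squidguard/**", "rw"),
         ("/var/log/squid/*", "rw")]
DENY = [("/var/log/squid/{access,cache,store}.log*", "rw")]

def decide(path, perm):
    """Return 'deny' (explicit rule), 'allow', or 'implicit-deny' (no rule)."""
    hit = lambda rules: any(perm in p and aa_glob_to_regex(g).match(path)
                            for g, p in rules)
    if hit(DENY):                     # deny rules take precedence over allow
        return "deny"
    return "allow" if hit(ALLOW) else "implicit-deny"

if __name__ == "__main__":
    # Constructed sample paths, not taken from a real system.
    for path, perm in [("/var/log/squid/squidGuard.log", "w"),
                       ("/var/log/squid/access.log.1", "w"),
                       ("/var/log/squid/access.log", "r"),
                       ("/var/log/squid3/access.log", "w")]:
        print(f"{perm} {path}: {decide(path, perm)}")
```

In this model the last sample path falls through to "implicit-deny": with `{,3}` absent from the updated pair, `/var/log/squid3/` is covered by neither the broad allow nor the audited deny.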