[apparmor] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

Seth Arnold seth.arnold at canonical.com
Tue Nov 8 19:39:24 UTC 2016


Hi Daniel,

On Tue, Nov 08, 2016 at 03:31:42PM +0100, daniel curtis wrote:
> I'm using a pretty simple profile (similar to this one [1]). So, should I add
> something like this to my existing profile?:
> 
> 1) /var/lib/logrotate/status rw,   ## it's sufficient to *_mask="c"?

Don't forget that the error message that was logged was about
/var/lib/logrotate/status.clean -- so be sure you add a rule that allows
this file as well.

(The 'c' mode reported by the kernel doesn't actually exist in the policy
language; 'w' will cover it. We may introduce 'c' in the future, thus
we've kept this separate in the logs.)

> 2) /bin/sed x,  ## or: mixr,
> 3) /bin/mv x,   ## or: mixr,

I'd use the 'mixr' mode for /bin/sed and /bin/mv.

> 4) /var/lib/logrotate/ r,
>     /var/lib/logrotate/* r,

It might be worth granting write access to files in this directory --
after all, if logrotate itself doesn't write to this directory then why
would it exist?

> 5) /etc/logrotate.d/ r,
>     /etc/logrotate.d/* r,

Thanks
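As an added illustration (not code from this thread or from the AppArmor project): a small Python helper that reads AppArmor DENIED audit records, maps the kernel's denied mask letters to profile permissions (treating 'c' as 'w', as described above) and merges them into one rule per denied path. The log lines are constructed samples in the usual AVC record layout, and the choice of 'mixr' for exec denials follows the advice given in the reply.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the thread); the field
# layout follows the usual AppArmor AVC record format.
SAMPLE_LOG = """\
type=AVC msg=audit(1478620302.123:456): apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/status.clean" pid=1234 comm="logrotate" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1478620302.124:457): apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/status" pid=1234 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1478620302.125:458): apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/sed" pid=1235 comm="logrotate" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Kernel-reported mask letters -> profile permission letters. 'c' (create)
# has no equivalent in the policy language yet; 'w' covers it.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "x": "x", "k": "k", "l": "l", "m": "m"}


def parse_denials(log_text):
    """Return (profile, path, denied_mask) for every DENIED record."""
    out = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = dict(FIELD_RE.findall(line))
        if "profile" in f and "name" in f and "denied_mask" in f:
            out.append((f["profile"], f["name"], f["denied_mask"]))
    return out


def suggest_rules(denials):
    """Merge denials per (profile, path) and return one rule line per path."""
    perms = defaultdict(set)
    for profile, path, mask in denials:
        for ch in mask:
            perms[(profile, path)].add(MASK_TO_PERM.get(ch, ch))
    rules = defaultdict(list)
    for (profile, path), p in sorted(perms.items()):
        if "x" in p:
            # Execute denial: use 'mixr' as suggested in the reply
            # (inherit the current profile, plus read/mmap of the binary).
            rules[profile].append(f"{path} mixr,")
        else:
            rules[profile].append(f"{path} {''.join(sorted(p))},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"# rules to review for {profile}")
        print("\n".join("  " + r for r in lines))
```

The output is a starting point to review by hand, not something to paste in unchecked: a denial on a directory such as /var/lib/logrotate/ may be better served by a broader write rule, as the reply points out.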