[apparmor] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.
Christian Boltz
apparmor at cboltz.de
Fri Nov 18 10:57:39 UTC 2016
Hello,
On Thursday, 17 November 2016, 12:44:18 CET, daniel curtis wrote:
> Yes, you're right - my profile is based on a logrotate profile, which
> can be found here [1]. But, as you probably noticed, I've had to add
> a couple rules - for example - /bin/dash and capabilities etc.
I know. This profile hasn't been updated for years, so it's not surprising
that it needs quite some updates.
> Of course I can send a patch or even the whole profile (I think it can
> be better, because of my comments made on every added rule). Some of
> the directory or files which are in the profile, are not in my system
> i.e.: /{run,var}/lock/samba and so on - that's why I had to add
> various comments.
>
> One more thing: if it's about a patch, I should do it - for example -
> this way?
>
> +++ /bin/dash mrix,
> +++ /bin/sed mixr,
> +++ /bin/mv mixr,
You can use the diff tool to create a patch:

    diff -u oldfile newfile > patch

Please make sure to always use the -u option ("unified diff", that's the
patch format people expect and can read easily).
> Or maybe it's better to send a whole profile?
That's another option - usually not the best one [1], but in this case
it's OK.
> There were some problems
> with log files permissions etc. (see previous messages) and I decided
> to remove logrotate profile for now. So we will need additional
> tests.
Even if the profile is still incomplete, it will be much better with your
additions ;-)
Oh, BTW: since you added quite some rules, please add a copyright line
at the beginning of the profile.
Regards,
Christian Boltz
[1] When sending the changed file, it can be hard to find out what you
    really changed and what differences come from using an old file as
    base. This means we'd have to guess which version of the file you
    based your changes on before we can check what you changed.

    In comparison, a patch contains only what you changed, and typically
    also can be applied to a newer version of the file.

    In this case, it doesn't really matter because the logrotate profile
    hasn't changed in years - but in general, sending a patch is
    better than sending the modified file.
--
[ Yes ] [ No ]
... used for harmless errors or simple questions: "It's high time you
had your cup of coffee! Would you like your KDE to prepare one for you?"
[Lukas Ocilka in opensuse-factory - YaST2 button styleguide]
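
The workflow described in this message, as an added example that is not part of the original mail: it builds a unified diff for the three rules quoted above, lists only the added rules for review, and applies the patch to a newer copy of the base file. The profile text and the file names (logrotate.old, logrotate.new, logrotate.upstream) are constructed for illustration; diff, awk and patch are assumed to be installed.

```shell
#!/bin/sh
# Added example. The profile text is a constructed sample, not the real logrotate profile.

build_files() {   # $1 = empty work directory
    cat > "$1/logrotate.old" <<'EOF'
/usr/sbin/logrotate {
  #include <abstractions/base>

  capability chown,
  capability dac_override,

  /bin/gzip mixr,
  /etc/logrotate.conf r,
  /etc/logrotate.d/ r,
  /etc/logrotate.d/* r,
  /var/log/** rw,
}
EOF
    # Contributor's copy: the three rules from the mail, added before /bin/gzip.
    awk '/\/bin\/gzip/ { print "  /bin/dash mrix,"; print "  /bin/sed mixr,"; print "  /bin/mv mixr," }
         { print }' "$1/logrotate.old" > "$1/logrotate.new"
    # Hypothetical newer upstream copy: one unrelated line added near the top.
    awk '{ print } /abstractions\/base/ { print "  #include <abstractions/nameservice>" }' \
        "$1/logrotate.old" > "$1/logrotate.upstream"
}

make_patch() {    # diff exits 1 when the files differ; only a status above 1 is an error
    ( cd "$1" && { diff -u logrotate.old logrotate.new > logrotate.patch || [ "$?" -eq 1 ]; } )
}

added_rules() {   # what a reviewer has to read: '+' lines without the '+++' file header
    grep '^+' "$1/logrotate.patch" | grep -v '^+++ ' | cut -c2-
}

apply_to_upstream() {   # the hunk still applies although upstream shifted by one line
    ( cd "$1" && patch -s logrotate.upstream < logrotate.patch )
}

demo() {
    dir=$(mktemp -d) || return 1
    build_files "$dir" && make_patch "$dir" && added_rules "$dir" &&
        apply_to_upstream "$dir" && cat "$dir/logrotate.upstream"
    rc=$?; rm -rf "$dir"; return "$rc"
}

demo || echo "demo failed (are diff and patch installed?)" >&2
```

The patch carries only the three new rules plus three lines of context on each side, so the /var/log rule never appears in it, and the context lines are what let patch locate the hunk in the shifted upstream copy.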