[apparmor] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

Seth Arnold seth.arnold at canonical.com
Mon Nov 21 19:44:17 UTC 2016


On Mon, Nov 21, 2016 at 01:06:03PM +0100, daniel curtis wrote:
> Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400
> audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192
> profile="/etc/cron.daily/logrotate" pid=3197 comm="logrotate" capability=0
> capname="chown"
> 
> It should be: 'capability chown,'. Am I right? If yes then logrotate
> profile need, at least, three capabilities:
> 
> capability dac_override,
> capability dac_read_search,
> capability chown,

Correct.

> And, if rules mentioned earlier are OK to use, then we also need to add:
> 
> /usr/bin/head mrix,
> /usr/sbin/invoke-rc.d mrix,
> /bin/sleep mrix,

Correct.

> 
> ## According to: requested_mask="r" denied_mask="r"
> /var/lib/logrotate/ r,
> /var/lib/logrotate/* rw,

Correct.

> 
> ## And this one: name="/var/lib/logrotate/status"
> ## requested_mask="wc" denied_mask="wc"
> /var/lib/logrotate/status ??,

Handled by the previous rule.

> What is your opinion about this? Maybe the lack of 'capability chown' is
> responsible for changing /var/log/kern.log and syslog files permissions
> etc.? I hope, at least, that's all the things, and the logrotate profile
> can be updated.

Well, strictly speaking, because the chown capability was denied,
that's what _prevented_ changing the ownership on /var/log/kern.log
and /var/log/syslog. :) logrotate wasn't able to fix the ownerships as
a result.

Thanks
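The exchange above walks through turning kernel `apparmor="DENIED"` audit lines into profile rules by hand (a `capable` denial becomes a `capability` rule, a file denial becomes a path rule with the denied mask, and a rule such as `/var/lib/logrotate/* rw,` already covers `/var/lib/logrotate/status`). The following is an added example, not code from the thread or from the AppArmor project, that does the same translation mechanically. The three log lines are constructed: the first reproduces the denial quoted in the thread, the other two are built from the partial fields the poster mentions (`name=`, `requested_mask=`, `denied_mask=`), with their timestamps and extra fields assumed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: line 1 is the denial quoted in the thread; lines 2
# and 3 are assembled from the file-access fields the poster mentions.
SAMPLE_LOG = """\
Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400 audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192 profile="/etc/cron.daily/logrotate" pid=3197 comm="logrotate" capability=0 capname="chown"
Nov 20 12:46:39 t4 kernel: [ 1603.727901] type=1400 audit(1479642399.936:91): apparmor="DENIED" operation="open" parent=3192 profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/status" pid=3197 comm="logrotate" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Nov 20 12:46:39 t4 kernel: [ 1603.727950] type=1400 audit(1479642399.936:92): apparmor="DENIED" operation="open" parent=3192 profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/" pid=3197 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Letters seen in denied_mask mapped to file-rule permissions: create ('c')
# and delete ('d') are granted by 'w' in a profile rule.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "l": "l", "k": "k", "m": "m"}
PERM_ORDER = "rwalkm"


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of a DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields: Dict[str, str] = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def rule_for(fields: Dict[str, str]) -> Optional[str]:
    """Translate one parsed denial into the profile rule that would allow it."""
    if fields.get("operation") == "capable" and "capname" in fields:
        return f"capability {fields['capname']},"
    if "name" in fields and "denied_mask" in fields:
        perms = {MASK_TO_PERM[c] for c in fields["denied_mask"] if c in MASK_TO_PERM}
        if not perms:
            return None
        mask = "".join(p for p in PERM_ORDER if p in perms)
        return f"{fields['name']} {mask},"
    return None  # exec denials and the like need a human decision


def suggest_rules(log: str) -> Dict[str, List[str]]:
    """Group suggested rules by profile, keeping first-seen order, no duplicates."""
    by_profile: Dict[str, List[str]] = {}
    for line in log.splitlines():
        fields = parse_denial(line)
        if not fields:
            continue
        rule = rule_for(fields)
        if rule is None:
            continue
        rules = by_profile.setdefault(fields.get("profile", "?"), [])
        if rule not in rules:
            rules.append(rule)
    return by_profile


def apparmor_path_matches(pattern: str, path: str) -> bool:
    """AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.fullmatch(out, path) is not None


def already_covered(rule: str, existing: List[str]) -> bool:
    """True if an existing rule already grants everything the suggestion asks for."""
    if rule.startswith("capability "):
        return rule in existing
    path, perms = rule.rstrip(",").rsplit(" ", 1)
    for ex in existing:
        if ex.startswith("capability "):
            continue
        ex_path, ex_perms = ex.rstrip(",").rsplit(" ", 1)
        if apparmor_path_matches(ex_path, path) and set(perms) <= set(ex_perms):
            return True
    return False


if __name__ == "__main__":
    current = ["/var/lib/logrotate/ r,", "/var/lib/logrotate/* rw,"]
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f'profile "{profile}" needs:')
        for r in rules:
            note = "  (already covered)" if already_covered(r, current) else ""
            print(f"  {r}{note}")
```

Run against the sample, it suggests `capability chown,`, `/var/lib/logrotate/status w,` and `/var/lib/logrotate/ r,` for the logrotate profile, and flags the `status` rule as redundant once `/var/lib/logrotate/* rw,` is present, which is the point Seth makes above. The mask translation is deliberately conservative: it only emits the letters actually denied rather than broadening to `rw`, so the operator still decides how wide each rule should be.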