[apparmor] [profile] logrotate: new rules needed.
kleenex at keemail.me
Thu Apr 25 05:47:16 UTC 2019
Hello.

I'm sorry for such a long time without an answer. So, after five, six days of tests based on the removal (hashing) of some rules, e.g. 'ptrace', it turned out that these rules are needed. Firstly, after removing the rules, everything was okay - log files were rotated, information logged etc. However, today I noticed exactly the same symptoms which I described in my first mail: the '/var/log/syslog' file was empty all the time - nothing has been logged during the whole User session and so on. Additionally, there were plenty of the same "DENIED" messages (see my first mail). So, the situation has been repeated.

Mr Jamie Strandboge, you had asked about the 'ptrace' rule:

>> Does the ptrace show up if you have all the other rules? (...)
>> I was curious if there was still a ptrace denial.

When the 'ptrace' rule (and those for the 'net_admin' capability, '/run/systemd/private' and '/run/dbus/system_bus_socket' files) was removed/hashed, there were not any "DENIED" entries and logrotate worked as always - automatic rotation and compression of log files etc. Until today.

So, what do you think about all these rules? Are they okay and secure to use? Maybe there is another way to handle this? But I see that there are some doubts. (I mean Mr Strandboge's and Mr Arnold's answers.)

Thanks, best regards.