On 08/27/2014 04:34 PM, Jamie Strandboge wrote:
> Starting a subthread for some additions to John's patches. This series assumes
> John's 12 patches are applied and includes updates to the apparmor.d man page
> and some policy updates. I expect I might have to adjust this a bit, but wanted
> to send it up for comment. Let's have an ACK mean to apply it once it is safe to
> do so.
>

When testing rsyslog confinement, I noticed it needed this added to its policy:

  unix (receive) type=dgram,
  unix (receive) type=stream,

I don't have syslogd and syslog-ng systems to test this on, but it seemed to make sense to add the above for sbin.syslogd and sbin.syslog-ng. If someone can confirm or even confirm that type=stream should *not* be used with either/both of these, I can adjust the policy as needed.

--
Jamie Strandboge
http://www.ubuntu.com/
Author: Jamie Strandboge <[email protected]> Description: add unix rules for syslog Index: apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslogd =================================================================== --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/sbin.syslogd +++ apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslogd @@ -23,6 +23,9 @@ capability setgid, capability syslog, + unix (receive) type=dgram, + unix (receive) type=stream, + /dev/log wl, /var/lib/*/dev/log wl, Index: apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslog-ng =================================================================== --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/sbin.syslog-ng +++ apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslog-ng @@ -30,6 +30,9 @@ capability sys_resource, capability syslog, + unix (receive) type=dgram, + unix (receive) type=stream, + /dev/log w, /dev/syslog w, /dev/tty10 rw,
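Review bot: in the sbin.syslogd hunk, the two added rules after "capability syslog," are carried over from the rsyslog policy and, per the message above, have not been exercised on a syslogd system, with "unix (receive) type=stream," explicitly in question. Consider holding the stream rule back until someone confirms syslogd needs it, or add a comment above the pair recording that it mirrors the rsyslog profile and is untested for this daemon, so a later reader knows it can be tightened.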
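Review bot: in the sbin.syslog-ng hunk, the two added unix rules carry only a type condition, with no addr or peer condition, so they allow receive on any unix dgram or stream socket of the daemon, while the file rules directly below them name specific paths (/dev/log, /dev/syslog). A one-line comment above the pair saying which sockets the rules are meant to cover would document the intent, and if those sockets can be identified, narrowing the rules would keep the profile closer to least privilege. The same point applies to the identical pair added to sbin.syslogd.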
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
