On Wed, Aug 27, 2014 at 04:53:03PM -0500, Jamie Strandboge wrote:
> On 08/27/2014 04:34 PM, Jamie Strandboge wrote:
> 
> > Starting a subthread for some additions to John's patches. This series assumes
> > John's 12 patches are applied and includes updates to the apparmor.d man page
> > and some policy updates. I expect I might have to adjust this a bit, but wanted
> > to send it up for comment. Let's have an ACK mean to apply it once it is safe to
> > do so.
> > 
> When testing rsyslog confinement, I noticed it needed this added to its policy:
>   unix (receive) type=dgram,
>   unix (receive) type=stream,
> 
> I don't have syslogd and syslog-ng systems to test this on, but it seemed to
> make sense to add the above for sbin.syslogd and sbin.syslog-ng. If someone can
> confirm or even confirm that type=stream should *not* be used with either/both
> of these, I can adjust the policy as needed.
> 
> -- 
> Jamie Strandboge                 http://www.ubuntu.com/


Acked-by: Seth Arnold <[email protected]>

Thanks

> Author: Jamie Strandboge <[email protected]>
> Description: add unix rules for syslog
> 
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslogd
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/sbin.syslogd
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslogd
> @@ -23,6 +23,9 @@
>    capability setgid,
>    capability syslog,
>  
> +  unix (receive) type=dgram,
> +  unix (receive) type=stream,
> +
>    /dev/log                      wl,
>    /var/lib/*/dev/log            wl,
>  
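
Review bot: the "unix (receive) type=stream," rule added after "capability syslog," in sbin.syslogd has not been exercised on a syslogd system; the message above says the need was observed only under rsyslog confinement and asks whether type=stream applies here at all. I would hold the stream rule for this profile until someone confirms it on a running syslogd, or at least put a comment above the two rules noting that they were carried over from rsyslog testing, so a later reader knows they were not derived from denials seen with this daemon.
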
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslog-ng
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/sbin.syslog-ng
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/sbin.syslog-ng
> @@ -30,6 +30,9 @@
>    capability sys_resource,
>    capability syslog,
>  
> +  unix (receive) type=dgram,
> +  unix (receive) type=stream,
> +
>    /dev/log w,
>    /dev/syslog w,
>    /dev/tty10 rw,
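
Review bot: the two rules added after "capability syslog," in sbin.syslog-ng are undocumented and carry no conditional other than type, which is the broadest form of a receive rule for dgram and stream sockets. A one-line comment above them saying why receive is needed (log messages arriving on the sockets listed just below, such as /dev/log) would let the next maintainer judge whether the rules can be tightened once the unix mediation series settles. The same pair is now pasted into two profiles, so if the series offers a shared abstraction for syslog daemons, that would be a better home than per-profile copies.
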




> -- 
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/apparmor
