Hello,

the latest syslog-ng version needs some more permissions:

- abstractions/openssl (for reading openssl.conf)
- reading /etc/syslog-ng/conf/
- reading the journal
- reading /etc/machine-id (it's unclear why this is needed, therefore I don't want abstractions/dbus-session-strict for now)
- write access to /run/syslog-ng.ctl

References:
https://bugzilla.opensuse.org/show_bug.cgi?id=948584
https://bugzilla.opensuse.org/show_bug.cgi?id=948753

I propose this patch for trunk and 2.9.

[ profiles-syslog-ng-bnc948584.diff ]
=== modified file 'profiles/apparmor.d/sbin.syslog-ng' --- profiles/apparmor.d/sbin.syslog-ng 2015-03-07 20:16:11 +0000 +++ profiles/apparmor.d/sbin.syslog-ng 2015-10-07 10:33:01 +0000 @@ -20,6 +20,7 @@ #include <abstractions/consoles> #include <abstractions/nameservice> #include <abstractions/mysql> + #include <abstractions/openssl> capability chown, capability dac_override, @@ -37,7 +38,10 @@ /dev/syslog w, /dev/tty10 rw, /dev/xconsole rw, + /etc/machine-id r, /etc/syslog-ng/* r, + /etc/syslog-ng/conf.d/ r, + /etc/syslog-ng/conf.d/* r, @{PROC}/kmsg r, /etc/hosts.deny r, /etc/hosts.allow r, @@ -50,6 +54,10 @@ @{CHROOT_BASE}/var/log/** w, @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw, @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw, + /var/log/journal/ r, + /var/log/journal/*/ r, + /var/log/journal/*/*.journal r, + /{var/,}run/syslog-ng.ctl a, /{var/,}run/syslog-ng/additional-log-sockets.conf r, # Site-specific additions and overrides. See local/README for details.

Regards,

Christian Boltz
--
> And where do you put the backup when the only partition
> is mounted read-only? *SCNR*
Preferably on /dev/null - that's the fastest :-)
[> Christian Boltz and Rainer Kaluscha in suse-linux]
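
Review bot: the `/etc/machine-id r,` rule in the second hunk (@@ -37,7 +38,10 @@) carries no comment saying why syslog-ng reads that file, and the cover message itself calls the need unclear. Add a one-line comment above the rule recording what triggers the read, so the grant can be re-evaluated later. The message also lists `/etc/syslog-ng/conf/` while the rules added here are for `/etc/syslog-ng/conf.d/`; one of the two should be corrected so the description matches the profile.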
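
Review bot: in the third hunk (@@ -50,6 +54,10 @@) the new `/{var/,}run/syslog-ng.ctl a,` rule grants append only, while the cover message asks for write access and the existing `@{CHROOT_BASE}` rule for the same file uses `rw`. Please confirm that `a` is sufficient for the control socket, or use the same mode as the chroot rule. The journal rules in the same hunk cover only `/var/log/journal/`; on systems where the journal is kept in volatile storage under `/run/log/journal/` those reads would still be denied, so consider an alternation that covers both locations.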
