Hi Daniel,

On Tue, Nov 08, 2016 at 03:31:42PM +0100, daniel curtis wrote:
> I'm using a pretty simple profile (similar to this one [1]). So, should I add
> something like this to my existing profile?:
>
> 1) /var/lib/logrotate/status rw, ## it's sufficient to *_mask="c"?

Don't forget that the error message that was logged was about
/var/lib/logrotate/status.clean -- so be sure you add a rule that allows
this file as well.

(The 'c' mode reported by the kernel doesn't actually exist in the policy
language; 'w' will cover it. We may introduce 'c' in the future, thus we've
kept this separate in the logs.)

> 2) /bin/sed x, ## or: mixr,
> 3) /bin/mv x, ## or: mixr,

I'd use the 'mixr' mode for /bin/sed and /bin/mv.

> 4) /var/lib/logrotate/ r,
>    /var/lib/logrotate/* r,

It might be worth granting write access to files in this directory -- after
all, if logrotate itself doesn't write to this directory then why would it
exist?

> 5) /etc/logrotate.d/ r,
>    /etc/logrotate.d/* r,

Thanks
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
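An added example, not part of the original message or of the AppArmor tools: a small Python helper that reads kernel AppArmor audit lines and turns DENIED file events into candidate profile rules, folding the kernel-only 'c' mask into 'w' as the reply describes. The log lines, the profile name `/usr/sbin/logrotate` and the function name `suggest_rules` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel's AppArmor audit format (not from the thread).
SAMPLE_LOG = """\
audit: type=1400 audit(1478615502.101:45): apparmor="DENIED" operation="mknod" profile="/usr/sbin/logrotate" name="/var/lib/logrotate/status.clean" pid=1234 comm="logrotate" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1478615502.105:46): apparmor="DENIED" operation="open" profile="/usr/sbin/logrotate" name="/var/lib/logrotate/status" pid=1234 comm="logrotate" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1478615502.110:47): apparmor="ALLOWED" operation="open" profile="/usr/sbin/logrotate" name="/etc/logrotate.conf" pid=1234 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')
# Kernel-only mask letters folded into policy-language modes.
# 'c' -> 'w' is stated in the reply; 'd' (delete) -> 'w' is added here on the same basis.
KERNEL_TO_POLICY = {"c": "w", "d": "w"}
# Exec ('x') is left out on purpose: it needs a transition mode chosen by hand
# (the reply picks 'mixr' for /bin/sed and /bin/mv).
ORDER = "rwaklm"

def suggest_rules(log_text, profile):
    """Return sorted 'path modes,' rules covering DENIED file events for profile."""
    modes = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue  # ignore ALLOWED (complain-mode) events and other profiles
        if "name" not in f or "denied_mask" not in f:
            continue  # not a file event, or the path was hex-encoded (unquoted)
        for ch in f["denied_mask"]:
            modes[f["name"]].add(KERNEL_TO_POLICY.get(ch, ch))
    rules = []
    for path in sorted(modes):
        m = "".join(c for c in ORDER if c in modes[path])
        if m:
            rules.append(f"{path} {m},")
    return rules

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, "/usr/sbin/logrotate"):
        print("  " + rule)
```

The output is a starting point for review, not a finished profile: each suggested rule should be checked against what the confined program is meant to do before it is added.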
