Hi Seth,

>> I forgot to mention that "normal user" is a bit of a misnomer (...)

In my case it was the first user created during system install. (A member of - among others - "adm" group etc.) And I could not open these files, because of "permission denied" messages. Of course, as I mentioned earlier, everything has worked via sudo(8). But this problem is already solved - thanks to You.

I thought about umask(2), because a looong time ago I changed its value to 077 and I think that logrotate - because of /var/log/ rule - created 'new' kern.log and syslog files with root permission etc. It seems to be not important anymore.

So, if it's about both capability (capability dac_override and capability dac_read_search) rules: I should add them to a logrotate profile, right? And the rest of rules? You have written a comment about them, but nothing about if I should change something etc. Besides @{PROC} and 'owner' :-)

>> Probably a bad idea to use 'owner' for these rules (...)

Let's summarize: if I decide to use a logrotate profile then I can/should add rules mentioned in my previous message without any changes, right? (Not to mention @{PROC}).

Seth, thank You once again for all the answers and help.

Best regards.
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor