Hello

I'm so sorry for writing messages one by one, but I think that it's pretty
important. So, according to the log entries from my previous message (logs
related to the changed permissions of two files, etc.), the new rules
should/could look like:

## BECAUSE OF: requested_mask="x" denied_mask="x"
/usr/bin/head mrix,

## BECAUSE OF: requested_mask="wc" denied_mask="wc"
## Is it suitable to use "rw" for the "wc"?
/var/lib/logrotate/status rw,

## BECAUSE OF: requested_mask="r" denied_mask="r"
/var/lib/logrotate/ r,
/var/lib/logrotate/* rw,

## BECAUSE OF: requested_mask="x" denied_mask="x"
/usr/sbin/invoke-rc.d mrix,

## BECAUSE OF: requested_mask="x" denied_mask="x"
/bin/sleep mrix,

## BECAUSE OF: requested_mask="wc" denied_mask="wc"
## Is it suitable to use "rw" for the "wc"?
## NOTE: I have a rule for this file in my profile, but with "w" only,
## so maybe "rw" is better?
/var/lib/logrotate/status rw,

And what about this one: /etc/cron.daily/logrotate capability=0
capname="chown"? So, which capabilities should be used in such a situation?
There are already capability dac_override and capability dac_read_search in
the logrotate profile.

What do you think about the rules mentioned above? Are they OK? If not, then
please write what rules should be used instead. I never thought there
would be so many problems with this profile.

Best regards, and once again, sorry for the messages one by one.
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
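
An added example, not part of the original message and not AppArmor project code: a small Python helper that merges denial records like the ones discussed above into one candidate profile rule per path or capability. The sample log lines and the profile name `logrotate` in them are constructed, and the default exec mode `ix` is an assumption.

```python
import re

# AppArmor audit records report the denied operation as mask letters. Profile
# rules have no "c" (create) or "d" (delete) letter; "w" covers both.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an apparmor="DENIED" record, or None."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def suggest_rules(lines, exec_mode="ix"):
    """Merge denials into one candidate rule per capability or path.

    exec_mode is an assumption: a denied "x" only says an exec was blocked.
    Choosing ix, Px, Cx and so on is a policy decision the log cannot make.
    """
    caps, files = set(), {}
    for line in lines:
        f = parse_denial(line)
        if f is None:
            continue
        if "capname" in f:
            caps.add(f["capname"])
        elif "name" in f and "denied_mask" in f:
            files.setdefault(f["name"], set()).update(f["denied_mask"])
    rules = ["capability %s," % c for c in sorted(caps)]
    for name in sorted(files):
        mask = files[name]
        perms = {MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM}
        if "w" in perms:
            perms.discard("a")  # "w" and "a" conflict in one rule; "w" implies append
        text = "".join(p for p in "rwaklm" if p in perms)
        if "x" in mask:
            text += exec_mode
        rules.append("%s %s," % (name, text))
    return rules

_P = 'audit: type=1400 audit(1.0:1): apparmor="DENIED" profile="logrotate" '
SAMPLE_LOG = [  # constructed records modelled on the denials in the message
    _P + 'operation="mknod" name="/var/lib/logrotate/status" requested_mask="wc" denied_mask="wc"',
    _P + 'operation="open" name="/var/lib/logrotate/status" requested_mask="r" denied_mask="r"',
    _P + 'operation="exec" name="/usr/bin/head" requested_mask="x" denied_mask="x"',
    _P + 'operation="capable" capability=0 capname="chown"',
    'audit: type=1400 apparmor="ALLOWED" name="/bin/sleep" denied_mask="x"',
]

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG)))
```

The output is a starting point for review, not a finished profile: each suggested rule still needs a decision on whether the access should be granted at all.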
