Hi

I would like to ask a question about the capability that should be used
according to this log message from yesterday:

Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400
audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192
profile="/etc/cron.daily/logrotate" pid=3197 comm="logrotate" capability=0
capname="chown"

It should be: 'capability chown,'. Am I right? If yes, then the logrotate
profile needs at least three capabilities:

capability dac_override,
capability dac_read_search,
capability chown,

And, if rules mentioned earlier are OK to use, then we also need to add:

/usr/bin/head mrix,
/usr/sbin/invoke-rc.d mrix,
/bin/sleep mrix,

## According to: requested_mask="r" denied_mask="r"
/var/lib/logrotate/ r,
/var/lib/logrotate/* rw,

## And this one: name="/var/lib/logrotate/status"
## requested_mask="wc" denied_mask="wc"
/var/lib/logrotate/status ??,

What is your opinion about this? Maybe the lack of 'capability chown' is
responsible for changing the permissions of the /var/log/kern.log and syslog
files, etc.? I hope, at least, that these are all the things needed, and the
logrotate profile can be updated.

Best regards.
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

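A small script, added here and not part of the post or of the AppArmor project, that turns DENIED audit lines like the one quoted above into the candidate profile rules one would otherwise derive by hand. The first sample line is the post's "capable" denial, the second is a constructed file denial built from the masks the post mentions; the mapping of the log's 'c' (create) bit onto the rule letter 'w' is an assumption based on apparmor.d(5).

```python
import re

# Constructed sample log: line 1 is the "capable" denial quoted in the post,
# line 2 is a constructed file denial using the requested/denied masks it cites.
SAMPLE_LOG = """\
Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400 audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192 profile="/etc/cron.daily/logrotate" pid=3197 comm="logrotate" capability=0 capname="chown"
Nov 20 12:46:39 t4 kernel: [ 1603.727850] type=1400 audit(1479642399.936:91): apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/status" pid=3197 comm="logrotate" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
"""

# key=value or key="quoted value" pairs as the audit subsystem writes them
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# denied_mask letters -> profile file-rule letters. 'c' (create) has no rule
# letter of its own; it is granted by 'w' (assumption based on apparmor.d(5)).
MASK_MAP = {"r": "r", "w": "w", "c": "w", "a": "a", "m": "m", "l": "l", "k": "k"}
CANONICAL_ORDER = "mrwalk"

def parse_entry(line):
    """Return the key=value fields of one audit line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def suggest_rule(fields):
    """Map one DENIED entry to the profile rule that would allow it, or None."""
    if fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation") == "capable" and "capname" in fields:
        return "capability %s," % fields["capname"]
    mask = fields.get("denied_mask")
    if "name" in fields and mask:
        if "x" in mask:
            return None  # exec denials need an admin-chosen exec mode, not a guess
        letters = {MASK_MAP.get(ch, "") for ch in mask} - {""}
        perms = "".join(ch for ch in CANONICAL_ORDER if ch in letters)
        return "%s %s," % (fields["name"], perms)
    return None

def suggest_rules(log_text):
    """Group suggested rules per profile, deduplicated, in first-seen order."""
    rules = {}
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = parse_entry(line)
        rule = suggest_rule(fields)
        profile = fields.get("profile")
        if rule and profile and rule not in rules.setdefault(profile, []):
            rules[profile].append(rule)
    return rules
```

Each suggested rule is a starting point to review against what the confined program legitimately needs, not a line to paste unread into the profile.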