On Mon, Nov 21, 2016 at 01:06:03PM +0100, daniel curtis wrote:
> Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400
> audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192
> profile="/etc/cron.daily/logrotate" pid=3197 comm="logrotate" capability=0
> capname="chown"
>
> It should be: 'capability chown,'. Am I right? If yes, then the logrotate
> profile needs, at least, three capabilities:
>
> capability dac_override,
> capability dac_read_search,
> capability chown,

Correct.

> And, if the rules mentioned earlier are OK to use, then we also need to add:
>
> /usr/bin/head mrix,
> /usr/sbin/invoke-rc.d mrix,
> /bin/sleep mrix,

Correct.

> ## According to: requested_mask="r" denied_mask="r"
> /var/lib/logrotate/ r,
> /var/lib/logrotate/* rw,

Correct.

> ## And this one: name="/var/lib/logrotate/status"
> ## requested_mask="wc" denied_mask="wc"
> /var/lib/logrotate/status ??,

Handled by the previous rule.

> What is your opinion about this? Maybe the lack of 'capability chown' is
> responsible for changing the /var/log/kern.log and syslog file permissions
> etc.? I hope, at least, that's all the things, and the logrotate profile
> can be updated.

Well, strictly speaking, because the chown capability was denied, that's
what _prevented_ changing the ownership on /var/log/kern.log and
/var/log/syslog. :) logrotate wasn't able to fix the ownerships as a
result.

Thanks
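The translation from audit lines to profile rules that the thread does by hand can be done mechanically. The following is an added Python example, not code from the thread or from the AppArmor project (which ships aa-logprof for this job); it parses the kernel audit format quoted above and proposes the narrowest rule for each denial. The first sample line is the chown denial from the thread; the other two are constructed to carry the name=/requested_mask=/denied_mask= fields the thread discusses.

```python
import re

# Audit lines for the parser: the first is the chown denial quoted in the thread,
# the other two are CONSTRUCTED with the fields (name=, requested_mask=,
# denied_mask=) the thread discusses for the status file and helper binaries.
SAMPLE_LOG = """\
Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400 audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192 profile="/etc/cron.daily/logrotate" pid=3197 comm="logrotate" capability=0 capname="chown"
Nov 20 12:46:39 t4 kernel: [ 1603.727850] type=1400 audit(1479642399.936:91): apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/status" pid=3197 comm="logrotate" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Nov 20 12:46:39 t4 kernel: [ 1603.727851] type=1400 audit(1479642399.936:92): apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/usr/bin/head" pid=3198 comm="logrotate" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

# denied_mask characters -> profile permission; create, append and delete need 'w'
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "a": "w", "d": "w",
                "m": "m", "k": "k", "l": "l"}

def parse_audit_line(line):
    """Return the key=value fields of an AppArmor DENIED line, or None otherwise."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}

def suggest_rule(fields):
    """Map one denial to the narrowest profile rule that would permit it."""
    op, name = fields.get("operation"), fields.get("name")
    if op == "capable":
        # capability=0 is CAP_CHOWN; capname= already holds the rule keyword
        return "capability %s," % fields["capname"]
    if name is None:
        return None
    if op == "exec":
        # ix keeps the child confined by the same profile, as the thread's mrix rules do
        return "%s mrix," % name
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    wanted = {MASK_TO_PERM.get(c) for c in mask}
    perms = "".join(p for p in "rwmkl" if p in wanted)
    return "%s %s," % (name, perms) if perms else None

def profile_rules(log_text):
    """Group suggested rules by profile, deduplicated and sorted for review."""
    rules = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        rule = suggest_rule(fields) if fields else None
        if rule:
            rules.setdefault(fields["profile"], set()).add(rule)
    return {profile: sorted(r) for profile, r in rules.items()}
```

The output is per-path; widening "/var/lib/logrotate/status w," into the thread's "/var/lib/logrotate/* rw," is a judgement call left to whoever reviews the profile.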
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
