Hi

Today I noticed a strange thing: new DENIED entries related to
logrotate in log files such as '/var/log/kern.log' and '/var/log/syslog'.
Honestly, I wonder why these entries have appeared after such a long time.

I thought that the profile for logrotate had been updated properly. Maybe
these entries are related only to my system? Anyway, here they are:

Jan 29 10:48:01 t4 kernel: [ 1250.836612] type=1400
audit(1485683281.058:52): apparmor="DENIED" operation="open" parent=3136
profile="/etc/cron.daily/logrotate" name="/etc/rc2.d/" pid=3137
comm="invoke-rc.d" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Jan 29 10:48:01 t4 kernel: [ 1250.836710] type=1400
audit(1485683281.058:53): apparmor="DENIED" operation="exec" parent=3136
profile="/etc/cron.daily/logrotate" name="/usr/bin/xargs" pid=3138
comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Jan 29 10:48:01 t4 kernel: [ 1250.839351] type=1400
audit(1485683281.058:54): apparmor="DENIED" operation="open" parent=3139
profile="/etc/cron.daily/logrotate" name="/etc/rc2.d/" pid=3140
comm="invoke-rc.d" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Jan 29 10:48:01 t4 kernel: [ 1250.841317] type=1400
audit(1485683281.062:55): apparmor="DENIED" operation="exec" parent=3139
profile="/etc/cron.daily/logrotate" name="/usr/bin/xargs" pid=3141
comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Jan 29 10:48:01 t4 kernel: [ 1250.842134] type=1400
audit(1485683281.062:56): apparmor="DENIED" operation="open" parent=3142
profile="/etc/cron.daily/logrotate" name="/etc/rcS.d/" pid=3143
comm="invoke-rc.d" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Jan 29 10:48:01 t4 kernel: [ 1250.842382] type=1400
audit(1485683281.062:57): apparmor="DENIED" operation="exec" parent=3142
profile="/etc/cron.daily/logrotate" name="/usr/bin/xargs" pid=3144
comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

So, the question is: should new rules be added to the profile? If yes, how
can this be done in a secure way? Here is my proposal:

/etc/rc2.d/ r,
/etc/rc2.d/* r,
/usr/bin/xargs mrix,

What is your opinion? It seems that, for now, nothing is being logged, e.g.
in the '/var/log/kern.log' file, probably because of these DENIED actions.
By the way, here is an updated version of the profile (by Christian Boltz):

https://lists.ubuntu.com/archives/apparmor/2016-December/010420.html

If this is an important issue, then the logrotate profile needs a new update.

Best regards.
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
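
Added example, not part of the original post and not AppArmor's own tooling: a small Python script that groups the DENIED lines quoted above by profile and path and prints candidate rules for review. The function names are hypothetical; exec denials are flagged rather than given a transition mode, since that choice is a policy decision.

```python
import re
from collections import defaultdict

# The six denials quoted in the post, re-joined onto one line each.
SAMPLE_LOG = """\
Jan 29 10:48:01 t4 kernel: [ 1250.836612] type=1400 audit(1485683281.058:52): apparmor="DENIED" operation="open" parent=3136 profile="/etc/cron.daily/logrotate" name="/etc/rc2.d/" pid=3137 comm="invoke-rc.d" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 29 10:48:01 t4 kernel: [ 1250.836710] type=1400 audit(1485683281.058:53): apparmor="DENIED" operation="exec" parent=3136 profile="/etc/cron.daily/logrotate" name="/usr/bin/xargs" pid=3138 comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 29 10:48:01 t4 kernel: [ 1250.839351] type=1400 audit(1485683281.058:54): apparmor="DENIED" operation="open" parent=3139 profile="/etc/cron.daily/logrotate" name="/etc/rc2.d/" pid=3140 comm="invoke-rc.d" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 29 10:48:01 t4 kernel: [ 1250.841317] type=1400 audit(1485683281.062:55): apparmor="DENIED" operation="exec" parent=3139 profile="/etc/cron.daily/logrotate" name="/usr/bin/xargs" pid=3141 comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 29 10:48:01 t4 kernel: [ 1250.842134] type=1400 audit(1485683281.062:56): apparmor="DENIED" operation="open" parent=3142 profile="/etc/cron.daily/logrotate" name="/etc/rcS.d/" pid=3143 comm="invoke-rc.d" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 29 10:48:01 t4 kernel: [ 1250.842382] type=1400 audit(1485683281.062:57): apparmor="DENIED" operation="exec" parent=3142 profile="/etc/cron.daily/logrotate" name="/usr/bin/xargs" pid=3144 comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
PROFILE_PERMS = "rwaklm"  # file permissions copied into a rule unchanged

def parse_denials(text):
    """Yield a dict of key=value fields for every apparmor="DENIED" line."""
    for line in text.splitlines():
        fields = {k: q or u for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            yield fields

def summarize(text):
    """Group denials by (profile, path): denied masks, commands, hit count."""
    out = defaultdict(lambda: {"mask": set(), "comm": set(), "count": 0})
    for d in parse_denials(text):
        entry = out[(d["profile"], d["name"])]
        entry["mask"].update(d["denied_mask"])  # adds each mask letter
        entry["comm"].add(d["comm"])
        entry["count"] += 1
    return dict(out)

def candidate_rules(text):
    """Return {profile: [lines]}; anything beyond plain file perms is flagged."""
    rules = defaultdict(list)
    for (profile, path), e in sorted(summarize(text).items()):
        plain = "".join(c for c in PROFILE_PERMS if c in e["mask"])
        if plain:
            rules[profile].append(f"{path} {plain},")
        extra = "".join(sorted(e["mask"] - set(PROFILE_PERMS)))
        if extra:  # e.g. x: the exec mode (ix, Px, Cx) must be chosen by hand
            rules[profile].append(f"# {path}: denied '{extra}' needs a manual decision")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:", *lines, sep="\n  ")
```

On the six lines above this yields read rules for /etc/rc2.d/ and /etc/rcS.d/ and leaves the three /usr/bin/xargs exec denials as a flagged item.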
