i.e. move '*' from the beginning to before the suffix. Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added a pattern which is not compatible with SELinux. As this pattern has been in SELinux since 2011 (with a recent change to accept the '.log' suffix + logrotate patterns, which are not relevant to AppArmor), IMHO it's better to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files") Signed-off-by: Petr Vorel <pvo...@suse.cz> --- Changes v1->v2: Address recent fix in SELinux policy da49b37d ("dnsmasq: Require log files to have .log suffix") Kind regards, Petr --- profiles/apparmor.d/usr.sbin.dnsmasq | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq index fba51259..f14a370a 100644 --- a/profiles/apparmor.d/usr.sbin.dnsmasq +++ b/profiles/apparmor.d/usr.sbin.dnsmasq @@ -45,7 +45,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /usr/{bin,sbin}/dnsmasq mr, - /var/log/*dnsmasq.log w, + /var/log/dnsmasq*.log w, /usr/share/dnsmasq/ r, /usr/share/dnsmasq/* r, -- 2.19.1 -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
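Review bot: In the single hunk at @@ -45,7 +45,7 @@, replacing `/var/log/*dnsmasq.log w,` with `/var/log/dnsmasq*.log w,` drops write access for any log file whose name has a prefix before `dnsmasq`, which is the form the 025c7dc6 pattern allowed, so a setup using such a name will start getting denials once the profile is reloaded. The commit message should state this behaviour change, or the old rule could be kept next to the new one for a transition period. Also, `*` in an AppArmor path rule does not cross `/`, so the new rule covers only files directly in /var/log/ whose names start with `dnsmasq` and end in `.log`; if that is the intent, a short comment above the rule saying it mirrors the SELinux pattern would help later readers of the profile.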