i.e. move '*' from beginning to before suffix.
Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added
pattern, which is not compatible with SELinux. As this pattern has been
in SELinux since 2011 (with recent change to accept '.log' suffix +
logrotate patterns which are not relevant to AppArmor) IMHO it's better
to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")
Signed-off-by: Petr Vorel <pvo...@suse.cz>
---
Changes v1->v2:
Address recent fix in SELinux policy
da49b37d ("dnsmasq: Require log files to have .log suffix")
Kind regards,
Petr
---
profiles/apparmor.d/usr.sbin.dnsmasq | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq
b/profiles/apparmor.d/usr.sbin.dnsmasq
index fba51259..f14a370a 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -45,7 +45,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq
flags=(attach_disconnected) {
/usr/{bin,sbin}/dnsmasq mr,
- /var/log/*dnsmasq.log w,
+ /var/log/dnsmasq*.log w,
/usr/share/dnsmasq/ r,
/usr/share/dnsmasq/* r,
--
2.19.1
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
