i.e. move '*' from beginning to before suffix.
Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added a
pattern, which is not compatible with SELinux. As this pattern has been
in SELinux since 2011 (with recent change to accept '.log' suffix +
logrotate patterns which are not relevant to AppArmor) IMHO it's better
to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")
Signed-off-by: Petr Vorel <[email protected]>
---
Changes v1->v2:
Address recent fix in SELinux policy
da49b37d ("dnsmasq: Require log files to have .log suffix")
Kind regards,
Petr
---
profiles/apparmor.d/usr.sbin.dnsmasq | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq
b/profiles/apparmor.d/usr.sbin.dnsmasq
index fba51259..f14a370a 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -45,7 +45,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq
flags=(attach_disconnected) {
/usr/{bin,sbin}/dnsmasq mr,
- /var/log/*dnsmasq.log w,
+ /var/log/dnsmasq*.log w,
/usr/share/dnsmasq/ r,
/usr/share/dnsmasq/* r,
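Review bot: the replacement rule `/var/log/dnsmasq*.log w,` no longer covers any prefixed file name that the removed `/var/log/*dnsmasq.log w,` matched (anything in /var/log ending in `dnsmasq.log` with text in front of it), so a host whose dnsmasq is configured to log to such a name will be denied write access once the profile is updated. The commit message explains the SELinux alignment but does not say that previously permitted names are dropped; either state that behaviour change there, or keep the old rule next to the new one for a transition period so existing setups do not silently lose logging.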
--
2.19.1