On Wed, 10 Apr 2019, Seth Arnold wrote:

> On Wed, Apr 10, 2019 at 06:31:59PM +0000, daniel curtis wrote:
> > Two years ago, Mr Seth Arnold, Mr Christian Boltz and I, started to work on
> > Logrotate profile updates, because profile, which was then available did
> > not have many necessary rules etc. However, we managed to achieve a
> > satisfactory result (see 1.)
>
> Hello Daniel,
>
> > # apparmor="DENIED" operation="open"
> > # profile="/etc/cron.daily/logrotate"
> > # name="/proc/sys/kernel/osrelease" comm="systemctl"
> > # requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> I think a mistake was made here, and it influenced nearly everything
> beyond this point. systemctl should not be an 'ix' rule. It requires way
> more privileges for it to do its work than logrotate needs to do its work.
>
> Cx, maybe. Ux, maybe. But ix is setting yourself up for adding so many
> privileges to logrotate that the profile isn't actually confining
> logrotate much. It's just a maintenance hassle.
and my greater point is that a Cx or Ux results in not confining logrotate much either.

-- 
Jamie Strandboge | http://www.canonical.com
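The three exec modes the thread argues about, shown side by side as an added illustration that is not part of the original mail and not from Daniel's actual profile. It assumes systemctl lives at /bin/systemctl and uses the profile path and the denied /proc/sys/kernel/osrelease read from the quoted audit line; the rest of the logrotate rules are omitted. With `ix` every rule systemctl needs ends up in the logrotate profile; with `Cx -> systemctl` those rules go into a child profile, so the parent stays narrow but, as Jamie notes, the logrotate process can still launch a systemctl that has whatever the child grants, and `Ux` would run it unconfined altogether.

```apparmor
# Added example, not from the thread. Assumed: systemctl at /bin/systemctl.
#include <tunables/global>

# Weak variant (what the quoted denial is pushing toward): systemctl inherits
# the logrotate profile via "ix", so every file and socket systemctl touches,
# starting with the /proc/sys/kernel/osrelease read in the DENIED line, must be
# granted to logrotate itself. The profile keeps growing to fit systemctl.
#
#   /bin/systemctl ix,
#   @{PROC}/sys/kernel/osrelease r,
#   ... each further systemctl denial, all granted to logrotate too ...
#
# Unconfined variant: "Ux" executes systemctl with no profile at all, so
# nothing has to be added, but the transition itself is a hole.
#
#   /bin/systemctl Ux,

/etc/cron.daily/logrotate {
  #include <abstractions/base>

  /etc/cron.daily/logrotate r,

  # Transition systemctl into its own child profile instead of inheriting.
  # Rules systemctl needs are granted to the child only and do not widen
  # what logrotate may do.
  /bin/systemctl Cx -> systemctl,

  profile systemctl {
    #include <abstractions/base>

    /bin/systemctl mr,

    # The specific denial from the thread is resolved here, not in the parent.
    @{PROC}/sys/kernel/osrelease r,

    # Whatever else systemctl needs (its connection to systemd and so on) is
    # collected from further DENIED lines and added to this child profile.
    # This is the boundary that still exists with Cx; with Ux there is none.
  }
}
```

After editing, `apparmor_parser -r` the profile and re-run logrotate under `aa-complain` for the child: new DENIED lines with comm="systemctl" should now carry profile="/etc/cron.daily/logrotate//systemctl" rather than the parent's name, which confirms the transition is taking effect.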
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor