Hi
I would like to ask a question about the capability that should be used
according to this log message from yesterday:
Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400
audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192
profile="/etc/cron.daily/logrotate" pid=3197
Hello
I'm so sorry for writing messages one by one, but I think that it's pretty
important. So, according to the log entries from my previous message (logs
related to the changed permissions of two files etc.), the new rules should/could
look like:
## BECAUSE OF: requested_mask="x" denied_mask="x"
Hi Seth and Christian
Today I've decided to test the logrotate profile (before sending a patch) once
again. After creating the profile and putting it in enforce mode (via the 'aa-enforce'
command), I've noticed that the permissions of two files from the /var/log/
directory were changed. (The same situation as before.) I've
Hello,
On Thursday, 17 November 2016, 12:44:18 CET, daniel curtis wrote:
> Yes, you're right - my profile is based on a logrotate profile, which
> can be found here [1]. But, as you probably noticed, I've had to add
> a couple rules - for example - /bin/dash and capabilities etc.
I know.
Hi Christian
Yes, you're right - my profile is based on a logrotate profile, which can
be found here [1]. But, as you probably noticed, I've had to add a couple
rules - for example - /bin/dash and capabilities etc.
Of course I can send a patch or even the whole profile (I think it can be
better,
Hello,
On Tuesday, 15 November 2016, 15:40:23 CET, daniel curtis wrote:
> Thank You once again for all your help. I really appreciate it. So if
> it's about a logrotate profile: each mentioned rule seems to be okay
> and I can use them. Additionally, I should add a capabilities
> (capability
Hi Seth,
Thank You once again for all your help. I really appreciate it. So if it's
about a logrotate profile: each mentioned rule seems to be okay and I can
use them. Additionally, I should add a capabilities (capability
dac_override and capability dac_read_search) but not use 'owner' with
Hi Daniel,
On Fri, Nov 11, 2016 at 11:43:23AM +0100, daniel curtis wrote:
> So, if it's about both capability (capability dac_override and capability
> dac_read_search) rules: I should add them to a logrotate profile, right?
> And the rest of rules? You have written a comment about them, but
Hi Seth,
>> I forgot to mention that "normal user" is a bit of a misnomer (...)
In my case it was the first user created during system install. (A member
of - among others - "adm" group etc.) And I could not open these files,
because of "permission denied" messages. Of course, as I mentioned
Hi Daniel,
On Thu, Nov 10, 2016 at 09:19:21PM +0100, daniel curtis wrote:
> No, I haven't installed any program etc., that try to 'correct' system
> security and so on (not to mention security updates etc.) Strange. But...
> chown(1) command (which you provided) and system restart seems to help -
Hi Seth,
No, I haven't installed any program etc., that try to 'correct' system
security and so on (not to mention security updates etc.) Strange. But...
chown(1) command (which you provided) and system restart seems to help - I
can open these files as a normal user and permission via ls(1)
On Thu, Nov 10, 2016 at 11:21:15AM +0100, daniel curtis wrote:
> $ ls -al /var/log/kern.log
> -rw------- 1 root root 0 lis 9 11:44 /var/log/kern.log
>
> $ ls -al /var/log/kern.log.1
> -rw-r----- 1 syslog adm 1473399 lis 9 12:27 /var/log/kern.log.1 ## this
> file can be opened by me
>
> $ ls
Hello Seth,
Thank you very much for an answer. Listen: something strange happened with
two files from the /var/log/ directory: kern.log and syslog. I cannot open
them (as always) as a normal user - I'm getting a "permission denied"
message. There is also a little 'x' on the icons.
Something changed
On Wed, Nov 09, 2016 at 12:21:39PM +0100, daniel curtis wrote:
> Thanks for an answer. So these are rules, which I should add to the
> /etc/cron.daily/logrotate profile, right?
>
> /var/lib/logrotate/ r,
> /var/lib/logrotate/status.clean w, ## NOTE: in my system there is no such
> file - there
Hi Seth,
Thanks for an answer. So these are rules, which I should add to the
/etc/cron.daily/logrotate profile, right?
/var/lib/logrotate/ r,
/var/lib/logrotate/status.clean w, ## NOTE: in my system there is no such
file - there is only 'status'
/bin/sed mixr,
/bin/mv mixr,
Hi Daniel,
On Tue, Nov 08, 2016 at 03:31:42PM +0100, daniel curtis wrote:
> I'm using pretty simple profile (similar to this one [1]). So, should I add
> something like this to my existing profile?:
>
> 1) /var/lib/logrotate/status rw, ## it's sufficient to *_mask="c"?
Don't forget that the
Hi,
Today I've noticed - in log files - some AppArmor entries related to the
/etc/cron.daily/logrotate profile. I would like to ask about the rules which I
should add to this profile. And here are messages from the /var/log/kern.log
and /var/log/syslog files (I omitted some info, like date, parent=