Hello all.

A couple of days ago, I decided to test the '/etc/cron.daily/logrotate'
profile, to see how it would work on the 16.04 LTS release, because all
the work was done a few months ago, but on "Precise Pangolin."

Anyway, everything seemed to be fine, until I noticed some problems with
logs: the 'kern.log.1' file was full of "DENIED" entries (the 'syslog' and
'syslog.1' files were empty.)

It reminds me of the situation which happened last year, during testing
and updating of the default profile (see:
'/usr/share/doc/apparmor-profiles/extras/etc.cron.daily.logrotate'), when
log files were not even rotated, until new rules had been added to the
profile.

As I already wrote, during various tests new "DENIED" entries appeared. It
seems that logrotate, as installed and used on the 16.04 LTS release, needs
more rules than previous versions. Here are these log entries, without the
system hostname, PID numbers, date and time:

✗ apparmor="DENIED" operation="capable" profile="/etc/cron.daily/logrotate" comm="logrotate" capability=7 capname="setuid"
✗ apparmor="DENIED" operation="capable" profile="/etc/cron.daily/logrotate" comm="logrotate" capability=7 capname="setuid"

✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/which" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/which" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/systemctl" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/systemctl" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/usr/bin/basename" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/systemctl" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/systemctl" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

✗ apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/etc/default/rsyslog" comm="rsyslog" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I think the rule for "/usr/sbin/invoke-rc.d" used with "mrix" mode is not
working on 16.04 LTS, because there are many "DENIED" commands related to
this generic interface used to execute System V style init scripts:
'invoke-rc.d'. (See above.)

I think "Ux" mode should be used, as is done with the rules for
'/{usr/,}sbin/initctl' and '/{usr/,}sbin/runlevel' (Mr Seth Arnold answered
about using "Ux" mode, see 1.), or separate rules with "mrix" mode should be
created for all logged commands. What do you think about this?

Anyway, according to all these issues mentioned above, I'm suggesting these
rules:

✓ capability setuid,

# There are many "DENIED" actions when "mrix" mode is in use.
# Change to "Ux" or create separate rules for all logged
# commands? What is your opinion?
✗ /usr/sbin/invoke-rc.d     mrix,
✓ /usr/sbin/invoke-rc.d     Ux,

✓ /etc/default/rsyslog         r,
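As an added example (not code from this mail or from the AppArmor project), here is a small POSIX shell/awk script that turns "DENIED" audit lines like the ones above into candidate profile rules, the kind of mapping one otherwise does by hand or with aa-logprof. The input is a constructed sample built from the entries quoted above (hostname, PID and timestamp already stripped), with one line repeated and one line for an unrelated, made-up profile to show de-duplication and filtering. Exec denials are mapped to "mrix" rather than "Ux": a child started under "ix" inherits the parent's profile, so every file it then touches shows up as a separate denial (which is why /bin/which, /bin/systemctl and /usr/bin/basename appear above with comm="invoke-rc.d"), whereas "Ux" runs the child unconfined and the denials disappear together with the confinement.

```shell
#!/bin/sh
# Added example, not code from the original mail or the AppArmor project.
# Derives candidate AppArmor rules from apparmor="DENIED" audit lines.

# Constructed sample: the entries quoted in the mail, hostname/PID/time stripped.
# The systemctl line is repeated and a made-up second profile is included on
# purpose, to show de-duplication and per-profile filtering.
DENIED_LOG='apparmor="DENIED" operation="capable" profile="/etc/cron.daily/logrotate" comm="logrotate" capability=7 capname="setuid"
apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/which" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/systemctl" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/systemctl" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/usr/bin/basename" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/etc/default/rsyslog" comm="rsyslog" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/bin/other-program" name="/tmp/other-file" comm="other-program" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# suggest_rules PROFILE
# Reads DENIED lines on stdin and prints de-duplicated candidate rules for
# PROFILE only. Exec denials get "mrix" so the child stays confined under the
# same profile; "Ux" would run it unconfined and silence any further denials.
suggest_rules() {
    awk -v want="$1" '
        # value of key="..." on the current line ("" if the key is absent)
        function field(key,    m) {
            if (match($0, " " key "=\"[^\"]*\"")) {
                m = substr($0, RSTART, RLENGTH)
                sub(/^ [^=]*="/, "", m)
                sub(/"$/, "", m)
                return m
            }
            return ""
        }
        /apparmor="DENIED"/ && field("profile") == want {
            op = field("operation")
            if (op == "capable")
                rule = "capability " field("capname") ","
            else if (op == "exec")
                rule = field("name") " mrix,"
            else
                rule = field("name") " " field("denied_mask") ","
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }'
}

# count_rules PROFILE - number of distinct candidate rules for PROFILE in the sample
count_rules() {
    printf '%s\n' "$DENIED_LOG" | suggest_rules "$1" | wc -l | tr -d ' '
}

# has_rule PROFILE RULE - exit 0 if RULE is among the candidates for PROFILE
has_rule() {
    printf '%s\n' "$DENIED_LOG" | suggest_rules "$1" | grep -qxF -- "$2"
}

# Stand-alone usage: print the candidate rules for the logrotate profile.
printf '%s\n' "$DENIED_LOG" | suggest_rules /etc/cron.daily/logrotate
```

The output is a starting point, not a finished profile: each candidate rule should still be checked against what the program actually needs (a read rule for a config file is usually fine; an exec rule decides whether the child keeps the parent's confinement), which is the same judgement the mail asks the list to make about invoke-rc.d.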

By the way: I'm wondering why logrotate does not also need a "capability
setgid," rule? Both "setuid" and "setgid" are used to drop privileges,
right? Is that true, or am I wrong?

One more thing: Mr Christian Boltz had already updated the logrotate profile
(see 2.), but in the meantime new rules appeared. Three new rules also have
to be added; this is a case from the previous months and tests (see 3.).
Here are these rules:

✓ /etc/rc?.d/    r,
✓ /usr/bin/xargs    mrix,
✓ /bin/echo    mrix,

If all these new rules are OK, I could paste a new, updated profile. (I'll
just use the diff(1) utility.) So, Mr Christian Boltz will be able to
place this new profile as the next revision on Launchpad or whatever (see
4.)


Thanks, best regards.
____________________
1. https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html
2. https://lists.ubuntu.com/archives/apparmor/2016-December/010388.html
3. https://lists.ubuntu.com/archives/apparmor/2017-January/010515.html
3a. https://lists.ubuntu.com/archives/apparmor/2017-February/010524.html
4. http://bazaar.launchpad.net/~apparmor-dev/apparmor/2.11/revision/3614/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com