Hello all. A couple of days ago, I decided to test the '/etc/cron.daily/logrotate' profile, to see how it would work on the 16.04 LTS Release, because all the work was done a few months ago, but on "Precise Pangolin."

Anyway, everything seemed to be fine, until I noticed some problems with logs: the 'kern.log.1' file was full of "DENIED" entries (the 'syslog' and 'syslog.1' files were empty). It reminds me of the situation which happened last year, during testing and updating of a default profile (see: '/usr/share/doc/apparmor-profiles/extras/etc.cron.daily.logrotate'), when log files were not even rotated and so on, until new rules had been added to the profile etc. As I already wrote, during various tests new "DENIED" entries appeared. It seems that logrotate, installed and used on the 16.04 LTS Release, needs more rules than previous versions. Here are these log entries, but without system hostname, pid numbers, date and time etc.:

✗ apparmor="DENIED" operation="capable" profile="/etc/cron.daily/logrotate" comm="logrotate" capability=7 capname="setuid"
✗ apparmor="DENIED" operation="capable" profile="/etc/cron.daily/logrotate" comm="logrotate" capability=7 capname="setuid"
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/which" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/which" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/systemctl" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/systemctl" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/usr/bin/basename" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/systemctl" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/systemctl" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
✗ apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/etc/default/rsyslog" comm="rsyslog" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I think the rule for "/usr/sbin/invoke-rc.d" used along with "mrix" mode is not working on 16.04 LTS, because there are many "DENIED" commands related to this generic interface used to execute System V style init scripts: 'invoke-rc.d'. (See above.) I think "Ux" mode should be used there, as is done with the rules for '/{usr/,}sbin/initctl' and '/{usr/,}sbin/runlevel' (Mr Seth Arnold answered about using "Ux" mode, see: 1.), or separate rules with "mrix" mode for all logged commands should be created etc. What do you think about this? Anyway, according to all these issues mentioned above, I'm suggesting these rules:

✓ capability setuid,
# There are many "DENIED" actions when "mrix" mode is in use.
# Change to "Ux" or create separate rules for all logged
# commands? What is your opinion?
✗ /usr/sbin/invoke-rc.d mrix,
✓ /usr/sbin/invoke-rc.d Ux,
✓ /etc/default/rsyslog r,

By the way: I'm wondering why logrotate does not also need a "capability setgid," rule? Both "setuid" and "setgid" are used to drop privileges, right? Is it true, or am I wrong?

One more thing: Mr Christian Boltz has already updated the logrotate profile (see: 2.) but, in the meantime, new rules appeared. Three new rules also have to be added - this is a case from the previous months and tests (see: 3.). Here are these rules:

✓ /etc/rc?.d/ r,
✓ /usr/bin/xargs mrix,
✓ /bin/echo mrix,

If all these new rules are OK, I could paste a new, updated profile. (I'll just use the diff(1) utility etc.) So, Mr Christian Boltz will be able to place this new profile as a next revision on Launchpad or whatever (see: 4.)

Thanks, best regards.
____________________
1. https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html
2. https://lists.ubuntu.com/archives/apparmor/2016-December/010388.html
3. https://lists.ubuntu.com/archives/apparmor/2017-January/010515.html
3a. https://lists.ubuntu.com/archives/apparmor/2017-February/010524.html
4. http://bazaar.launchpad.net/~apparmor-dev/apparmor/2.11/revision/3614/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
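The post's workflow is the manual version of what aa-logprof automates: read the "DENIED" lines out of kern.log, turn each one into the profile rule that would allow it, and then decide per exec whether the child should stay confined ("ix") or run unconfined ("Ux"). The script below is an added example, not code from the post or from the AppArmor project. It parses the denial lines quoted above (embedded here as a constructed sample with the hostname/pid/timestamp prefixes already removed), derives candidate rules, and groups the denials by the process that triggered them, which makes the point of the post visible: the exec denials come from invoke-rc.d, a child that inherited the logrotate profile through "ix", not from logrotate itself. The exec mode is a parameter so both options under discussion can be compared; the function and variable names are this example's own.

```python
"""Derive candidate AppArmor rules from DENIED audit lines (added example)."""
import re

# Constructed sample: the denial lines quoted in the post, prefixes stripped.
SAMPLE_LOG = """\
apparmor="DENIED" operation="capable" profile="/etc/cron.daily/logrotate" comm="logrotate" capability=7 capname="setuid"
apparmor="DENIED" operation="capable" profile="/etc/cron.daily/logrotate" comm="logrotate" capability=7 capname="setuid"
apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/which" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/bin/systemctl" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" profile="/etc/cron.daily/logrotate" name="/usr/bin/basename" comm="invoke-rc.d" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/etc/default/rsyslog" comm="rsyslog" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value, as written by the AppArmor audit code
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_entry(line):
    """Parse one audit line into a dict; bare and quoted values both handled."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def suggest_rule(entry, exec_mode="mrix"):
    """Map one DENIED entry to the profile rule that would allow it.

    exec_mode is the mode used for exec denials: "mrix" keeps the child
    confined by this profile (so every helper it runs needs a rule of its
    own), "Ux" lets it run unconfined (no further rules, less confinement).
    """
    if entry.get("apparmor") != "DENIED":
        return None
    op = entry.get("operation")
    if op == "capable":
        return f'capability {entry["capname"]},'
    if op == "exec":
        return f'{entry["name"]} {exec_mode},'
    if "name" in entry and "denied_mask" in entry:
        # plain file access (open etc.): the denied mask is the permission set
        return f'{entry["name"]} {entry["denied_mask"]},'
    return None


def suggest_rules(log_text, profile=None, exec_mode="mrix"):
    """Unique candidate rules in first-seen order, optionally for one profile."""
    rules = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if profile and entry.get("profile") != profile:
            continue
        rule = suggest_rule(entry, exec_mode)
        if rule and rule not in rules:
            rules.append(rule)
    return rules


def denials_by_comm(log_text):
    """Which process (comm) triggered each denial, and what it was denied.

    Exec denials attributed to invoke-rc.d rather than logrotate show that
    the child inherited the profile via ix and is now confined by it.
    """
    seen = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry.get("apparmor") != "DENIED":
            continue
        target = entry.get("name") or entry.get("capname")
        seen.setdefault(entry["comm"], set()).add(target)
    return seen


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, profile="/etc/cron.daily/logrotate"):
        print(rule)
    for comm, targets in denials_by_comm(SAMPLE_LOG).items():
        print(f"{comm}: {sorted(targets)}")
```

Run against the sample it prints the five rules the post arrives at (capability setuid, the three invoke-rc.d helpers with mrix, and /etc/default/rsyslog r), and the comm grouping shows logrotate needing only the capability while invoke-rc.d is the one hitting the exec denials. Treat the output as candidates to review, not rules to paste: the choice between confining invoke-rc.d's children one by one and handing them off with "Ux" is the policy decision the post is asking about, and the script only makes the two alternatives explicit.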