On Wed, Apr 10, 2019 at 06:31:59PM +0000, daniel curtis wrote:
> Two years ago, Mr Seth Arnold, Mr Christian Boltz and I started to work on
> Logrotate profile updates, because the profile which was then available did
> not have many necessary rules etc. However, we managed to achieve a
> satisfactory result (see 1.)

Hello Daniel,

> # apparmor="DENIED" operation="open"
> # profile="/etc/cron.daily/logrotate"
> # name="/proc/sys/kernel/osrelease" comm="systemctl"
> # requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I think a mistake was made here, and it influenced nearly everything beyond
this point. systemctl should not be an 'ix' rule. It requires way more
privileges for it to do its work than logrotate needs to do its work.

Cx, maybe. Ux, maybe. But ix is setting yourself up for adding so many
privileges to logrotate that the profile isn't actually confining logrotate
much. It's just a maintenance hassle.

Thanks
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
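As an added illustration of the point made in the reply above (this is not code from the thread or from the logrotate profile it discusses), the fragment below shows the 'ix' rule beside a 'Cx' transition into a named child profile for the /etc/cron.daily/logrotate profile named in the quoted denial. The path /bin/systemctl and the child profile's rule set are assumptions; a real profile is built from the actual denials in the audit log, not from this sketch.

```apparmor
# Added example, not from the thread. Two ways of handling the systemctl
# execution from the /etc/cron.daily/logrotate profile in the quoted log line.
#
# Weak: 'ix' runs systemctl inside the logrotate profile itself, so every
# file systemctl needs (e.g. /proc/sys/kernel/osrelease from the denial
# above) must also be granted to logrotate, widening the profile over time:
#
#   /bin/systemctl ix,                 # assumed path; this is the weak form
#   /proc/sys/kernel/osrelease r,      # ...and such rules keep piling up here
#
# Corrected: 'Cx' transitions into a child profile that carries only what
# systemctl itself needs, so the parent profile stays narrow.

#include <tunables/global>

/etc/cron.daily/logrotate {
  #include <abstractions/base>

  # parent rules for logrotate itself (log files, state file, ...) go here

  /bin/systemctl Cx -> systemctl,     # assumed path for systemctl

  profile systemctl {
    #include <abstractions/base>

    /bin/systemctl mr,                # assumed path for systemctl
    /proc/sys/kernel/osrelease r,     # the file from the denial quoted above
    # further rules come from audit entries with comm="systemctl", not from
    # guesses; each one lands here instead of in the parent profile
  }
}
```

After editing, reload the profile with `apparmor_parser -r` on the profile file and watch the audit log: with the child profile in place, new systemctl denials show up against the child, which is the signal that a rule belongs to systemctl rather than to logrotate.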