several additions for the syslog-ng profiles

The latest syslog-ng version needs some more permissions: - abstractions/openssl (for reading openssl.conf) - reading /etc/syslog-ng/conf.d/ - reading the journal - reading /etc/machine-id (it's unclear why this is needed, therefore I don't want abstractions/dbus-session-strict for now) - write access to /run/syslog-ng.ctl References: https://bugzilla.opensuse.org/show_bug.cgi?id=948584 https://bugzilla.opensuse.org/show_bug.cgi?id=948753 Acked-By: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.9
2025-08-30 05:47:59 +00:00 · 2015-10-07 22:18:22 +02:00 · 2015-10-07 22:18:22 +02:00 · 807c2dccf0
commit 807c2dccf0
parent 9a13402170
1 changed files with 8 additions and 0 deletions
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@ -20,6 +20,7 @@ profile syslog-ng /{usr/,}sbin/syslog-ng {
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/mysql>
+  #include <abstractions/openssl>

  capability chown,
  capability dac_override,
@ -37,7 +38,10 @@ profile syslog-ng /{usr/,}sbin/syslog-ng {
  /dev/syslog w,
  /dev/tty10 rw,
  /dev/xconsole rw,
+  /etc/machine-id r,
  /etc/syslog-ng/* r,
+  /etc/syslog-ng/conf.d/ r,
+  /etc/syslog-ng/conf.d/* r,
  @{PROC}/kmsg r,
  /etc/hosts.deny r,
  /etc/hosts.allow r,
@ -50,6 +54,10 @@ profile syslog-ng /{usr/,}sbin/syslog-ng {
  @{CHROOT_BASE}/var/log/** w,
  @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
  @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+  /var/log/journal/ r,
+  /var/log/journal/*/ r,
+  /var/log/journal/*/*.journal r,
+  /{var/,}run/syslog-ng.ctl a,
  /{var/,}run/syslog-ng/additional-log-sockets.conf r,

  # Site-specific additions and overrides. See local/README for details.