From 807c2dccf0dfc746ff9f0f7178aa7f9571ff0cf6 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Wed, 7 Oct 2015 22:18:22 +0200
Subject: [PATCH] several additions for the syslog-ng profiles

The latest syslog-ng version needs some more permissions:
- abstractions/openssl (for reading openssl.conf)
- reading /etc/syslog-ng/conf.d/
- reading the journal
- reading /etc/machine-id (it's unclear why this is needed, therefore I don't want abstractions/dbus-session-strict for now)
- write access to /run/syslog-ng.ctl
References: https://bugzilla.opensuse.org/show_bug.cgi?id=948584
https://bugzilla.opensuse.org/show_bug.cgi?id=948753
Acked-By: Seth Arnold for trunk and 2.9
---
 profiles/apparmor.d/sbin.syslog-ng | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/profiles/apparmor.d/sbin.syslog-ng b/profiles/apparmor.d/sbin.syslog-ng
index ce4bd42b3..ab53e570b 100644
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -20,6 +20,7 @@ profile syslog-ng /{usr/,}sbin/syslog-ng {
 #include
 #include
 #include
+ #include
 capability chown,
 capability dac_override,
@@ -37,7 +38,10 @@ profile syslog-ng /{usr/,}sbin/syslog-ng {
 /dev/syslog w,
 /dev/tty10 rw,
 /dev/xconsole rw,
+ /etc/machine-id r,
 /etc/syslog-ng/* r,
+ /etc/syslog-ng/conf.d/ r,
+ /etc/syslog-ng/conf.d/* r,
 @{PROC}/kmsg r,
 /etc/hosts.deny r,
 /etc/hosts.allow r,
@@ -50,6 +54,10 @@ profile syslog-ng /{usr/,}sbin/syslog-ng {
 @{CHROOT_BASE}/var/log/** w,
 @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
 @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+ /var/log/journal/ r,
+ /var/log/journal/*/ r,
+ /var/log/journal/*/*.journal r,
+ /{var/,}run/syslog-ng.ctl a,
 /{var/,}run/syslog-ng/additional-log-sockets.conf r,
 # Site-specific additions and overrides. See local/README for details.
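Review bot: The `/etc/machine-id r,` rule in the second hunk is added without a comment, even though the commit message says it is unclear why syslog-ng needs the file. Someone auditing the profile later cannot tell whether the rule is still required or what depends on it. It is probably the journal source that reads it, since journal directories are named after the machine id, but that is an inference to confirm. I would add `# presumably read when the systemd journal is opened - confirm` above the rule. The profile body starts and ends outside this hunk.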
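Review bot: The three journal rules in the last hunk cover only the persistent location `/var/log/journal/`; systemd keeps a volatile journal under `/run/log/journal/` when persistent storage is off or not yet available, and syslog-ng would be denied there. Consider `/{var,run}/log/journal/ r,`, `/{var,run}/log/journal/*/ r,` and `/{var,run}/log/journal/*/*.journal r,` instead. Separately, the new `/{var/,}run/syslog-ng.ctl a,` grants append while the commit message speaks of write access, and the context line above it already gives `rw` on the same socket through `@{CHROOT_BASE}`. If that variable is empty by default (its definition is not in the hunk) the added rule looks redundant, so a short comment saying why `a` is needed would help. The profile block is closed outside the hunk.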