more polishing

2025-01-29 22:35:15 +01:00 · 2022-05-30 00:19:16 +03:00 · 2022-05-30 00:19:16 +03:00 · 8b58289500
commit 8b58289500
parent 722ce7f78f
2 changed files with 7 additions and 5 deletions
--- a/apparmor.d/groups/ssh/sftp-server
+++ b/apparmor.d/groups/ssh/sftp-server
@ -13,7 +13,7 @@ profile sftp-server @{exec_path} {
  include <abstractions/nameservice-strict>

  capability dac_read_search,
-# deny capability dac_override,
+  capability dac_override,

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@ -39,9 +39,12 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
  /{usr/,}bin/zstd                   rix,
  /{usr/,}{s,}bin/invoke-rc.d        rix,
  /{usr/,}lib/rsyslog/rsyslog-rotate rix,
-  /{usr/,}bin/fail2ban-client                rPx,
-  /{usr/,}bin/systemd-tty-ask-password-agent rPx,
-  /{usr/,}bin/my_print_defaults              rPUx,
+
+  /{usr/,}bin/fail2ban-client                   rPx,
+  /{usr/,}bin/systemd-tty-ask-password-agent    rPx,
+  /{usr/,}bin/my_print_defaults                 rPUx,
+  /{usr/,}bin/mysqladmin                        rPUx,
+  /{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,

  # no new privs
  #/{usr/,}bin/systemctl              rCx -> systemctl,
@ -50,7 +53,6 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
  include <abstractions/wutmp>
  ptrace (read),
  capability sys_ptrace,
-#  capability net_admin,
  owner @{PROC}/@{pid}/stat r,
        @{PROC}/1/environ r,
        @{PROC}/1/sched r,