From 8b58289500ab8453ed9db278b519af44b8884b53 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Mon, 30 May 2022 00:19:16 +0300
Subject: [PATCH] more polishing
---
 apparmor.d/groups/ssh/sftp-server | 2 +-
 apparmor.d/profiles-g-l/logrotate | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
 mode change 100644 => 100755 apparmor.d/profiles-g-l/logrotate
diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server
index 3c516fd2..82c31bb8 100644
--- a/apparmor.d/groups/ssh/sftp-server
+++ b/apparmor.d/groups/ssh/sftp-server
@@ -13,7 +13,7 @@ profile sftp-server @{exec_path} {
 include
 capability dac_read_search,
-# deny capability dac_override,
+ capability dac_override,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate
old mode 100644
new mode 100755
index 0fe18098..96d0818d
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@@ -39,9 +39,12 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
 /{usr/,}bin/zstd rix,
 /{usr/,}{s,}bin/invoke-rc.d rix,
 /{usr/,}lib/rsyslog/rsyslog-rotate rix,
- /{usr/,}bin/fail2ban-client rPx,
- /{usr/,}bin/systemd-tty-ask-password-agent rPx,
- /{usr/,}bin/my_print_defaults rPUx,
+
+ /{usr/,}bin/fail2ban-client rPx,
+ /{usr/,}bin/systemd-tty-ask-password-agent rPx,
+ /{usr/,}bin/my_print_defaults rPUx,
+ /{usr/,}bin/mysqladmin rPUx,
+ /{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,
 # no new privs
 #/{usr/,}bin/systemctl rCx -> systemctl,
@@ -50,7 +53,6 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
 include
 ptrace (read),
 capability sys_ptrace,
-# capability net_admin,
 owner @{PROC}/@{pid}/stat r,
 @{PROC}/1/environ r,
 @{PROC}/1/sched r,
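Review bot: The new `capability dac_override,` in the sftp-server hunk grants a blanket bypass of file-mode checks for write and execute as well as read, a far wider grant than the `dac_read_search` it sits beside, and the commit message ("more polishing") gives no use case for it. The profile header visible in this hunk carries no `complain` flag, unlike logrotate's, so the grant appears to be enforced as soon as the profile loads. A one-line justification above the rule, e.g. `# dac_override: needed for <operation observed in audit log> — see <ticket or log excerpt>`, would let the next reviewer judge whether a narrower rule (an `owner`-scoped file rule, or keeping only `dac_read_search`) would do. The profile body continues outside the hunk.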
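Review bot: The added `/{usr/,}bin/mysqladmin rPUx,` and `/{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,` use the `PUx` transition, which falls back to running the child unconfined whenever no profile for it is loaded, so a root logrotate run launches mysqladmin with no confinement on any host lacking a mysqladmin profile; `rPx`, as used for fail2ban-client two lines above, fails closed instead, and if the fallback is deliberate a comment saying why (as the existing `# no new privs` line does for systemctl) would help. Because the header in this hunk is flagged `complain`, the difference only shows in the audit log until the profile is switched to enforce. The glob `php[7-8].[3-4]` matches only php7.3, php7.4, php8.3 and php8.4, which looks narrower than a version-tolerant rule intends and is worth confirming against the distribution's package names. The diffstat also shows this file changing mode from 100644 to 100755; an AppArmor profile is a data file, so the executable bit looks incidental.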