apparmor/profiles/apparmor.d/sbin.syslog-ng

# ------------------------------------------------------------------
#
#    Copyright (C) 2006-2009 Novell/SUSE
#    Copyright (C) 2006 Christian Boltz
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

#define this to be where syslog-ng is chrooted
@{CHROOT_BASE}=""

/sbin/syslog-ng {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/mysql>

  capability chown,
  capability dac_override,
  capability fsetid,
  capability fowner,
  capability sys_tty_config,
  capability sys_resource,
  capability syslog,

  /dev/log w,
  /dev/syslog w,
  /dev/tty10 rw,
  /dev/xconsole rw,
  /etc/syslog-ng/* r,
  @{PROC}/kmsg r,
  /etc/hosts.deny r,
  /etc/hosts.allow r,
  /sbin/syslog-ng mr,
  /usr/share/syslog-ng/** r,
  # chrooted applications
  @{CHROOT_BASE}/var/lib/*/dev/log w,
  @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
  @{CHROOT_BASE}/var/log/** w,
  @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
  @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
  /{var,/}run/syslog-ng/additional-log-sockets.conf r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/sbin.syslog-ng>
}
new profiles for clamav and syslog-ng; improvements to postfix's virtual component. Changes suggested by Christian Boltz, thanks 2006-11-05 08:39:33 +00:00			`# ------------------------------------------------------------------`
			`#`
start on 'local/' mechanism to aid in packaging: - add profiles/local/README - adjust profiles/apparmor.d/{bin,sbin,usr}* to include a file from local/ - adjust profiles/apparmor.d/{bin,sbin,usr}* for for copyright, some whitespace and svn conventions 2010-08-05 14:00:02 -05:00			`# Copyright (C) 2006-2009 Novell/SUSE`
new profiles for clamav and syslog-ng; improvements to postfix's virtual component. Changes suggested by Christian Boltz, thanks 2006-11-05 08:39:33 +00:00			`# Copyright (C) 2006 Christian Boltz`
start on 'local/' mechanism to aid in packaging: - add profiles/local/README - adjust profiles/apparmor.d/{bin,sbin,usr}* to include a file from local/ - adjust profiles/apparmor.d/{bin,sbin,usr}* for for copyright, some whitespace and svn conventions 2010-08-05 14:00:02 -05:00			`# Copyright (C) 2010 Canonical Ltd.`
new profiles for clamav and syslog-ng; improvements to postfix's virtual component. Changes suggested by Christian Boltz, thanks 2006-11-05 08:39:33 +00:00			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#`
			`# ------------------------------------------------------------------`

			`#include <tunables/global>`

Various profile updates touching on bnc#255270, bnc#331444, bnc#307365 bnc#230700 2008-04-10 08:54:05 +00:00			`#define this to be where syslog-ng is chrooted`
fix profile variables with no value to have empty string, as the parser doesn't support having no value yet 2008-05-07 18:38:53 +00:00			`@{CHROOT_BASE}=""`
Various profile updates touching on bnc#255270, bnc#331444, bnc#307365 bnc#230700 2008-04-10 08:54:05 +00:00
new profiles for clamav and syslog-ng; improvements to postfix's virtual component. Changes suggested by Christian Boltz, thanks 2006-11-05 08:39:33 +00:00			`/sbin/syslog-ng {`
			`#include <abstractions/base>`
			`#include <abstractions/consoles>`
			`#include <abstractions/nameservice>`
syslog-ng profile fixes/additions updated to match master by Christian Boltz <apparmor@cboltz.de> updated to work with systemd (/{,var/}run/ instead of /var/run) Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie With this change: Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-08-08 22:59:28 +02:00			`#include <abstractions/mysql>`
new profiles for clamav and syslog-ng; improvements to postfix's virtual component. Changes suggested by Christian Boltz, thanks 2006-11-05 08:39:33 +00:00
			`capability chown,`
			`capability dac_override,`
			`capability fsetid,`
[Bug 220331] syslog-ng cannot log news messages -- syslog-ng can easily log to other uids and gids 2006-11-27 10:21:07 +00:00			`capability fowner,`
update profiles for bugs that have been reported by various users 2008-02-19 10:35:19 +00:00			`capability sys_tty_config,`
syslog-ng profile fixes/additions updated to match master by Christian Boltz <apparmor@cboltz.de> updated to work with systemd (/{,var/}run/ instead of /var/run) Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie With this change: Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-08-08 22:59:28 +02:00			`capability sys_resource,`
This commit adds "capability syslog" to the syslogd and syslog-ng profiles. It also adds a comment to the klogd profile that capability sys_admin is only needed for backward compatibility with older kernels. Acked-by: John Johansen <john.johansen@canonical.com> 2011-08-19 00:27:03 +02:00			`capability syslog,`
new profiles for clamav and syslog-ng; improvements to postfix's virtual component. Changes suggested by Christian Boltz, thanks 2006-11-05 08:39:33 +00:00
make the /dev/log w, dependency explicit, rather than rely on abstractions/base to provide it 2006-11-27 10:44:24 +00:00			`/dev/log w,`
add reject for Novell bnc#425041 2008-11-05 14:53:00 +00:00			`/dev/syslog w,`
Patch from Marius Tomaschewski for syslog-ng, which now uses pipe instead of file for writing to the console 2007-05-29 17:28:38 +00:00			`/dev/tty10 rw,`
new profiles for clamav and syslog-ng; improvements to postfix's virtual component. Changes suggested by Christian Boltz, thanks 2006-11-05 08:39:33 +00:00			`/dev/xconsole rw,`
			`/etc/syslog-ng/* r,`
- various patches and cleanups from kees@ubuntu.com 2008-06-11 20:19:36 +00:00			`@{PROC}/kmsg r,`
update profiles for bugs that have been reported by various users 2008-02-19 10:35:19 +00:00			`/etc/hosts.deny r,`
			`/etc/hosts.allow r,`
new profiles for clamav and syslog-ng; improvements to postfix's virtual component. Changes suggested by Christian Boltz, thanks 2006-11-05 08:39:33 +00:00			`/sbin/syslog-ng mr,`
syslog-ng profile fixes/additions updated to match master by Christian Boltz <apparmor@cboltz.de> updated to work with systemd (/{,var/}run/ instead of /var/run) Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie With this change: Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-08-08 22:59:28 +02:00			`/usr/share/syslog-ng/** r,`
Bug 219583 - rejecting w access for syslog-ng 2006-11-13 09:40:29 +00:00			`# chrooted applications`
Various profile updates touching on bnc#255270, bnc#331444, bnc#307365 bnc#230700 2008-04-10 08:54:05 +00:00			`@{CHROOT_BASE}/var/lib/*/dev/log w,`
syslog-ng profile fixes/additions updated to match master by Christian Boltz <apparmor@cboltz.de> updated to work with systemd (/{,var/}run/ instead of /var/run) Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie With this change: Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-08-08 22:59:28 +02:00			`@{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,`
Various profile updates touching on bnc#255270, bnc#331444, bnc#307365 bnc#230700 2008-04-10 08:54:05 +00:00			`@{CHROOT_BASE}/var/log/** w,`
update for /var/run -> /run udev transition. For compatibility, distributions (eg Ubuntu) are providing a symlink from /var/run to /run, so our profiles should handle both situations. 2011-07-14 07:57:57 -05:00			`@{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,`
syslog-ng profile fixes/additions updated to match master by Christian Boltz <apparmor@cboltz.de> updated to work with systemd (/{,var/}run/ instead of /var/run) Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie With this change: Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-08-08 22:59:28 +02:00			`@{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,`
			`/{var,/}run/syslog-ng/additional-log-sockets.conf r,`
Fix rejects reported in Novell bnc#436849 2008-11-05 11:57:34 +00:00
start on 'local/' mechanism to aid in packaging: - add profiles/local/README - adjust profiles/apparmor.d/{bin,sbin,usr}* to include a file from local/ - adjust profiles/apparmor.d/{bin,sbin,usr}* for for copyright, some whitespace and svn conventions 2010-08-05 14:00:02 -05:00			`# Site-specific additions and overrides. See local/README for details.`
			`#include <local/sbin.syslog-ng>`
new profiles for clamav and syslog-ng; improvements to postfix's virtual component. Changes suggested by Christian Boltz, thanks 2006-11-05 08:39:33 +00:00			`}`