rsyslog/usr.sbin.rsyslogd

# ------------------------------------------------------------------
#
#    Copyright (C) 2014 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

/usr/sbin/rsyslogd {
  #include <abstractions/base>
  #include <abstractions/consoles>
  # general networking is allowed here
  #include <abstractions/nameservice>

  capability dac_override,
  capability sys_nice,
  capability sys_tty_config,
  capability syslog,
  deny capability block_suspend,

  /dev/tty* w,
  /dev/xconsole rw,

  /etc/rsyslog.conf r,
  /etc/rsyslog.d/ r,
  /etc/rsyslog.d/* r,

  /usr/lib{,32,64}/rsyslog/* mr,
  /usr/sbin/rsyslogd mr,

  /var/log/** rw,
  /var/lib/*/dev/log w,

  /proc/kmsg r,

  /{var/,}run/rsyslog/* r,
  /{var/,}run/rsyslogd.pid rwk,
  /{var/,}run/systemd/journal/syslog w,

  # include rules for rsyslog-module-* packages
  #include "/usr/share/apparmor/extra-profiles/rsyslog.d"
  
  # for logging via TLS (rsyslog-module-gtls)
  # keys/certificates need to be located under /etc/rsyslog.d or permissions need to be adjusted here
  # rsyslog tries to write to the certificates for no reason, so deny this quietly
  deny /etc/rsyslog.d/* w,
}
Accepting request 241312 from home:jsegitz:rsyslog_apparmor - Preliminary AppArmor support. Since those profiles need to be tested properly they'll live in /etc/apparmor/profiles/extras. - Added rsyslog-pid-file.patch to fix a regression that causes the pid file to be created in /etc OBS-URL: https://build.opensuse.org/request/show/241312 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=194 2014-07-21 15:08:22 +02:00			`# ------------------------------------------------------------------`
			`#`
			`# Copyright (C) 2014 Novell/SUSE`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#`
			`# ------------------------------------------------------------------`

			`#include <tunables/global>`

			`/usr/sbin/rsyslogd {`
			`#include <abstractions/base>`
			`#include <abstractions/consoles>`
			`# general networking is allowed here`
			`#include <abstractions/nameservice>`

			`capability dac_override,`
			`capability sys_nice,`
			`capability sys_tty_config,`
			`capability syslog,`
Accepting request 305427 from home:jsegitz:branches:Base:System - Adjusted apparmor profile based on the suggestions by Christian Boltz * Removed empty files: module-pgsql, module-relp, module-gssapi, module-gtls * Moved profiles to /usr/share/apparmor/extra-profiles/ * Blocked capability block_suspend plus some other small fixes OBS-URL: https://build.opensuse.org/request/show/305427 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=224 2015-05-07 22:28:26 +02:00			`deny capability block_suspend,`
Accepting request 241312 from home:jsegitz:rsyslog_apparmor - Preliminary AppArmor support. Since those profiles need to be tested properly they'll live in /etc/apparmor/profiles/extras. - Added rsyslog-pid-file.patch to fix a regression that causes the pid file to be created in /etc OBS-URL: https://build.opensuse.org/request/show/241312 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=194 2014-07-21 15:08:22 +02:00
			`/dev/tty* w,`
			`/dev/xconsole rw,`

			`/etc/rsyslog.conf r,`
			`/etc/rsyslog.d/ r,`
			`/etc/rsyslog.d/* r,`

			`/usr/lib{,32,64}/rsyslog/* mr,`
			`/usr/sbin/rsyslogd mr,`

			`/var/log/** rw,`
Accepting request 305427 from home:jsegitz:branches:Base:System - Adjusted apparmor profile based on the suggestions by Christian Boltz * Removed empty files: module-pgsql, module-relp, module-gssapi, module-gtls * Moved profiles to /usr/share/apparmor/extra-profiles/ * Blocked capability block_suspend plus some other small fixes OBS-URL: https://build.opensuse.org/request/show/305427 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=224 2015-05-07 22:28:26 +02:00			`/var/lib/*/dev/log w,`
Accepting request 241312 from home:jsegitz:rsyslog_apparmor - Preliminary AppArmor support. Since those profiles need to be tested properly they'll live in /etc/apparmor/profiles/extras. - Added rsyslog-pid-file.patch to fix a regression that causes the pid file to be created in /etc OBS-URL: https://build.opensuse.org/request/show/241312 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=194 2014-07-21 15:08:22 +02:00
			`/proc/kmsg r,`

			`/{var/,}run/rsyslog/* r,`
			`/{var/,}run/rsyslogd.pid rwk,`
			`/{var/,}run/systemd/journal/syslog w,`

			`# include rules for rsyslog-module-* packages`
Accepting request 578004 from home:tsaupe:branches:Base:System:rsyslog fix includes for apparmor profile (bsc#1080238) OBS-URL: https://build.opensuse.org/request/show/578004 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=286 2018-02-21 17:03:58 +01:00			`#include "/usr/share/apparmor/extra-profiles/rsyslog.d"`
Accepting request 305427 from home:jsegitz:branches:Base:System - Adjusted apparmor profile based on the suggestions by Christian Boltz * Removed empty files: module-pgsql, module-relp, module-gssapi, module-gtls * Moved profiles to /usr/share/apparmor/extra-profiles/ * Blocked capability block_suspend plus some other small fixes OBS-URL: https://build.opensuse.org/request/show/305427 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=224 2015-05-07 22:28:26 +02:00
			`# for logging via TLS (rsyslog-module-gtls)`
			`# keys/certificates need to be located under /etc/rsyslog.d or permissions need to be adjusted here`
			`# rsyslog tries to write to the certificates for no reason, so deny this quietly`
			`deny /etc/rsyslog.d/* w,`
Accepting request 241312 from home:jsegitz:rsyslog_apparmor - Preliminary AppArmor support. Since those profiles need to be tested properly they'll live in /etc/apparmor/profiles/extras. - Added rsyslog-pid-file.patch to fix a regression that causes the pid file to be created in /etc OBS-URL: https://build.opensuse.org/request/show/241312 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=194 2014-07-21 15:08:22 +02:00			`}`