On Fri, Jan 06, 2012 at 01:30:07AM +0100, Christian Boltz wrote:
> Peter didn't mention details on the mailing list. It _seems_ to be caused
> by a new syslog-ng version. Some searching brought up
> https://bugzilla.novell.com/show_bug.cgi?id=731876 (search for
> "capability" there).
> 
> Some quotes from the bug report:
> -----------------------------------------------------------------------
> Error managing capability set, cap_set_proc returned an error; caps='=
> cap_syslog+ep 
> cap_chown,cap_dac_override,cap_fowner,cap_net_bind_service+p
> cap_dac_read_search+e', error='Operation not permitted (1)'
> -----------------------------------------------------------------------
> There was also a capability related message: it's coming from AppArmor. 
> It's ugly, but still works fine. I try to investigate this, but 
> audit.log does not show anything...
> -----------------------------------------------------------------------

Ah, this is an interesting interaction between cap_set_proc(3) and
apparmor's capabilities, where syslog-ng is trying to set its effective
set of capabilities to include those outside of what is permitted in
the profile. It might be useful if apparmor logged attempts to do this.

Anyway, I think the original patch to add cap_dac_search to the
syslog-ng profile is okay, so an ack from me. It would be kind of nice
to know why syslog-ng needs to access files and directories that it
doesn't have DAC permissions for.

-- 
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
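An added example of the check Steve describes from the daemon's side, not code from this thread, from syslog-ng or from AppArmor: when cap_set_proc(3) fails, compare the capabilities the daemon meant to raise against the permitted set in /proc/self/status, so the log line names the offending capabilities instead of the bare "Operation not permitted" quoted above. The capability names, bit numbers and the CapPrm line are Linux's own; the function names and the six-entry name table are mine.

```c
/* Added example, not code from this thread, syslog-ng or AppArmor: report which
 * capabilities a daemon wants effective are missing from its permitted set
 * (CapPrm in /proc/<pid>/status). Bit numbers match <linux/capability.h>. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const struct { const char *name; int bit; } caps[] = {
    {"cap_chown", 0}, {"cap_dac_override", 1}, {"cap_dac_read_search", 2},
    {"cap_fowner", 3}, {"cap_net_bind_service", 10}, {"cap_syslog", 34},
};

/* Bit number of a lower-case capability name, or -1 if not in the table. */
int cap_bit(const char *name) {
    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++)
        if (strcmp(caps[i].name, name) == 0) return caps[i].bit;
    return -1;
}

/* Hex mask after `key` (e.g. "CapPrm") in a status file's text, 0 if absent. */
unsigned long long status_mask(const char *status, const char *key) {
    const char *p = strstr(status, key);
    if (!p) return 0;
    for (p += strlen(key); *p == ':' || *p == ' ' || *p == '\t'; p++) {}
    return strtoull(p, NULL, 16);
}

/* Count the wanted capabilities not set in `permitted` (unknown names count as
 * missing) and write their names, space separated, into `missing`. */
int missing_from_permitted(unsigned long long permitted, const char *const *wanted,
                           int n, char *missing, size_t len) {
    int count = 0; missing[0] = '\0';
    for (int i = 0; i < n; i++) {
        int bit = cap_bit(wanted[i]);
        if (bit >= 0 && (permitted & (1ULL << bit))) continue;
        if (count++) strncat(missing, " ", len - strlen(missing) - 1);
        strncat(missing, wanted[i], len - strlen(missing) - 1);
    }
    return count;
}

int main(void) {
    const char *wanted[] = {"cap_syslog", "cap_dac_read_search"}; /* the +e set in the quoted error */
    char buf[4096] = "", missing[256];
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    int n = missing_from_permitted(status_mask(buf, "CapPrm"), wanted, 2, missing, sizeof missing);
    printf("%d of 2 wanted capabilities not in CapPrm: %s\n", n, missing);
    return 0;
}
```

A set bit in CapPrm is only the kernel's own condition for cap_set_proc: the profile's capability rules that Steve mentions are enforced separately by AppArmor and do not show up in this mask, so a clean result here does not mean the profile permits the capability.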
