On 01/06/2012 04:09 PM, Steve Beattie wrote:
> On Fri, Jan 06, 2012 at 01:30:07AM +0100, Christian Boltz wrote:
>> Peter didn't mention details on the mailing list. It _seems_ to be caused
>> by a new syslog-ng version. Some searching brought up
>> https://bugzilla.novell.com/show_bug.cgi?id=731876 (search for
>> "capability" there).
>>
>> Some quotes from the bug report:
>> -----------------------------------------------------------------------
>> Error managing capability set, cap_set_proc returned an error; caps='=
>> cap_syslog+ep
>> cap_chown,cap_dac_override,cap_fowner,cap_net_bind_service+p
>> cap_dac_read_search+e', error='Operation not permitted (1)'
>> -----------------------------------------------------------------------
>> There was also a capability related message: it's coming from AppArmor.
>> It's ugly, but still works fine. I try to investigate this, but
>> audit.log does not show anything...
>> -----------------------------------------------------------------------
>
> Ah, this is an interesting interaction between cap_set_proc(3) and
> apparmor's capabilities, where syslog-ng is trying to set its effective
> set of capabilities to include those outside of what is permitted in
> the profile. It might be useful if apparmor logged attempts to do this.
>
hrmmm, well there was a bug wrt this and it was patched so newer kernels
should log unknown caps in complain mode.
> Anyway, I think the original patch to add cap_dac_search to the
> syslog-ng profile is okay, so an ack from me. It would be kind of nice
> to know why syslog-ng needs to access files and directories that it
> doesn't have DAC permissions for.
>

--
AppArmor mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
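As an added example, not code from this thread, from syslog-ng or from the AppArmor project: a small parser for libcap's cap_from_text(3) format that takes the caps string from the error quoted above and reports which effective capabilities are missing from the permitted set and which capabilities a profile's `capability` rules do not grant. The profile rule list is an assumed, hypothetical reconstruction of the syslog-ng profile before the fix.

```python
import re
# Constructed from the error line quoted above: the set syslog-ng asked
# cap_set_proc(3) for, in libcap's cap_from_text(3) format.
SYSLOG_NG_CAPS = ("= cap_syslog+ep "
                  "cap_chown,cap_dac_override,cap_fowner,cap_net_bind_service+p "
                  "cap_dac_read_search+e")
# Assumed (hypothetical) 'capability' rules of the syslog-ng profile before the fix.
PROFILE_BEFORE = {"chown", "dac_override", "fowner", "net_bind_service", "syslog"}

def _drop(s, caps):
    # Remove caps from set s; caps is None when a clause names every capability.
    if caps is None:
        s.clear()
    else:
        s.difference_update(caps)

def parse_cap_text(text):
    """Parse cap_from_text(3) clauses ([cap,...](=|+|-)[eip]..., repeated) into
    the effective/inheritable/permitted sets.  An empty name list or 'all' means
    every capability; lacking a full capability table, that form is only
    supported for clearing, which is what a bare '=' does."""
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        m = re.fullmatch(r"([a-z0-9_,]*)((?:[=+-][eip]*)+)", clause)
        if not m:
            raise ValueError("unrecognised clause: %r" % clause)
        caps = None if m.group(1) in ("", "all") else set(m.group(1).split(","))
        for op, flags in re.findall(r"([=+-])([eip]*)", m.group(2)):
            if caps is None and (op == "+" or (op == "=" and flags)):
                raise ValueError("raising 'all' needs the full capability list")
            for f in "eip":
                if op == "=":                      # exactly these flags for caps
                    _drop(sets[f], caps)
                    if f in flags:
                        sets[f] |= caps
                elif f in flags and op == "+":
                    sets[f] |= caps
                elif f in flags:                   # op == "-"
                    _drop(sets[f], caps)
    return sets

def check_request(cap_text, profile_caps):
    """Explain why a request like syslog-ng's can be refused: not_permitted lists
    effective caps absent from the permitted set (capset(2) itself rejects that
    with EPERM); not_in_profile lists caps the process wants to hold that the
    profile's 'capability' rules (names without the cap_ prefix) do not grant."""
    s = parse_cap_text(cap_text)
    wanted = {c[len("cap_"):] for c in s["e"] | s["p"]}
    return {"not_permitted": sorted(s["e"] - s["p"]),
            "not_in_profile": sorted(wanted - set(profile_caps))}
```

Run against the quoted request, the assumed profile explains the AppArmor side (dac_read_search is not granted), while the not_permitted result shows the request also asks for an effective capability that is not in its own permitted set, which the kernel refuses regardless of any LSM policy.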
