http://bugzilla.opensuse.org/show_bug.cgi?id=1076247
http://bugzilla.opensuse.org/show_bug.cgi?id=1076247#c5

--- Comment #5 from Achim Gratz <Stromeko@NexGo.DE> ---
(In reply to Christian Boltz from comment #4)
> If you want to simplify the rules you might use a glob there and require that everything is owned by ntp/ntp; that should have the same effect.
> That would mean prefixing those rules with the owner keyword:
>
>   owner /var/log/ntpstats/clockstats* lrw,
>   owner /var/log/ntpstats/loopstats* lrw,
>   owner /var/log/ntpstats/peerstats* lrw,
>
> Can you please test whether ntpd still works with the owner keyword added?
type=AVC msg=audit(1516818577.469:120): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd" pid=4485 comm="apparmor_parser"

So it seems to work. However, I had thought of simplifying those rules along the lines of

  owner /var/log/ntpstats/*stats* lrw,

or even

  owner /var/log/ntpstats/* lrw,

(if the number of rules is the objective here). The directory is already "drwxr-xr-x 1 ntp ntp", so I don't think there'd be an appreciable loss in security with that slightly widened rule.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
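The two rule sets under discussion, side by side, as an added illustration that is not taken from the openSUSE ntp profile itself (the paths and the lrw permissions are the ones quoted in the report; the comments on how "owner" and "*" match are AppArmor semantics, not claims from the bug):

```apparmor
# Added example, not the profile shipped by openSUSE.
# Fragment for /etc/apparmor.d/usr.sbin.ntpd

# Variant from comment #4: one rule per statistics file family.
# ntpd's filegen writes clockstats.YYYYMMDD etc. and hard-links the dated
# file to the base name, which is why "l" (link) is needed beside "rw".
  owner /var/log/ntpstats/clockstats* lrw,
  owner /var/log/ntpstats/loopstats*  lrw,
  owner /var/log/ntpstats/peerstats*  lrw,

# Variant from comment #5: a single glob over the directory.
# "owner" makes the rule match only when the file's owner equals the
# task's fsuid (ntp), so files placed there by another user are out of
# reach even though the path matches. A single "*" does not match "/",
# so nothing below a subdirectory of /var/log/ntpstats/ is covered.
  owner /var/log/ntpstats/* lrw,
```

After editing, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd`, confirm with `aa-status` that /usr/sbin/ntpd is still listed in enforce mode, and keep an eye on the audit log for `apparmor="DENIED"` entries from `comm="ntpd"`; the statistics files are rolled daily, so a rule that is too narrow may only show up at the next rollover.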