# Last Modified: Sun Sep 25 08:58:35 2011
#include <tunables/global>
# Debugging the syslogger can be difficult if it can't write to the file
# that the kernel is logging denials to. In these cases, you can do the
# following:
# watch -n 1 'dmesg | tail -5'
profile rsyslogd /usr/sbin/rsyslogd {
#include <abstractions/base>
#include <abstractions/nameservice>
capability sys_tty_config,
capability dac_override,
capability dac_read_search,
capability setuid,
capability setgid,
capability sys_nice,
capability syslog,
unix (receive) type=dgram,
unix (receive) type=stream,
# rsyslog configuration
/etc/rsyslog.conf r,
/etc/rsyslog.d/ r,
/etc/rsyslog.d/** r,
/{,var/}run/rsyslogd.pid{,.tmp} rwk,
/var/spool/rsyslog/ r,
/var/spool/rsyslog/** rwk,
/usr/sbin/rsyslogd mr,
/usr/lib{,32,64}/{,@{multiarch}/}rsyslog/*.so mr,
/dev/tty* rw,
/dev/xconsole rw,
@{PROC}/kmsg r,
# allow access to console (LP: #2009230)
/dev/console rw,
/dev/log rwl,
/{,var/}run/utmp rk,
/var/lib/*/dev/log rwl,
/var/spool/postfix/dev/log rwl,
/{,var/}run/systemd/notify w,
# 'r' is needed when using imfile
/var/log/** rw,
# apparmor snippets for rsyslog from other packages
include if exists <rsyslog.d>
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.rsyslogd>
}
Mini Shell