  capability sys_nice,
  capability syslog,

  # rsyslog configuration
  /etc/rsyslog.conf r,
  /etc/rsyslog.d/ r,
  /etc/rsyslog.d/** r,
  /{,var/}run/rsyslogd.pid rwk,
  /var/spool/rsyslog/ r,
  /var/spool/rsyslog/** rwk,
  /usr/lib{,32,64}/rsyslog/*.so mr,
  /dev/tty* rw,
  /dev/xconsole rw,
  @{PROC}/kmsg r,
  /dev/log wl,
  /var/lib/*/dev/log wl,
  /var/spool/postfix/dev/log wl,

  # 'r' is needed when using imfile
  /var/log/** rw,

  # Add these for mysql support
  #/etc/mysql/my.cnf r,
  #/{,var/}run/mysqld/mysqld.sock rw,

  # Add these for postgresql support
  ##include <abstractions/openssl>
  ##include <abstractions/ssl_certs>
  #/{,var/}run/postgresql/.s.PGSQL.*[0-9] rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.rsyslogd>
}
Even without knowing the syntax, you can see from this file that profiles are
simple text files that support the use of comments, that absolute paths and
globbing (pattern matching for filenames) are supported, that specific
capabilities are allowed or disallowed, and what locations and programs in the
filesystem may be accessed or used.
Each access rule specifies specific permissions from this list:
r - read
w - write
ux - unconstrained execute
Ux - unconstrained execute - scrub the environment
px - discrete profile execute
Px - discrete profile execute - scrub the environment
ix - inherit execute
m - allow PROT_EXEC with mmap(2) calls
l - link
These permissions are listed at the ends of lines.
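To make the permission letters concrete, here is an added example (not from the book or from the AppArmor project) that parses the file-access, capability and #include lines of a profile such as the rsyslogd one above, expands each permission string using the list just given, and reports the two things a reviewer of a profile looks for first: unconstrained execute (ux/Ux), which leaves the child process unconfined, and write access granted through a recursive ** glob. The SAMPLE text is constructed from rules in the rsyslogd profile plus one hypothetical ux rule so that the review has something to flag; the 'k' (lock) mode is a standard AppArmor mode that appears in the profile but not in the list above, so it is added to the table here.

```python
"""Parse AppArmor file-access rules and expand their permission letters."""
import re
from dataclasses import dataclass, field

# Single-letter modes from the list above, plus 'k' (file locking), a standard
# AppArmor mode used in the rsyslogd profile ('rwk') but not in that list.
SINGLE_MODES = {
    "r": "read",
    "w": "write",
    "m": "allow PROT_EXEC with mmap(2)",
    "l": "link",
    "k": "lock",
}
# Two-letter execute modes; the capital variants scrub the environment.
EXEC_MODES = {
    "ux": "unconstrained execute",
    "Ux": "unconstrained execute (scrub environment)",
    "px": "discrete profile execute",
    "Px": "discrete profile execute (scrub environment)",
    "ix": "inherit execute",
}

@dataclass
class FileRule:
    path: str
    modes: list   # expanded names, e.g. ["read", "write", "lock"]
    raw: str      # the permission string as written, e.g. "rwk"

@dataclass
class Profile:
    capabilities: list = field(default_factory=list)
    includes: list = field(default_factory=list)
    file_rules: list = field(default_factory=list)

# A file rule: an absolute path or @{VARIABLE} path, whitespace, permission letters, comma.
FILE_RULE = re.compile(r"^(?P<path>[@/]\S*)\s+(?P<perms>[A-Za-z]+),$")

def parse_perms(perms):
    """Expand 'rwk', 'mr', 'Px', ... into the mode names from the table."""
    names, i = [], 0
    while i < len(perms):
        two = perms[i:i + 2]
        if two in EXEC_MODES:           # execute modes are two letters
            names.append(EXEC_MODES[two])
            i += 2
        elif perms[i] in SINGLE_MODES:
            names.append(SINGLE_MODES[perms[i]])
            i += 1
        else:
            raise ValueError(f"unknown permission {perms[i]!r} in {perms!r}")
    return names

def parse_profile(text):
    """Collect capability lines, #include directives and file rules."""
    prof = Profile()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("{") or line == "}":
            continue                    # blank lines, profile header, closing brace
        if line.startswith("#include"):  # '#include' is a directive, not a comment
            prof.includes.append(line.split(None, 1)[1])
            continue
        if line.startswith("#"):         # '##include' and '#/path' are commented out
            continue
        if line.startswith("capability "):
            prof.capabilities.append(line[len("capability "):].rstrip(","))
            continue
        m = FILE_RULE.match(line)
        if m:
            prof.file_rules.append(FileRule(m["path"], parse_perms(m["perms"]), m["perms"]))
    return prof

def review(prof):
    """Flag unconstrained execute and recursive write access for a human to check."""
    findings = []
    for rule in prof.file_rules:
        if "ux" in rule.raw or "Ux" in rule.raw:
            findings.append(f"{rule.path}: {rule.raw} runs the target unconfined")
        if "w" in rule.raw and "**" in rule.path:
            findings.append(f"{rule.path}: {rule.raw} grants recursive write access")
    return findings

# Constructed sample: rules from the rsyslogd profile plus one hypothetical 'ux' rule.
SAMPLE = """\
/usr/sbin/rsyslogd {
  capability sys_nice,
  capability syslog,

  # rsyslog configuration
  /etc/rsyslog.conf r,
  /etc/rsyslog.d/** r,
  /{,var/}run/rsyslogd.pid rwk,
  /usr/lib{,32,64}/rsyslog/*.so mr,
  @{PROC}/kmsg r,
  /dev/log wl,
  /var/log/** rw,
  /usr/bin/hypothetical-helper ux,

  # Add these for postgresql support
  ##include <abstractions/openssl>
  #/{,var/}run/postgresql/.s.PGSQL.*[0-9] rw,

  #include <local/usr.sbin.rsyslogd>
}
"""

if __name__ == "__main__":
    profile = parse_profile(SAMPLE)
    for rule in profile.file_rules:
        print(f"{rule.path:45} {rule.raw:4} -> {', '.join(rule.modes)}")
    for finding in review(profile):
        print("REVIEW:", finding)
```

Note that the parser only understands the rule forms present in the profile above; qualifiers such as owner or deny, and the cx/Cx execute modes, are not handled.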
genprof is a program that helps you generate or update a profile. You
supply the name of the executable (or the path, if it is not already in the path)
and may optionally supply the path to the profiles, as well. The following is
an example:
matthew@seymour~:$ sudo genprof google-chrome
You will be asked to start the program and use it for a bit. After it is complete,
you are given an opportunity to choose whether access to each function