Does nginx really need dac_override in its AppArmor policy?

Solution 1:

The default file permissions for nginx logs in Ubuntu are rw-r-----. These files are owned by www-admin:adm.

nginx starts under user root, which has the CAP_DAC_OVERRIDE capability by default (remember that root can read and write to any file in the system), but once AppArmor confinement kicks in, the process loses that capability even though it runs as root, so the master nginx process cannot open the log files.

The solution is either changing the permissions so that root can also write to these files, or adding the dac_override capability to the AppArmor nginx profile.

Solution 2:

Further to your own answer above, you could perhaps mitigate the issue of perceived excessively wide access by using a "restricted dac_override" policy:

capability dac_override {
    /var/log/nginx* rw,
}

According to the docs, it should also be noted that even an unrestricted dac_override policy doesn't provide unrestricted access across the entire filesystem such as a regular, unconfined root process would enjoy:

"... to be able to access a file that is not owned by someone else the task must have the dac_override capability and the profile must contain both a file access rule and capability dac_override."
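As an added illustration of the "both rules are needed" point (not from either answer above, and not Ubuntu's shipped profile), a minimal nginx profile fragment; the profile name /usr/sbin/nginx and the log path are assumed, and the plain `capability dac_override,` form is used rather than the restricted block:

```apparmor
# Added example, not from the answers above. Minimal confinement for the
# nginx binary; the path, the log directory and the abstraction are assumed.
#include <tunables/global>

/usr/sbin/nginx {
  #include <abstractions/base>

  # File rule: AppArmor checks the path first. Without these lines the
  # capability below grants nothing for the log files.
  /var/log/nginx/ r,
  /var/log/nginx/* rw,

  # Capability rule: lets the root-owned master process pass the DAC check
  # on files it does not own (www-data:adm, mode 0640 as described above).
  # Neither this line nor the file rule alone opens the logs; both are needed.
  capability dac_override,

  # Alternative (Solution 1): make the logs writable by root via ownership or
  # mode instead, and leave this capability out of the profile entirely.
}
```

After `apparmor_parser -r` on the profile, a remaining failure to open the logs shows up in the kernel log as an `apparmor="DENIED"` line: one carrying `capname="dac_override"` means the capability rule is missing, one carrying the file path and `requested_mask="w"` means the file rule is.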