[apparmor] openSUSE profile patches - part 2
Christian Boltz
apparmor at cboltz.de
Sat Aug 6 12:30:52 UTC 2011
Hello,
next bunch of the profile patches in the openSUSE apparmor package ;-)
==> apparmor-profiles-cupsd-fix <==
Various profile fixes/additions
==> apparmor-profiles-dhclient <==
From: Jeff Mahoney <jeffm at suse.com>
Subject: profiles: update dhclient
References: bnc#561152
Signed-off-by: Jeff Mahoney <jeffm at suse.com>
Includes the new profile
profiles/apparmor/profiles/extras/sbin.dhclient-script
==> apparmor-profiles-sshd-fix <==
From: Jeff Mahoney <jeffm at suse.com>
Subject: Fix for sshd profile
References: bnc#457072
Without this patch, sshd won't work in enforce mode.
libselinux reads /proc/filesystems to determine whether SELinux is enabled;
bash won't execute (the /bin/bash rule gains r);
audit_control is probably needed by libselinux too.
==> apparmor-profiles-syslog-ng-fix <==
profile fixes/additions
updated to match master by
Christian Boltz <apparmor at cboltz.de>
==> apparmor-profiles-usr.sbin.dnsmasq <==
From: Jeff Mahoney <jeffm at suse.com>
Subject: dnsmasq: Profile fixes
References: bnc#666090 bnc#678749
Signed-off-by: Jeff Mahoney <jeffm at suse.com>
Updated to match master by
Christian Boltz <apparmor at cboltz.de>
Regards,
Christian Boltz
--
Wer eine Personal Firewall verwendet, könnte auch eine Einkaufstüte
als Kondom benutzen: Den Sicherheits- und Lustgewinn beider Methoden
halten wir für vergleichbar. ;-)
[T-Online-Team in t-online.talk.internet]
-------------- next part --------------
Various profile fixes/additions
---
profiles/apparmor/profiles/extras/usr.sbin.cupsd | 25 ++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@@ -16,20 +16,31 @@
capability setuid,
/bin/bash ixr,
+ /bin/cat ix,
+
+ /usr/bin/foomatic-rip ixr,
+ /etc/foomatic/** r,
+
+ /usr/bin/gs ix,
+ /usr/lib/ghostscript/** m,
+ /usr/lib64/ghostscript/** m,
+ /usr/share/ghostscript/** r,
+ /etc/ghostscript/** r,
+
/dev/lp0 rw,
/dev/tty rw,
/dev/ttyS? w,
/etc/cups rw,
/etc/cups/ r,
- /etc/cups/* r,
+ /etc/cups/** r,
/etc/cups/certs w,
/etc/cups/certs/* w,
- /etc/cups/classes.conf rw,
- /etc/cups/cupsd.conf rw,
+ /etc/cups/*.conf* rw,
/etc/cups/ppd rw,
+ /etc/printcap rw,
/etc/cups/printcap rw,
- /etc/cups/printers.conf rw,
/etc/cups/ssl rw,
+ /etc/cups/yes/* rw,
/etc/hosts.allow r,
/etc/hosts.deny r,
/proc/meminfo r,
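Review bot: `/usr/bin/gs ix,` and `/usr/bin/foomatic-rip ixr,` run the filter chain inside the cupsd profile, so a Ghostscript bug triggered by a crafted print job inherits everything cupsd holds — including the `capability setuid,` at the top of this hunk and write access to `/etc/cups/*.conf*` — rather than being contained; a separate profile for gs reached via `px` (or a child profile via `cx`, if the parser version in use supports it) would limit a filter compromise. `/etc/cups/*.conf* rw,` replaces three explicit files and also matches backup names such as `cupsd.conf.O`; presumably intentional, but a comment saying so keeps the next reviewer from narrowing it again. `/etc/cups/yes/* rw,` has no explanation at all; if it is a real CUPS path a comment naming the consumer would help. The profile body continues outside the hunk.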
@@ -39,11 +50,15 @@
/usr/bin/smbspool ixr,
/usr/lib/cups/backend/* ixr,
/usr/lib/cups/filter/* ixr,
- /usr/sbin/cupsd mr,
+ /usr/sbin/cupsd mixr,
/usr/share/cups/** r,
/var/log/cups/access_log rw,
/var/log/cups/error_log rw,
/var/spool/cups rw,
+ /var/spool/cups/** rw,
/var/spool/cups/tmp w,
/var/spool/cups/tmp/ r,
+ /var/run/cups/** rw,
+ /var/cache/cups/ rw,
+ /var/cache/cups/** rw,
}
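Review bot: `/var/spool/cups/** rw,` subsumes the existing `/var/spool/cups/tmp w,` and `/var/spool/cups/tmp/ r,` rules, so those narrower lines are now dead; either drop them or narrow the glob so the rule set documents the intended access. Note also that `/var/run/cups/** rw,` and `/var/cache/cups/** rw,` match only entries below the directory, not the directory itself — `/var/cache/cups/ rw,` is there, but if cupsd creates or lists `/var/run/cups/` a matching `/var/run/cups/ rw,` rule is still missing. `/usr/sbin/cupsd mixr,` newly lets cupsd re-exec itself with inherit; a one-line comment naming the code path (restart on SIGHUP, presumably) would explain why `mr` was no longer enough.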
-------------- next part --------------
From: Jeff Mahoney <jeffm at suse.com>
Subject: profiles: update dhclient
References: bnc#561152
Signed-off-by: Jeff Mahoney <jeffm at suse.com>
---
profiles/apparmor/profiles/extras/sbin.dhclient | 61 +++++++++++------
profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
2 files changed, 61 insertions(+), 21 deletions(-)
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -11,12 +11,12 @@
# raw sockets, and thus cannot be confined with NetDomain
#
# Should these programs have their own domains?
-# /bin/ps mixr,
-# /sbin/arp rmix,
-# /usr/bin/dig rmix,
-# /usr/bin/uptime rmix,
-# /usr/bin/vmstat rmix,
-# /usr/bin/w rmix,
+# /bin/ps mrix,
+# /sbin/arp mrix,
+# /usr/bin/dig mrix,
+# /usr/bin/uptime mrix,
+# /usr/bin/vmstat mrix,
+# /usr/bin/w mrix,
#include <tunables/global>
@@ -24,25 +24,30 @@
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
- /sbin/dhclient rmix,
- /sbin/dhclient-script rmix,
- /bin/bash rmix,
- /bin/df rmix,
+
+ network packet packet,
+ network packet raw,
+
+ /sbin/dhclient mrix,
+
+ /sbin/dhclient-script mrix,
+ /bin/bash mrix,
+ /bin/df mrix,
/bin/netstat Px,
- /bin/ps mixr,
+ /bin/ps mrix,
/dev/random r,
/etc/dhclient.conf r,
- @{PROC}/ r,
- @{PROC}/interrupts r,
- @{PROC}/net/dev r,
- @{PROC}/rtc r,
+ @{PROC}/ r,
+ @{PROC}/interrupts r,
+ @{PROC}/*/net/dev r,
+ @{PROC}/rtc r,
# following rule shouldn't work, self is a symlink
- @{PROC}/self/status r,
- /sbin/arp rmix,
- /usr/bin/dig rmix,
- /usr/bin/uptime rmix,
- /usr/bin/vmstat rmix,
- /usr/bin/w rmix,
+ @{PROC}/self/status r,
+ /sbin/arp mrix,
+ /usr/bin/dig mrix,
+ /usr/bin/uptime mrix,
+ /usr/bin/vmstat mrix,
+ /usr/bin/w mrix,
/var/lib/dhcp/dhclient.leases rw,
/var/lib/dhcp/dhclient-*.leases rw,
/var/log/lastlog r,
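Review bot: `@{PROC}/*/net/dev r,` is wider than the `@{PROC}/net/dev` it replaces — `*` matches every pid directory, not only the caller's — presumably because `/proc/net` resolves through `/proc/self/net` (the comment on the `self/status` rule below already notes that `self` is a symlink); `@{PROC}/[0-9]*/net/dev r,` expresses the same thing with the `[0-9]*` convention the sshd profile uses and keeps non-pid entries out. `network packet packet,` and `network packet raw,` are what a DHCP client needs and match the header comment about raw sockets, but a short comment tying them to that comment would help. The profile header is above this hunk.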
@@ -52,4 +57,18 @@
/var/run/dhclient-*.pid rw,
/var/spool r,
/var/spool/mail r,
+
+ # This one will need to be fleshed out depending on what the user is doing
+ /sbin/dhclient-script mrpx,
+
+ /bin/grep mrix,
+ /bin/sleep mrix,
+ /etc/sysconfig/network/dhcp r,
+ /etc/sysconfig/network/scripts/functions.common r,
+ /etc/sysconfig/network/scripts/functions r,
+ /sbin/ip mrix,
+ /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
+ /var/lib/dhcp/* rw,
+ /var/run/nm-dhclient-*.conf r,
+
}
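Review bot: `/sbin/dhclient-script mrpx,` conflicts with the `/sbin/dhclient-script mrix,` rule that the previous hunk of this file keeps: two rules for the same path with different exec qualifiers (`ix` vs `px`) are likely to be rejected by apparmor_parser as conflicting x modifiers, and even if they were merged the inherit rule would defeat the new separate profile; drop the `mrix` line so the script really transitions to the `/sbin/dhclient-script` profile added in this patch. `/var/lib/dhcp/* rw,` also makes the existing `dhclient.leases` and `dhclient-*.leases` rules redundant. `/usr/lib/NetworkManager/nm-dhcp-client.action mrix,` runs NetworkManager's helper under dhclient's confinement, including its raw/packet socket access; consider whether that helper should get its own profile rather than inherit.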
--- /dev/null
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
@@ -0,0 +1,21 @@
+# Last Modified: Tue Jan 25 16:48:30 2011
+#include <tunables/global>
+
+# dhclient-script will call plugins from /etc/netconfig.d, so this
+# will need to be extended on a per-site basis.
+
+/sbin/dhclient-script {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/consoles>
+
+ /bin/bash rix,
+ /bin/grep rix,
+ /bin/sleep rix,
+ /bin/touch rix,
+ /dev/.sysconfig/network/** r,
+ /etc/netconfig.d/* mrix,
+ /etc/sysconfig/network/** r,
+ /sbin/dhclient-script r,
+ /sbin/ip rix,
+}
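Review bot: the new profile carries no `capability` rules, yet `/sbin/ip rix,` is presumably there so the script can apply the lease (`ip addr`/`ip route`/`ip link`), which needs CAP_NET_ADMIN; a `px` transition does not inherit the parent's capabilities, so in enforce mode the lease would be obtained but never configured. Add `capability net_admin,` and confirm in complain mode whether `net_raw` is hit as well. `/etc/netconfig.d/* mrix,` runs arbitrary site plugins with inherit, as the header comment acknowledges; a `px`/`cx` transition per plugin would be the safer long-term shape. `/sbin/dhclient-script r,` is sufficient for a script executed through bash, so no `m` is needed there.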
-------------- next part --------------
profile fixes/additions
updated to match master by
Christian Boltz <apparmor at cboltz.de>
---
profiles/apparmor.d/sbin.syslog-ng | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -19,12 +19,14 @@
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
+ #include <abstractions/mysql>
capability chown,
capability dac_override,
capability fsetid,
capability fowner,
capability sys_tty_config,
+ capability sys_resource,
/dev/log w,
/dev/syslog w,
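Review bot: `capability sys_resource,` arrives without any justification, and it is a broad grant (raising rlimits, overriding disk quota and reserved space, among others). If it is there for syslog-ng raising its own RLIMIT_NOFILE, say so inline: `capability sys_resource, # setrlimit(RLIMIT_NOFILE) for many destinations`, and likewise note which destination driver needs `#include <abstractions/mysql>`, so a later reviewer can tell whether the rule is still required instead of carrying it forever. The profile header is above this hunk.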
@@ -35,11 +37,14 @@
/etc/hosts.deny r,
/etc/hosts.allow r,
/sbin/syslog-ng mr,
+ /usr/share/syslog-ng/** r,
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
- @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist rw,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
@{CHROOT_BASE}/var/log/** w,
@{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
+ @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
+ /var/run/syslog-ng/additional-log-sockets.conf r,
# Site-specific additions and overrides. See local/README for details.
#include <local/sbin.syslog-ng>
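Review bot: `@{CHROOT_BASE}/var/run/syslog-ng.ctl rw,` hardcodes `var/run` while the pid rule just above uses `{,var/}run`; AppArmor matches the resolved path, so on a system where `/var/run` is a symlink to `/run` the control socket would be denied — use `@{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,`. `/var/run/syslog-ng/additional-log-sockets.conf r,` has the same `var/run` issue and, unlike its neighbours, is not prefixed with `@{CHROOT_BASE}`; if that is deliberate (read from the host, not the chroot) a comment saying so will keep it from being "fixed" later. Widening `syslog-ng.persist` to `syslog-ng.persist*` to cover the temporary file looks fine.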
-------------- next part --------------
From: Jeff Mahoney <jeffm at suse.com>
Subject: Fix for sshd profile
References: bnc#457072
Without this patch, sshd won't work in enforce mode.
libselinux reads /proc/filesystems to determine whether SELinux is enabled;
bash won't execute (the /bin/bash rule gains r);
audit_control is probably needed by libselinux too.
---
profiles/apparmor/profiles/extras/usr.sbin.sshd | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -29,6 +29,8 @@
capability kill,
capability setgid,
capability setuid,
+ capability audit_control,
+ capability sys_ptrace,
/dev/ptmx rw,
/dev/urandom r,
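Review bot: `capability sys_ptrace,` is a large grant — it lets sshd read other processes' memory and `/proc/<pid>` state without the usual ownership checks — and the commit message does not explain it (it only mentions audit_control and /proc/filesystems). The `@{PROC}/[0-9]*/loginuid w,` rule already in the profile suggests `audit_control` is needed by pam_loginuid writing the login uid rather than by libselinux; if `sys_ptrace` is only there because something touches `@{PROC}/[0-9]*/fd/`, that should be confirmed from complain-mode logs before it is enforced. Each capability should carry a one-line comment naming the consumer, e.g. `capability audit_control, # pam_loginuid writes /proc/<pid>/loginuid`. The profile continues outside the hunk.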
@@ -43,11 +45,12 @@
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/loginuid w,
+ @{PROC}/filesystems r,
# should only be here for use in non-change-hat openssh
# duplicated from EXEC hat
/bin/ash Ux,
- /bin/bash Ux,
+ /bin/bash rUx,
/bin/bash2 Ux,
/bin/bsh Ux,
/bin/csh Ux,
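Review bot: only `/bin/bash` gets the added `r` while the sibling shells (`/bin/ash`, `/bin/bash2`, `/bin/bsh`, `/bin/csh` and whatever follows the hunk) keep bare `Ux`; if the read is needed because sshd opens the login shell before exec'ing it (the message says only "bash won't execute"), a user whose shell is csh will hit the same denial, so either apply `rUx` to the whole list or add a comment explaining why bash is special. These entries are `Ux` — unconfined with a scrubbed environment — so this list is effectively the profile's escape hatch; the existing comment says it is duplicated from the EXEC hat, and that hat should be kept in step with whatever is decided here. The shell list continues outside the hunk.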
-------------- next part --------------
From: Jeff Mahoney <jeffm at suse.com>
Subject: dnsmasq: Profile fixes
References: bnc#666090 bnc#678749
Signed-off-by: Jeff Mahoney <jeffm at suse.com>
Updated to match master by
Christian Boltz <apparmor at cboltz.de>
---
profiles/apparmor.d/usr.sbin.dnsmasq | 4 ++++
1 file changed, 4 insertions(+)
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -25,10 +25,12 @@
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
+ /etc/ethers r,
/usr/sbin/dnsmasq mr,
/{,var/}run/*dnsmasq*.pid w,
+ /var/run/dnsmasq-forwarders r,
/{,var/}run/dnsmasq/ r,
/{,var/}run/dnsmasq/* rw,
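Review bot: `/var/run/dnsmasq-forwarders r,` hardcodes `/var/run` while the surrounding rules use `/{,var/}run/` so they keep matching when `/var/run` is a symlink to `/run`; write it as `/{,var/}run/dnsmasq-forwarders r,`. `/etc/ethers r,` is reasonable — dnsmasq consults it when `read-ethers` is set — but a trailing comment naming that option would record why the rule exists. The profile header is above this hunk.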
@@ -40,6 +42,8 @@
# libvirt pid files for dnsmasq
/{,var/}run/libvirt/network/ r,
/{,var/}run/libvirt/network/*.pid rw,
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/*.hostsfile r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.dnsmasq>