[apparmor] openSUSE profile patches - part 2

Seth Arnold seth.arnold at gmail.com
Mon Aug 8 20:38:25 UTC 2011


Please forgive rubbish BlackBerry quoting:

--snip--
> +++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
> @@ -29,6 +29,8 @@
>    capability kill,
>    capability setgid,
>    capability setuid,
> +  capability audit_control,
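Review bot: the added `capability audit_control,` line grants a confined sshd the ability to change or disable audit logging, which the thread notes could be used to hide audit events, yet the hunk carries no comment saying which sshd or PAM operation actually fails without it. Please either document the failing operation next to the rule or, as suggested above, replace it with an explicit deny rule so the need is recorded and the profile stays narrow; also note the header `@@ -29,6 +29,8 @@` announces two added lines while only one `+` line is quoted here, so the second addition should be shown for review.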

I really, really dislike allowing audit_control. Basically, a confined
process with it can turn off audit logging by auditd/the audit
subsystem or manipulate it in such a way as to hide audit events. Does
sshd really fail to start if audit_control is disallowed? I'd honestly
rather see a deny rule here.

--snip--

It might come from a PAM audit module -- and last time I tried to rebuild the Ubuntu packages to include audit support I got annoyed and wished for an rpm-spec-file style patch management :) anyway, if you can shoot me a suggestion how to rebuild the pam package with audit bits I'd happily investigate this :)