[apparmor] openSUSE profile patches - part 2

[Christian Boltz]

Hello,

@Jeff: can you please comment on the sshd profile?

Am Montag, 8. August 2011 schrieb Steve Beattie:
> On Sat, Aug 06, 2011 at 02:30:52PM +0200, Christian Boltz wrote:

> >  profiles/apparmor/profiles/extras/usr.sbin.cupsd |   25

> Acked-By: Steve Beattie <sbeattie at ubuntu.com>, though see below.

> (The cupsd profile that Ubuntu ships sadly has significantly deviated
> from the extras starting point. Ubuntu carries it within its cups
> package, not in its apparmor packages.)

That sounds like lots of fun for the cups maintainer *eg*

> > --- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
> > +++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd

> > +  /var/run/cups/** rw,
> 
> The above likely needs to be:
> 
>   /{,var/}run/cups/ rw,
>   /{,var/}run/cups/** rw,

Commited to master (with these changes).


> > From: Jeff Mahoney <jeffm at suse.com>
> > Subject: profiles: update dhclient
> > References: bnc#561152
> > 
> > Signed-off-by: Jeff Mahoney <jeffm at suse.com>
> 
> Acked-By: Steve Beattie <sbeattie at ubuntu.com>

Commited to master.


> >  profiles/apparmor.d/sbin.syslog-ng 

> > +  @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
> 
> Again, s|var/|{,var/}| is probably needed. Otherwise, ACK.

Commited to master (with /{,var/}run/)



> > From: Jeff Mahoney <jeffm at suse.com>
> > Subject: Fix for sshd profile
> > References: bnc#457072
> > 
> >  Without this patch, sshd won't work in enforce mode.
> >  
> >  libselinux accesses /proc/filesystems to determine if it's enabled
> >  bash won't execute
> >  audit_control is probably from libselinux too
> > 
> > ---
> > 
> >  profiles/apparmor/profiles/extras/usr.sbin.sshd |    5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > --- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
> > +++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd

> > +  capability audit_control,
> 
> I really, really dislike allowing audit_control. Basically, a
> confined process with it can turn off audit logging by auditd/the
> audit subsystem or manipulate it in such away as to hide audit
> events. Does sshd really fail to start if audit_control is
> disallowed? I'd honestly rather see a deny rule here.

Jeff?

> > +  capability sys_ptrace,

> > +  @{PROC}/filesystems r,
> > 
> >  # should only be here for use in non-change-hat openssh
> >  # duplicated from EXEC hat
> >  
> >    /bin/ash Ux,
> > 
> > -  /bin/bash Ux,
> > +  /bin/bash rUx,
> 
> I suspect the other shells need 'r' access as well.

Looks like nobody uses anything else than bash as login shell ;-)
But yes, you are probably right.

> >    /bin/bash2 Ux,
> >    /bin/bsh Ux,
> >    /bin/csh Ux,






> > From: Jeff Mahoney <jeffm at suse.com>
> > Subject: dnsmasq: Profile fixes
> > References: bnc#666090 bnc#678749

> > +  /var/lib/libvirt/dnsmasq/            r,
> > +  /var/lib/libvirt/dnsmasq/*.hostsfile r,
> 
> I think this is okay, but I'm not that knowledgeable about the
> interaction between dnsmasq and libvirt.

The directory name looks good and valid ;-)

Commited to master (with /{,var/}run/)

With this commit, 7 of 10 openSUSE profile patches are in master :-)


Regards,

Christian Boltz
-- 
Man taucht nicht auf einer Mailingliste auf, schreibt technisch grotten-
kaputte Mails. Und wenn einem das versehentlich passiert und man sich
dafür einen berechtigten Anschiss abholt, stellt man sich nicht noch auf
die Apfelsinenkiste und hält Plädoyers über Humor und freie Meinungs-
äußerung - dann schraubt man an seinen knatternden Mailclient gefälligst
den Auspuff wieder an und ist lieb. [Ratti in suse-linux]