[apparmor] [patch] wutmp cleanups
Christian Boltz
apparmor at cboltz.de
Thu Aug 18 10:26:23 UTC 2011
Hello,
On Wednesday, 17 August 2011, Steve Beattie wrote:
> On Tue, Aug 16, 2011 at 01:07:37PM +0200, Christian Boltz wrote:
> > a) obvious changes
> >
> > ./apparmor.d/usr.lib.dovecot.dovecot-auth: #include <abstractions/wutmp>
> > ./apparmor.d/usr.lib.dovecot.dovecot-auth: /{,var/}run/utmp k,
> >
> > k permission can be removed from dovecot-auth since it's in the
> > wutmp abstraction now
>
> Agreed, patch attached.
ACK.
> > b) rw usage of at least one of the files listed in
> > abstractions/wutmp
> >
> > Note that switching to abstractions/wutmp will add some permissions
> > to those profiles (the abstraction contains 3 files, the profiles
> > listed below only one or two of them).
> >
> > ./apparmor/profiles/extras/usr.sbin.useradd: /var/log/lastlog rw,
> > ./apparmor/profiles/extras/usr.sbin.useradd: /{,var/}run/utmp rw,
> >
> > ./apparmor/profiles/extras/usr.sbin.userdel: /var/log/lastlog rw,
> > ./apparmor/profiles/extras/usr.sbin.userdel: /{,var/}run/utmp rw,
>
> With two out of the three, I think we're not expanding the privileges
> too grossly here.
;-)
> Patch attached.
ACK.
> For the rest, my inclination is that the wutmp abstraction expands
> privilege more widely than I'd like, particularly for the read-only
> accessors of the various files. But obviously it's open for
> discussion.
I agree with that, no need to discuss it ;-)
Regards,
Christian Boltz
--
>That release went far too smooth after we had everything together ;-)
That on its own should have set off the alarm bells :-)
[> Andreas Jaeger and David Bolt in opensuse-factory]
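The thread's two questions, whether the `k` rule in dovecot-auth is redundant once the abstraction is included, and how much a profile that touches only one or two of the files would gain by switching to `#include <abstractions/wutmp>`, can be answered mechanically. The script below is an added example written for this archive page; it is not AppArmor project code and does not come from the patches discussed. The body of `abstractions/wutmp` it uses is an assumption (three file rules, as the thread says), and the profile fragments are constructed from the grep output quoted above. It expands `{,var/}` alternations so that a profile rule written for one concrete path is compared against every path the abstraction rule actually matches.

```python
"""Compute what an AppArmor profile gains (or no longer needs) when it
#includes an abstraction.  Added example for this mailing-list thread, not
AppArmor project code.  The abstraction body below is an ASSUMED copy of
abstractions/wutmp; the profile fragments are constructed from the thread."""
import re

# One permission token: r w a k l m, or an execute mode such as ix / Px / Ux.
PERM_RE = re.compile(r"[PUCpuc]?i?x|[rwakml]")
# A simple file rule: optional 'owner', an absolute path, a mode, a comma.
RULE_RE = re.compile(r"^\s*(?:owner\s+)?(/\S+)\s+([A-Za-z]+)\s*,\s*$")

# Assumption: contents of abstractions/wutmp at the time (three file rules).
WUTMP = """
  /var/log/lastlog rwk,
  /var/log/wtmp wk,
  /{,var/}run/utmp rwk,
"""
# Constructed from the thread: extras/usr.sbin.useradd before the switch.
USERADD = """
  /var/log/lastlog rw,
  /{,var/}run/utmp rw,
"""
# Constructed from the thread: usr.lib.dovecot.dovecot-auth with both lines.
DOVECOT_AUTH = """
  #include <abstractions/wutmp>
  /{,var/}run/utmp k,
"""
# Constructed: a read-only accessor of one of the files.
READ_ONLY = """
  /var/log/wtmp r,
"""


def expand_braces(path):
    """Expand {a,b} alternations: /{,var/}run/utmp -> /run/utmp, /var/run/utmp."""
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return [path]
    head, tail = path[: m.start()], path[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt + tail))
    return out


def split_perms(mode):
    """Break a mode string into permission tokens; 'w' already covers 'a'."""
    perms = set(PERM_RE.findall(mode))
    if "w" in perms:
        perms.discard("a")
    return perms


def parse_rules(text):
    """Map every concrete path to the set of permissions the rule set grants it."""
    grants = {}
    for line in text.splitlines():
        # '#include' lines are not file rules; anything else after '#' is a comment.
        line = "" if line.lstrip().startswith("#include") else line.split("#", 1)[0]
        m = RULE_RE.match(line)
        if not m:
            continue
        perms = split_perms(m.group(2))
        for path in expand_braces(m.group(1)):
            grants.setdefault(path, set()).update(perms)
    return grants


def added_by_include(profile_text, abstraction_text):
    """{path: perms} the profile would newly gain by including the abstraction."""
    have = parse_rules(profile_text)
    delta = {}
    for path, perms in parse_rules(abstraction_text).items():
        new = perms - have.get(path, set())
        if new:
            delta[path] = new
    return delta


def redundant_given_include(profile_text, abstraction_text):
    """Profile paths whose own rule is fully covered by the abstraction."""
    abst = parse_rules(abstraction_text)
    have = parse_rules(profile_text)
    return sorted(p for p, perms in have.items() if perms <= abst.get(p, set()))


if __name__ == "__main__":
    print("useradd gains:", added_by_include(USERADD, WUTMP))
    print("read-only accessor gains:", added_by_include(READ_ONLY, WUTMP))
    print("dovecot-auth rules now redundant:", redundant_given_include(DOVECOT_AUTH, WUTMP))
```

Running it shows the two conclusions reached in the thread: under the assumed abstraction body, useradd picks up only lock (`k`) on its two files plus write/lock on the third, while a profile that merely reads `/var/log/wtmp` gains read, write and lock on all three, which is why the read-only accessors are left out of the switch. The dovecot-auth `k` rule reports as covered for both `/run/utmp` and `/var/run/utmp`, so dropping it loses nothing.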