[apparmor] [patch] traceroute profile (apparmor-profiles-traceroute)

Christian Boltz apparmor at cboltz.de
Tue Aug 23 00:18:52 UTC 2011


Hello,

On Tuesday, 23 August 2011, Steve Beattie wrote:
> On Sun, Aug 21, 2011 at 06:06:52PM +0200, Christian Boltz wrote:
> > another :-/ patch from openSUSE 11.4 that never made it to Factory.
> > 
> > Bug 685674 - The "-I" flag of traceroute is blocked by apparmor
> > 
> > * Do Apr 07 2011 jeffm at suse.de
> > - Add raw network access to traceroute profile (bnc#685674).
> 
> ACK from me as this is entirely sensible (it's exactly what
> capability net_raw is supposed to allow you to do).

Committed to r1801.

> Also, on Debian/Ubuntu, traceroute is covered by the alternatives,
> and ends up pointing to /usr/bin/traceroute.db; thus I'd like to
> add:

Is traceroute.db really in /usr/bin and not in /usr/sbin?

That doesn't sound like making much sense - either traceroute itself 
should also be in /usr/bin (to make it "officially" available for users) 
or traceroute.db should be in /usr/sbin (to "flag" it admin-only, and 
yes, I know that a user can call it by using the full path).

Having one in /usr/bin and the other in /usr/sbin is confusing.

> === modified file 'profiles/apparmor.d/usr.sbin.traceroute'
> --- profiles/apparmor.d/usr.sbin.traceroute	2010-08-05 19:00:02 
> +++ profiles/apparmor.d/usr.sbin.traceroute	2011-08-22 23:54:53 
> @@ -10,7 +10,7 @@
>  # ------------------------------------------------------------------
> 
>  #include <tunables/global>
> -/usr/sbin/traceroute {
> +/usr/{sbin/traceroute,bin/traceroute.db} {
>    #include <abstractions/base>
>    #include <abstractions/consoles>
>    #include <abstractions/nameservice>
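
Review bot: The new attachment line `/usr/{sbin/traceroute,bin/traceroute.db} {` extends the profile to a second binary, but nothing in the hunk records why /usr/bin/traceroute.db is there, and the file is still named usr.sbin.traceroute. A one-line comment above the attachment saying that traceroute.db is the Debian/Ubuntu alternatives target would make this self-explanatory. Since the profile name is now the brace expression itself, it is also worth confirming that every rule in the profile body is meant to apply equally to both paths.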

You'll have to commit that yourself ;-)

I'm not against it, but I'd like to see the path confusion described 
above cleaned up.


Regards,

Christian Boltz
-- 
I have nothing against C. I can't write C at all; I can halfway read it
if it is cleanly programmed. Provided that the programmer wasn't too
original. [Ratti in suse-programming]


