[apparmor] IPv6 support in various profiles

[Christian Boltz]

Hello,

should we check all profiles if they need inet6 added?

(Note that I don't have an IPv6 setup here, so I can't test it.)


A quick grep shows the following candidates:

a) profiles/apparmor.d/

> bin.ping:  network inet raw,

Does /bin/ping also work for ipv6 or is that the job of the separate 
/bin/ping6 binary? ping6 doesn't have a profile yet - maybe we could 
solve it by changing the profile name to   /bin/ping{,6}   ?

> sbin.klogd:  network inet stream,

Does klogd support IPv6?

> usr.lib.dovecot.managesieve-login:  network inet stream,

Same question here ;-)  - usr.lib.dovecot.imap-login has IPv6 support 
(see separate mail with patch some minutes ago), so chances are good.

> usr.sbin.dnsmasq:  network inet raw,

... and here

> usr.sbin.nscd:  network inet dgram,
> usr.sbin.nscd:  network inet stream,

... and here

> usr.sbin.ntpd:  network inet dgram,
> usr.sbin.ntpd:  network inet stream,
> usr.sbin.ntpd:  network inet6 stream,

... and here - but only for inet6 dgram. Note that inet{,6} stream is 
already allowed.


b) profiles/apparmor/profiles/extras/

> usr.sbin.dhcpd:  network inet raw,

Does dhcpd also handle IPv6 or is there a separate version?


Fortunately most profiles get network access via abstractions, which 
already include support for IPv4 and IPv6.



Regards,

Christian Boltz
-- 
Aber genauso können mir ja auch die Grünen leid tuen.
Da bin ich doch lieber blau ...
[Konrad Neitzel in suse-linux]