[apparmor] [patch] smbd profile + smbldap-useradd

Christian Boltz apparmor at cboltz.de
Wed Jan 4 19:54:26 UTC 2012


Hello,

On Wednesday, 4 January 2012, Kees Cook wrote:
> On Wed, Jan 04, 2012 at 07:43:35PM +0100, Christian Boltz wrote:
> > +  profile /etc/init.d/nscd {
> > +    #include <abstractions/base>
> > +    #include <abstractions/nameservice>
> > +
> > +    capability sys_ptrace,
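
Review bot: `capability sys_ptrace,` in the `profile /etc/init.d/nscd` block is granted with no comment saying which operation needs it. Add a comment that names the audit.log denial behind the rule, or leave the capability out of the patch until that denial is understood, so that later readers can tell a required permission from one that was accepted only because the log suggested it.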
> 
> I wonder why sys_ptrace keeps showing up in some of these profiles. Is
> this really needed?

Good question, I only know what the audit.log says ;-)

> > +    /proc/filesystems r,
> > +    /proc/meminfo r,
> 
> These are already in "base".

Good catch, I removed them from my pending patch.

OTOH, this brings up an interesting question - why did logprof add them 
to the profile? I probably first allowed them before adding 
abstractions/base, but logprof should have removed them again when I 
told it to use abstractions/base.

The only explanation I can imagine is that abstractions/base uses 
@{PROC} instead of /proc - could that be the reason?

If you want to test yourself, the audit.log is attached to 
https://bugzilla.novell.com/show_bug.cgi?id=738041


Regards,

Christian Boltz
-- 
>Firefox 5 was pushed to 11.4 updates yesterday... Did anyone notice? :)
I saw and installed it, but sadly everything just kept working.
This is really unfair! It denies me my constitutional rights on having a
good rant! :-P [> Marcus Meissner & Stefan Seyfried in opensuse-factory]
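
A stand-alone check for the duplicate rules discussed above, as an added example that is not part of the original mail and is not logprof's code: it expands `@{PROC}` in the abstraction before comparing, so `/proc/meminfo r,` is recognised as covered, and it can also compare literally to show what a check without expansion would miss. The abstraction excerpt, the profile body, the `/etc/nscd.conf` rule and the value `/proc/` for `@{PROC}` are constructed assumptions; whether logprof actually compared this way is not established in the thread.

```python
import re

# Constructed sample data (assumptions, not copied from a real system).
TUNABLES = {"PROC": "/proc/"}  # assumed value of @{PROC}
ABSTRACTION_BASE = """
  @{PROC}/filesystems r,
  @{PROC}/meminfo r,
  /dev/null rw,
"""
PROFILE = """
  #include <abstractions/base>
  capability sys_ptrace,
  /proc/filesystems r,
  /proc/meminfo r,
  /etc/nscd.conf r,
"""

# Only plain "path perms," file rules are handled: no globs, no exec modes.
RULE = re.compile(r"^\s*([/@]\S*)\s+([rwaxmlk]+),\s*$")


def expand(path, variables):
    """Replace @{VAR} references, then collapse repeated slashes."""
    replaced = re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], path)
    return re.sub(r"/{2,}", "/", replaced)


def file_rules(text, variables, expand_vars=True):
    """Return {path: set of permission letters} for the file rules in text."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # includes, capabilities, blank lines
        path = expand(m.group(1), variables) if expand_vars else m.group(1)
        rules.setdefault(path, set()).update(m.group(2))
    return rules


def redundant_rules(profile, abstraction, variables, expand_vars=True):
    """Profile paths whose permissions the abstraction already grants."""
    have = file_rules(abstraction, variables, expand_vars)
    mine = file_rules(profile, variables, expand_vars)
    return sorted(p for p, perms in mine.items() if perms <= have.get(p, set()))


if __name__ == "__main__":
    print("with expansion:   ", redundant_rules(PROFILE, ABSTRACTION_BASE, TUNABLES))
    print("literal comparison:", redundant_rules(PROFILE, ABSTRACTION_BASE, TUNABLES, False))
```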



