[apparmor] [patch] smbd profile + smbldap-useradd
Christian Boltz
apparmor at cboltz.de
Wed Jan 4 19:54:26 UTC 2012
Hello,
On Wednesday, 4 January 2012, Kees Cook wrote:
> On Wed, Jan 04, 2012 at 07:43:35PM +0100, Christian Boltz wrote:
> > + profile /etc/init.d/nscd {
> > + #include <abstractions/base>
> > + #include <abstractions/nameservice>
> > +
> > + capability sys_ptrace,
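Review bot: `capability sys_ptrace,` in the `/etc/init.d/nscd` profile is granted without a comment saying which operation of the init script needs it. Add a comment above the rule recording the audit.log denial that led to it, or drop the rule and confirm the script still works, so the capability is not carried along unexamined.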
>
> I wonder why sys_ptrace keeps showing up in some of these profiles. Is
> this really needed?
Good question, I only know what the audit.log says ;-)
> > + /proc/filesystems r,
> > + /proc/meminfo r,
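Review bot: `/proc/filesystems r,` and `/proc/meminfo r,` hard-code `/proc` although the profile already includes `abstractions/base`. If either rule has to stay, write it with `@{PROC}` so it has the same form as the abstraction's rules and is easy to recognise as a duplicate.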
>
> These are already in "base".
Good catch, I removed them from my pending patch.

OTOH, this brings up an interesting question - why did logprof add them
to the profile? I probably first allowed them before adding
abstractions/base, but logprof should have removed them again when I
told it to use abstractions/base.

The only explanation I can imagine is that abstractions/base uses
@{PROC} instead of /proc - could that be the reason?

If you want to test yourself, the audit.log is attached to
https://bugzilla.novell.com/show_bug.cgi?id=738041

Regards,

Christian Boltz
--
>Firefox 5 was pushed to 11.4 updates yesterday... Did anyone notice? :)
I saw and installed it, but sadly everything just kept working.
This is really unfair! It denies me my constitutional rights on having a
good rant! :-P [> Marcus Meissner & Stefan Seyfried in opensuse-factory]
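
The duplicate-rule question raised in this message, as an added example that is not part of the original mail and is not logprof's code: a check for profile file rules that an included abstraction already grants, run once with `@{PROC}` expanded and once comparing the raw strings. The abstraction and profile text are constructed samples, the `@{PROC}` value is an assumption, and only exact paths are compared (no glob matching).

```python
import re

# Assumed variable definition (what a tunables file would supply).
VARIABLES = {"PROC": ["/proc/"]}

# Constructed stand-in for an included abstraction, not the real file.
ABSTRACTION = """
@{PROC}/filesystems r,
@{PROC}/meminfo r,
/dev/null rw,
"""

# Constructed profile body using literal /proc paths, as in the quoted patch.
PROFILE = """
capability sys_ptrace,
/proc/filesystems r,
/proc/meminfo r,
/etc/nscd.conf r,
"""

FILE_RULE = re.compile(r"^\s*([/@]\S*)\s+([rwxamlk]+),\s*$")
VAR_REF = re.compile(r"@\{(\w+)\}")

def expand(path, variables):
    """Return every literal path obtained by substituting @{VAR} values."""
    ref = VAR_REF.search(path)
    if ref is None:
        return [re.sub(r"/{2,}", "/", path)]  # "/proc//x" -> "/proc/x"
    literal = []
    for value in variables[ref.group(1)]:
        literal += expand(path[:ref.start()] + value + path[ref.end():], variables)
    return literal

def file_rules(text, variables=None):
    """Map path -> permission set; variables=None leaves @{VAR} unexpanded."""
    rules = {}
    for line in text.splitlines():
        rule = FILE_RULE.match(line)
        if rule:
            paths = expand(rule.group(1), variables) if variables else [rule.group(1)]
            for path in paths:
                rules.setdefault(path, set()).update(rule.group(2))
    return rules

def redundant(profile, abstraction, variables, expand_vars=True):
    """Profile paths whose permissions the abstraction already grants."""
    granted = file_rules(abstraction, variables if expand_vars else None)
    own = file_rules(profile, variables)
    return sorted(p for p, perms in own.items() if perms <= granted.get(p, set()))
```

With expansion the two `/proc` rules are reported as redundant; with `expand_vars=False` nothing is, because `@{PROC}/meminfo` and `/proc/meminfo` never compare equal as strings.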