[apparmor] [Patch] cleanup usr.sbin.ntpd profile
Christian Boltz
apparmor at cboltz.de
Mon Sep 30 15:47:53 UTC 2013
Hello,
this patch removes some rules from the ntpd profile that are already
covered by abstractions:
- the network rules are in abstractions/nameservice
- /etc/gai.conf is also in abstractions/nameservice
- @{PROC}/sys/kernel/ngroups_max is in abstractions/base
I found those superfluous rules with aa-cleanup :-) but merged the
changes manually to keep comments and rule sorting.
@Kshitij: it would be nice if aa-cleanup would have an option to only
delete superfluous rules _without_ removing comments and sorting the
remaining rules ;-)
=== modified file 'profiles/apparmor.d/usr.sbin.ntpd'
--- profiles/apparmor.d/usr.sbin.ntpd 2013-09-16 22:23:32 +0000
+++ profiles/apparmor.d/usr.sbin.ntpd 2013-09-30 15:36:51 +0000
@@ -27,10 +27,6 @@
capability sys_time,
capability sys_nice,
- network inet dgram,
- network inet stream,
- network inet6 stream,
-
/drift/ntp.drift rwl,
/drift/ntp.drift.TEMP rwl,
/etc/ntp.conf r,
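Review bot: the include that justifies dropping the three `network` rules is not inside this hunk's context, so confirm that `#include <abstractions/nameservice>` is actually present in this profile before committing; otherwise ntpd loses its inet dgram/stream and inet6 stream access with this change. Because all of ntpd's socket permissions will now come from the abstraction, a one-line comment at this spot, e.g. `# network rules come from abstractions/nameservice`, would tell the next maintainer why the profile has no explicit network rules and save a second aa-cleanup round-trip.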
@@ -39,7 +35,6 @@
/etc/ntp/step-tickers r,
/etc/ntpd.conf r,
/etc/ntpd.conf.tmp r,
- /etc/gai.conf r,
/tmp/ntp* rwl,
/usr/sbin/ntpd rmix,
@@ -60,7 +55,6 @@
/{,var/}run/ntpd.pid w,
/var/tmp/ntp* rwl,
@{PROC}/@{pid}/net/if_inet6 r,
- @{PROC}/sys/kernel/ngroups_max r,
# allow access for when chrooted
/var/lib/ntp/@{PROC}/@{pid}/net/if_inet6 r,
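Review bot: dropping `@{PROC}/sys/kernel/ngroups_max r,` in favour of abstractions/base only covers the non-chrooted path, while the `# allow access for when chrooted` rule that follows shows this profile also supports ntpd running chrooted under /var/lib/ntp. The behaviour is unchanged by this hunk, since the removed rule was not a chroot path either, but if ngroups_max is ever needed inside the chroot it has to be added explicitly with the `/var/lib/ntp/` prefix, the way the if_inet6 rule does it, as no abstraction will supply it.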
Regards,
Christian Boltz
--
[GUI vs. Command-Line] A similar dispute will happen again in 20 years,
when the "2D screen fanatics" go after the "VR fans" and yet another
quarrel breaks out that is hard to beat in pointlessness.
[Phillip Richdale in suse-linux]