[apparmor] [patch] winbindd profile update
Christian Boltz
apparmor at cboltz.de
Mon Apr 21 20:09:58 UTC 2014
Hello,
On Monday, 21 April 2014, Steve Beattie wrote:
> On Fri, Apr 18, 2014 at 04:17:41PM +0200, Christian Boltz wrote:
> > this patch updates the usr.sbin.winbindd profile
> > - allow rw access to /var/cache/krb5rcache/
> > - treat passdb.tdb.tmp as passdb.tdb
> >
> > Patch from Lars Müller <lmuelle at suse.com>
> >
> > References: https://bugzilla.novell.com/show_bug.cgi?id=870607
>
> Acked-by: Steve Beattie <steve at nxnw.org>
> Though one wonders if
>
> > + /var/cache/krb5rcache/* rw,
>
> should be in a 'krb5-services' abstraction or somesuch, for other
> kerberized services?
Have a look at https://bugzilla.novell.com/show_bug.cgi?id=870607 -
starting at comment #6.
TL;DR summary: the default seems to be /var/tmp/* - and Lars changed it
to the more restricted /var/cache/krb5rcache/ (via an env var) after I
complained that /var/tmp/* makes the profile insecure.
[You might want to pass that hint to the Ubuntu samba maintainer ;-) ]
So: no, it doesn't make sense to move this into an abstraction IMHO
(at least until all kerberized services agree on using a directory that
is not /var/tmp/ ;-)
Regards,
Christian Boltz
--
I hate cables, because they have two ends and usually at each
end sits someone else who is to blame. [Thomas Arend in suse-linux]
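
An added example, not part of the original message or of the AppArmor project's code: a small check that flags profile file rules granting write access through a glob directly inside a world-writable directory, the /var/tmp/* pattern objected to above. The two sample profiles are constructed, the directory list is an assumption, and only path-first file rules are parsed.

```python
import re

# Directories any local user can create files in (assumed typical Linux layout).
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Path-first file rule: optional qualifiers, absolute path, permissions, comma.
# "deny" rules do not match and are therefore ignored.
RULE = re.compile(r"^\s*(?:(?:audit|allow|owner)\s+)*(/\S*)\s+([A-Za-z]+)\s*,")

def expand_braces(path):
    """Expand {a,b} alternations: /{,var/}tmp/* -> /tmp/*, /var/tmp/*."""
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return [path]
    expanded = []
    for alt in m.group(1).split(","):
        expanded += expand_braces(path[:m.start()] + alt + path[m.end():])
    return expanded

def glob_in_shared_dir(path):
    """True if the first component below a world-writable dir is a glob."""
    for base in WORLD_WRITABLE:
        if path.startswith(base):
            first = path[len(base):].split("/", 1)[0]
            return any(c in first for c in "*?[")
    return False

def risky_rules(profile_text):
    """Return (line number, path, perms) for write rules on shared-dir globs."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line.split("#", 1)[0])  # drop comments and #include
        if not m or not set(m.group(2)) & {"w", "a"}:
            continue
        if any(glob_in_shared_dir(p) for p in expand_braces(m.group(1))):
            findings.append((lineno, m.group(1), m.group(2)))
    return findings

# Constructed sample profiles: the rejected rule and the one from the patch.
BEFORE = "/usr/sbin/winbindd {\n  /var/tmp/* rw,\n}\n"
AFTER = "/usr/sbin/winbindd {\n  /var/cache/krb5rcache/* rw,\n}\n"

if __name__ == "__main__":
    print(risky_rules(BEFORE))
    print(risky_rules(AFTER))
```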