[apparmor] dhclient profile

"Артём Н." artiom14 at yandex.ru
Wed Jan 1 06:46:10 UTC 2014


My dhclient profile didn't work on Debian 7.
Updated profile is attached.
# Last Modified: Tue Dec 31 22:34:57 2013
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Note: the original SUSE profile carried no network rules at all ("NetDomain"
# mediation could not express the raw packet sockets dhclient uses). This
# revision adds explicit 'network packet' rules below; they are what confines
# dhclient's raw-socket use, so the old "cannot be confined" caveat no longer
# applies as written.
#
# Should these programs have their own domains?
# /bin/ps                     mrix,
# /sbin/arp                   mrix,
# /usr/bin/dig                mrix,
# /usr/bin/uptime             mrix,
# /usr/bin/vmstat             mrix,
# /usr/bin/w                  mrix,

#include <tunables/global>

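/sbin/dhclient {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # dhclient runs as root and needs raw sockets for DHCP. dac_override is kept
  # because the previous revision required it, but be aware that every helper
  # executed with 'ix' below inherits it along with the rest of this profile.
  capability dac_override,
  capability net_raw,

  network packet dgram,
  network packet packet,
  network packet raw,

  # NOTE(review): any program in /bin runs with this profile's permissions
  # (including dac_override). Narrow this to the tools dhclient-script and the
  # hooks on this host actually call once they are known (e.g. via aa-logprof).
  /bin/* mrix,
  /dev/random r,

  # Configuration and the hook scripts under /etc/dhcp*/ are only read (the
  # hooks are sourced by dhclient-script, not executed), so they never need to
  # be mapped executable: the 'm' bit was dropped from both config globs.
  /etc/dhclient.conf r,
  /etc/dhcp*/** rk,
  # Write access here exists because a dhclient hook rewrites a samba config
  # fragment. NOTE(review): consider narrowing this glob to the single file
  # that hook writes instead of everything under /etc/samba*/.
  /etc/samba*/** rwk,
  /etc/sysconfig/network/dhcp r,
  /etc/sysconfig/network/scripts/functions r,
  /etc/sysconfig/network/scripts/functions.common r,

  # Helpers run by dhclient / dhclient-script; all inherit this profile ('ix').
  /sbin/arp mrix,
  /sbin/dhclient mrix,
  # 'p' transitions into a dedicated dhclient-script profile when one is
  # loaded and falls back to inheriting this profile otherwise.
  /sbin/dhclient-script mrpix,
  /sbin/ip mrix,
  /usr/bin/dig mrix,
  /usr/bin/uptime mrix,
  /usr/bin/vmstat mrix,
  /usr/bin/w mrix,
  /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
  /usr/sbin/invoke-rc.d rix,

  # Lease databases. One glob replaces the former '/var/lib/dhcp/* rw' and the
  # two overlapping lease rules it subsumed: it matches dhclient.leases,
  # dhclient.<iface>.leases, dhclient6.<iface>.leases and
  # dhclient-<iface>.leases without exposing every other file in /var/lib/dhcp.
  /var/lib/dhcp/dhclient*.leases rw,

  # Read-only access carried over from the SUSE profile; presumably for the
  # w/uptime/vmstat helpers above, otherwise its purpose is not evident here.
  /var/log/lastlog r,
  /var/log/messages r,
  /var/log/wtmp r,
  /var/spool r,
  /var/spool/mail r,

  # PID file; the glob also covers dhclient6-<iface>.pid.
  /{,var/}run/dhclient*.pid rw,
  /{,var/}run/nm-dhclient-*.conf r,

  @{PROC}/ r,
  owner @{PROC}/*/net/dev r,
  # NOTE(review): dhclient runs as root, so 'owner' matches every root-owned
  # process and this grants read access to most of /proc/<pid>/. It is needed
  # by the ps/w/vmstat helpers; narrow it if those are removed.
  owner @{PROC}/[0-9]*/** r,
  @{PROC}/interrupts r,
  @{PROC}/rtc r,
  @{PROC}/self/status r,

  # For invoke-rc.d. NOTE(review): 'ix' on /etc/init.d/* lets any init script
  # run with this profile's capabilities; restrict it to the services the
  # hooks actually restart once they are known.
  /etc/init.d/*      rix,
  # Already covered by '/bin/*' above; kept explicit so it survives a later
  # narrowing of that rule.
  /bin/basename      mrix,
  /usr/bin/basename  mrix,
  /sbin/runlevel     mrix,
}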

