[apparmor] dhclient profile

"Артём Н." artiom14 at yandex.ru
Wed Jan 1 07:08:41 UTC 2014 

UPD.
-------------- next part --------------
# Last Modified: Tue Dec 31 22:34:57 2013
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Note that this profile doesn't include any NetDomain rules; dhclient uses
# raw sockets, and thus cannot be confined with NetDomain
#
# Should these programs have their own domains?
# /bin/ps                     mrix,
# /sbin/arp                   mrix,
# /usr/bin/dig                mrix,
# /usr/bin/uptime             mrix,
# /usr/bin/vmstat             mrix,
# /usr/bin/w                  mrix,

#include <tunables/global>

/sbin/dhclient {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>


  capability dac_override,
  capability net_raw,

  network packet dgram,
  network packet packet,
  network packet raw,


  /bin/* mrix,
  /dev/random r,
  /etc/dhclient.conf r,
  /etc/resolv.conf*  rw,
  /etc/dhcp*/** mrk,
  /etc/samba*/** mrwk,
  /etc/sysconfig/network/dhcp r,
  /etc/sysconfig/network/scripts/functions r,
  /etc/sysconfig/network/scripts/functions.common r,
  /sbin/arp mrix,
  /sbin/dhclient mrix,
  /sbin/dhclient-script mrpix,
  /sbin/ip mrix,
  /usr/bin/dig mrix,
  /usr/bin/uptime mrix,
  /usr/bin/vmstat mrix,
  /usr/bin/w mrix,
  /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
  /usr/sbin/invoke-rc.d rcx -> invoke_rc_d,
  /var/lib/dhcp/* rw,
  /var/lib/dhcp/dhclient-*.leases rw,
  /var/lib/dhcp/dhclient.leases rw,
  /var/log/lastlog r,
  /var/log/messages r,
  /var/log/wtmp r,
  /var/spool r,
  /var/spool/mail r,
  # May be dhclient6-...
  /{,var/}run/dhclient*.pid rwk,
  /{,var/}run/nm-dhclient-*.conf rk,
  @{PROC}/ r,
  owner @{PROC}/*/net/dev r,
  owner @{PROC}/[0-9]*/** r,
  @{PROC}/interrupts r,
  @{PROC}/rtc r,
  @{PROC}/self/status r,

  # Samba?
  /etc/default/samba r,

  profile invoke_rc_d {
    #include <abstractions/base>
    #include <abstractions/bash>

    /usr/sbin/invoke-rc.d r,
    /etc/init.d/          r,
    /etc/init.d/*         rUx,
    /etc/rc*.d**          r,
    /etc/rc*.d/*          rUx,
    /{,usr/}bin/basename  mrix,
    /bin/echo             mrix,
    /bin/which            mrix,
    /bin/sed              mrix,
    /sbin/runlevel        mrix,
    /usr/bin/xargs        mrix,
    /{,var/}run/utmp      rwk,
  }
}

More information about the AppArmor mailing list