[apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined
Steve Beattie
steve at nxnw.org
Thu Jun 19 00:44:03 UTC 2014
Allow apache hats to receive signals from unconfined.
[I'm on the fence about this. On the one hand, unconfined should be able
to kill things in hats. On the other, using apache2ctl/apachectl is
preferred to shut down apache, and it uses the apache binary itself (and
the profile it runs under) to kill its children.]
---
profiles/apparmor.d/abstractions/apache2-common | 2 ++
1 file changed, 2 insertions(+)
Index: b/profiles/apparmor.d/abstractions/apache2-common
===================================================================
--- a/profiles/apparmor.d/abstractions/apache2-common
+++ b/profiles/apparmor.d/abstractions/apache2-common
@@ -4,6 +4,8 @@
#include <abstractions/nameservice>
+ # Allow unconfined processes to send us signals by default
+ signal (receive) peer=unconfined,
# Allow apache to send us signals by default
signal (receive) peer=/usr/sbin/apache2,
# Allow us to signal ourselves
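Review bot: The added rule `signal (receive) peer=unconfined,` has no `set=` restriction, so every hat that includes this abstraction will accept any signal from an unconfined process, which is wider than the stated goal of letting unconfined kill things in hats. If termination is all that is needed, consider narrowing it, for example `signal (receive) set=(term, kill) peer=unconfined,`. It would also help to extend the comment to say why unconfined is trusted here, since the commit message notes that apache2ctl/apachectl is the preferred shutdown path and that path is already covered by the existing `peer=/usr/sbin/apache2` rule.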