[apparmor] [patch] update paths in nscd profile to allow /run/nscd

Christian Boltz apparmor at cboltz.de
Mon Nov 17 19:36:33 UTC 2014


Hello,

On Monday, 17 November 2014, Seth Arnold wrote:
> On Sun, Nov 16, 2014 at 03:05:31PM +0100, Christian Boltz wrote:
> > Notes and questions:
> > There are some differences to abstractions/nameservice:
> > - abstractions/nameservice allows "host" instead of "hosts". Is this
> >   really correct/intentional or is it a bug in the abstraction?
> 
> Looks like a bug: http://codesearch.debian.net/search?q=nscd%2Fhost

I tracked this down to 

revno: 1293
committer: Jamie Strandboge <jamie at canonical.com>
branch nick: master
timestamp: Wed 2009-11-04 14:25:42 -0600
message:
  pull in Ubuntu updates to profiles/apparmor.d

with quite some changes to abstractions/nameservice - one of them was
-  /var/db/nscd/{passwd,group,services,hosts} r,
+  /var/{db,cache,run}/nscd/{passwd,group,services,host}    r,

I'm slightly surprised that we managed to keep this bug for 3 years
without any complaints or bug reports ;-)

Nevertheless, I propose the following patch (for trunk and 2.8).
Note that this will remove permissions for the ..../nscd/host file, but it's
extremely unlikely that such a file exists.

=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice        2014-09-03 19:21:31 +0000
+++ profiles/apparmor.d/abstractions/nameservice        2014-11-17 19:28:15 +0000
@@ -47,7 +47,7 @@
   # to vast speed increases when working with network-based lookups.
   /{,var/}run/.nscd_socket   rw,
   /{,var/}run/nscd/socket    rw,
-  /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host}    r,
+  /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,hosts}    r,
   # nscd renames and unlinks files in it's operation that clients will
   # have open
   /{,var/}run/nscd/db*  rmix,
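
Review bot: the `+` rule line drops the `host` alternative without leaving any trace in the file, so the reason for the exact spelling of the brace list is only recoverable from the mail. Since removing read access to an nscd/host file is a deliberate permission reduction, record it in the commit message or changelog, or add a one-line comment above the rule naming the four cache files (passwd, group, services, hosts). While this area is being touched, the context comment just below the changed line reads "in it's operation" and should be "in its operation".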


Regards,

Christian Boltz
-- 
Well, I started with win3.11 (I was 2 years old back then) and
then lived through every Windows version up to xp. That was finally too much.
After that it was over. Now only SuSE Linux.
[Soeren Wengerowsky in suse-linux]



