[apparmor] [patch] update paths in nscd profile to allow /run/nscd

Seth Arnold seth.arnold at canonical.com
Mon Nov 17 19:41:43 UTC 2014


On Mon, Nov 17, 2014 at 08:36:33PM +0100, Christian Boltz wrote:
> Hello,
> 
> On Monday, 17 November 2014, Seth Arnold wrote:
> > On Sun, Nov 16, 2014 at 03:05:31PM +0100, Christian Boltz wrote:
> > > Notes and questions:
> > > There are some differences to abstractions/nameservice:
> > > - abstractions/nameservice allows "host" instead of "hosts". Is this
> > >   really correct/intentional or is it a bug in the abstraction?
> > 
> > Looks like a bug: http://codesearch.debian.net/search?q=nscd%2Fhost
> 
> I tracked this down to 
> 
> revno: 1293
> committer: Jamie Strandboge <jamie at canonical.com>
> branch nick: master
> timestamp: Wed 2009-11-04 14:25:42 -0600
> message:
>   pull in Ubuntu updates to profiles/apparmor.d
> 
> with quite some changes to abstractions/nameservice - one of them was
> -  /var/db/nscd/{passwd,group,services,hosts} r,
> +  /var/{db,cache,run}/nscd/{passwd,group,services,host}    r,
> 
> I'm slightly surprised that we managed to keep this bug for 3 years
> without any complaints or bug reports ;-)

nscd is not as popular as it once was; I'm not sure there'd be much point
in caching /etc/hosts anyhow.

> Nevertheless, I propose the following patch (for trunk and 2.8).
> Note that this will remove permissions for ..../nscd/host file, but it's 
> extremely unlikely that such a file exists.

Acked-by: Seth Arnold <seth.arnold at canonical.com>

for both trunk and 2.8.

Thanks

> === modified file 'profiles/apparmor.d/abstractions/nameservice'
> --- profiles/apparmor.d/abstractions/nameservice        2014-09-03 19:21:31 +0000
> +++ profiles/apparmor.d/abstractions/nameservice        2014-11-17 19:28:15 +0000
> @@ -47,7 +47,7 @@
>    # to vast speed increases when working with network-based lookups.
>    /{,var/}run/.nscd_socket   rw,
>    /{,var/}run/nscd/socket    rw,
> -  /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host}    r,
> +  /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,hosts}    r,
>    # nscd renames and unlinks files in it's operation that clients will
>    # have open
>    /{,var/}run/nscd/db*  rmix,
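
Review bot: On the `+` line the brace list swaps `host` for `hosts` outright, so the rule stops matching `nscd/host` and nothing in the profile itself records that; the cover note says so, and the same sentence belongs in the commit message so the dropped permission is documented for both trunk and 2.8. While this block is being touched, the comment in the trailing context could also have `it's` corrected to `its`.
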
> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> Well, I started with Win3.11 (I was 2 years old at the time) and then
> went through all the Windows versions up to XP. That was finally too much.
> After that I was done. Now only SuSE Linux.
> [Soeren Wengerowsky in suse-linux]
> 
> 