[apparmor] [patch] Update the /sbin/dhclient profile

Steve Beattie steve at nxnw.org
Tue Sep 8 20:56:59 UTC 2015 

On Sun, Sep 06, 2015 at 01:32:06PM +0200, Christian Boltz wrote:
> Hello,
> 
> Am Samstag, 15. August 2015 schrieb Christian Boltz:
> > this patch adds some permissions that I need on my system:
> > - execute nm-dhcp-helper
> > - read and write /var/lib/dhcp6/dhclient.leases
> > - read /var/lib/NetworkManager/dhclient-*.conf
> > - read and write /var/lib/NetworkManager/dhclient-*.conf
> > 
> > I propose this patch for trunk and 2.9.
> > 
> > According to the apparmor-profiles repo, Ubuntu ships a (different?)
> > profile for dhclient and Debian thinks about including it:
> >     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795467
> > so we should merge it and move it from extras to the default profiles
> > (but that's something for another patch ;-)
> 
> Any comments or reviews?
> 
> If nobody objects, I'll commit to trunk and 2.9 as Acked-by <timeout> on 
> tuesday.

Looking at what we have in the Ubuntu profile, these
changes are all fine, though the profile Ubuntu ships has
/usr/lib/NetworkManager/nm-dhcp-helper broken out into a separate
profile (Px transition rather than ix).

> > [ update-dhclient-profile.diff ]
> > 
> > === modified file 'profiles/apparmor/profiles/extras/sbin.dhclient'
> > --- profiles/apparmor/profiles/extras/sbin.dhclient     2013-01-02
> > 23:34:38 +0000 
> > +++ profiles/apparmor/profiles/extras/sbin.dhclient     2015-08-15 
> > 11:36:26 +0000 
> >  @@ -1,6 +1,7 @@
> >  # ------------------------------------------------------------------
> >  #
> >  #    Copyright (C) 2002-2005 Novell/SUSE
> > +#    Copyright (C) 2015 Christian Boltz
> >  #
> >  #    This program is free software; you can redistribute it and/or
> >  #    modify it under the terms of version 2 of the GNU General Public
> > @@ -25,6 +26,8 @@
> >    #include <abstractions/bash>
> >    #include <abstractions/nameservice>
> > 
> > +  capability net_raw,
> > +
> >    network packet packet,
> >    network packet raw,
> > 
> > @@ -47,13 +50,17 @@
> >    /usr/bin/uptime             mrix,
> >    /usr/bin/vmstat             mrix,
> >    /usr/bin/w                  mrix,
> > +  /usr/lib/nm-dhcp-helper     rix,
> >    /var/lib/dhcp/dhclient.leases     rw,
> >    /var/lib/dhcp/dhclient-*.leases   rw,
> > +  /var/lib/dhcp6/dhclient.leases    rw,
> > +  /var/lib/NetworkManager/dhclient-*.conf  r,
> > +  /var/lib/NetworkManager/dhclient-*.lease rw,
> >    /var/log/lastlog            r,
> >    /var/log/messages           r,
> >    /var/log/wtmp               r,
> > -  /{,var/}run/dhclient.pid       rw,
> > -  /{,var/}run/dhclient-*.pid     rw,
> > +  /{,var/}run/dhclient.pid    rw,
> > +  /{,var/}run/dhclient-*.pid  rw,
> >    /var/spool                  r,
> >    /var/spool/mail             r,
> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> Immerwieder der gleiche Anfaengerfehler:
> /dev/null ist fuer Backup,
> /dev/zero ist fuer Restore.
> [J. P. Meier]
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150908/3259d880/attachment.pgp>

More information about the AppArmor mailing list