[apparmor] [patch] adjust unbound profile for openSUSE

Seth Arnold seth.arnold at canonical.com
Mon Feb 1 20:02:55 UTC 2016


On Sun, Jan 31, 2016 at 05:56:54PM +0100, Christian Boltz wrote:
> Hello,
> 
> I just replaced my self-made unbound profile with the latest Ubuntu 
> profile.
> 
> It needs exactly one change [1] to work on openSUSE, and that's the pid 
> file location. Additionally, I prefer to use abstractions/openssl instead 
> of /etc/ssl/openssl.cnf.
> 
> As a sidenote - the capabilities fowner, fsetid and sys_chroot are not 
> needed on openSUSE.  sys_chroot obviously depends on the config. I wonder 
> about the difference for fowner and fsetid (they were added by Simon's 
> patch, so I assume they are needed on Ubuntu ;-) - are those also 
> depending on the config, or is there some other difference?

Acked-by: Seth Arnold <seth.arnold at canonical.com>

When newer versions of unbound are synced through Debian and Ubuntu we'll
be able to update the profile again; the full details of the iteration are
at:
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230

Thanks

> 
> === modified file 'ubuntu/16.04/usr.sbin.unbound'
> --- ubuntu/16.04/usr.sbin.unbound       2016-01-12 21:30:36 +0000
> +++ ubuntu/16.04/usr.sbin.unbound       2016-01-31 16:45:45 +0000
> @@ -5,6 +5,7 @@
>  /usr/sbin/unbound {
>    #include <abstractions/base>
>    #include <abstractions/nameservice>
> +  #include <abstractions/openssl>
>  
>    # needlessly chown'ing the PID, for details see:
>    # https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
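Review bot: the added `#include <abstractions/openssl>` grants a wider read set than the single `/etc/ssl/openssl.cnf r,` rule it replaces (removed in the second hunk), since the abstraction also covers the system certificate store paths; that is fine if unbound needs CA material from the system store, but the commit message should state that the profile now allows more than before rather than only a preference for the abstraction.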
> @@ -37,11 +39,9 @@
>    audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw,
>    audit deny /var/lib/unbound/**/unbound_server.key w,
>  
> -  /etc/ssl/openssl.cnf r,
> -
>    /usr/sbin/unbound mr,
>  
> -  /{,var/}run/unbound.pid rw,
> +  /{,var/}run/{unbound/,}unbound.pid rw,
>  
>    # Unix control socket
>    /{,var/}run/unbound.ctl rw,
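Review bot: the new `/{,var/}run/{unbound/,}unbound.pid rw,` alternation admits the pid file either directly under run or in a run/unbound/ subdirectory, but the unchanged `/{,var/}run/unbound.ctl rw,` control-socket rule just below keeps only the flat path; if openSUSE moves the pid file into /run/unbound/, check whether the control socket lives there too and, if so, give that rule the same `{unbound/,}` alternation, otherwise note in the commit message why only the pid file location differs.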
> 
> 
> Regards,
> 
> Christian Boltz
> 
> [1] well, the two "deny capability" rules also cause failures, but 
>     that's a known issue and will fix itself when openSUSE gets the next 
>     unbound release