[apparmor] [patch] adjust unbound profile for openSUSE
Christian Boltz
apparmor at cboltz.de
Sun Jan 31 16:56:54 UTC 2016
Hello,
I just replaced my self-made unbound profile with the latest Ubuntu
profile.
It needs exactly one change [1] to work on openSUSE, and that's the pid
file location. Additionally, I prefer to use abstractions/openssl instead
of /etc/ssl/openssl.cnf.
As a sidenote - the capabilities fowner, fsetid and sys_chroot are not
needed on openSUSE. sys_chroot obviously depends on the config. I wonder
about the difference for fowner and fsetid (they were added by Simon's
patch, so I assume they are needed on Ubuntu ;-) - are those also
depending on the config, or is there some other difference?
=== modified file 'ubuntu/16.04/usr.sbin.unbound'
--- ubuntu/16.04/usr.sbin.unbound 2016-01-12 21:30:36 +0000
+++ ubuntu/16.04/usr.sbin.unbound 2016-01-31 16:45:45 +0000
@@ -5,6 +5,7 @@
/usr/sbin/unbound {
#include <abstractions/base>
#include <abstractions/nameservice>
+ #include <abstractions/openssl>
# needlessly chown'ing the PID, for details see:
# https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
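Review bot: the added `#include <abstractions/openssl>` grants more than the single `/etc/ssl/openssl.cnf r,` it replaces (the second hunk drops that line), since the abstraction covers the OpenSSL configuration and certificate locations as a whole rather than one file; the commit message should say that the wider grant is intended, and it is worth confirming against the abstraction's current contents that `openssl.cnf` is actually included before the explicit rule goes away.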
@@ -37,11 +39,9 @@
audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw,
audit deny /var/lib/unbound/**/unbound_server.key w,
- /etc/ssl/openssl.cnf r,
-
/usr/sbin/unbound mr,
- /{,var/}run/unbound.pid rw,
+ /{,var/}run/{unbound/,}unbound.pid rw,
# Unix control socket
/{,var/}run/unbound.ctl rw,
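Review bot: the pid-file rule is extended with `{unbound/,}` but the control socket rule two lines below it, `/{,var/}run/unbound.ctl rw,`, is not; if the openSUSE build keeps its pidfile under `/run/unbound/`, check whether `unbound.ctl` is configured under that same directory and, if so, give it the same `/{,var/}run/{unbound/,}unbound.ctl rw,` treatment so the control socket does not fail where the pidfile now succeeds.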
Regards,
Christian Boltz
[1] well, the two "deny capability" rules also cause failures, but
that's a known issue and will fix itself when openSUSE gets the next
unbound release
--
Inactive upstream is often just a sign of well engineered software,
which works for many years without continuous bugfixing and which is
feature complete. Something the CADT crowd of today probably just
cannot imagine anymore. [Stefan Seyfried in opensuse-factory]
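The one rule the patch changes is the pid-file path, written with two AppArmor `{a,b}` alternations. As an added example (not part of the mail, and not the AppArmor project's own matcher), the script below expands such alternations into the concrete paths a rule admits, so a reviewer can see exactly which files the old rule `/{,var/}run/unbound.pid` and the new rule `/{,var/}run/{unbound/,}unbound.pid` cover. It handles only brace alternation, not the `*`, `**` or `?` globs, and the distribution paths it checks are the ones from the patch.

```python
import re

# Innermost {a,b,...} group; nested groups are handled by recursion.
ALTERNATION = re.compile(r"\{([^{}]*)\}")

OLD_PID_RULE = "/{,var/}run/unbound.pid"
NEW_PID_RULE = "/{,var/}run/{unbound/,}unbound.pid"


def expand_alternation(rule_path):
    """Expand AppArmor brace alternations into the list of literal paths.

    An empty alternative (as in {,var/}) is allowed, matching AppArmor's
    own semantics. Glob characters (* ** ?) are left untouched.
    """
    m = ALTERNATION.search(rule_path)
    if not m:
        return [rule_path]
    head, tail = rule_path[:m.start()], rule_path[m.end():]
    expanded = []
    for alternative in m.group(1).split(","):
        expanded.extend(expand_alternation(head + alternative + tail))
    return expanded


def rule_covers(rule_path, concrete_path):
    """True if the literal path is one of the rule's expansions."""
    return concrete_path in expand_alternation(rule_path)


def uncovered_paths(rule_path, wanted):
    """Paths from 'wanted' that the rule does not admit (useful when
    checking a profile against the pidfile locations a distro uses)."""
    return [p for p in wanted if not rule_covers(rule_path, p)]


if __name__ == "__main__":
    # Constructed candidate locations: the two from the patch plus the
    # openSUSE subdirectory variant it was written to admit.
    candidates = [
        "/run/unbound.pid",
        "/var/run/unbound.pid",
        "/run/unbound/unbound.pid",
    ]
    for rule in (OLD_PID_RULE, NEW_PID_RULE):
        print(rule, "->", expand_alternation(rule))
        print("  not covered:", uncovered_paths(rule, candidates))
```

Running it shows the old rule leaving `/run/unbound/unbound.pid` uncovered while the new rule admits all four `/run` and `/var/run` variants, which is the whole of the behavioural change in that hunk.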