[apparmor] unbound profile / chown

Simon Deziel simon.deziel at gmail.com
Sun May 29 19:21:54 UTC 2016


Hi Christian,

On 2016-05-29 11:34 AM, Christian Boltz wrote:
> I just updated my system to the latest unbound profile from 
> lp:apparmor-profiles/ubuntu/16.10.
> 
> unbound works without problems, but I get chown denials logged.
> 
> I'm using unbound 1.5.8, which already includes the patches from
> https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
> (at least the changelog says so ;-)

The behavior with 1.5.8 is to attempt chown'ing only if the PID is in
the chroot or if no chroot is used. I must have _wrongly_ assumed that
chroot was the default in Debian/Ubuntu so I removed the deny rule.

> Do we need to explicitly "deny capability chown," in the profile?

Since the original issue remains, I think it should be re-added [1].

In the meantime, you might want to try the chroot feature :)

  chroot: "/var/lib/unbound"


Thank you,
Simon

1:
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-chown/+merge/296005
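
Added example, not part of the original message: a small Python filter that counts AppArmor capability denials per profile, to confirm that the logged denials are the chown capability discussed above before a deny rule is re-added. The log lines are constructed samples, and the profile name /usr/sbin/unbound, the pids and the timestamps are assumptions.

```python
import re
from collections import Counter

# Constructed sample audit lines (not taken from the thread); the profile
# name /usr/sbin/unbound, pids and timestamps are assumptions.
SAMPLE_LOG = """\
audit: type=1400 audit(1464546114.123:101): apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=2211 comm="unbound" capability=0  capname="chown"
audit: type=1400 audit(1464546114.125:102): apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=2211 comm="unbound" capability=0  capname="chown"
audit: type=1400 audit(1464546120.001:103): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/etc/unbound/extra.conf" pid=2211 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1464546130.500:104): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/ntpd" pid=900 comm="ntpd" capability=25  capname="sys_time"
"""

# key=value pairs; a value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD_RE.findall(line)}


def capability_denials(lines, profile=None):
    """Count DENIED capability requests per (profile, capname).

    File denials and complain-mode (ALLOWED) records are skipped, so the
    result shows only what a 'deny capability ...' rule would cover.
    """
    counts = Counter()
    for line in lines:
        fields = parse_fields(line)
        if fields.get("apparmor") != "DENIED":
            continue
        if fields.get("operation") != "capable":
            continue
        if profile and fields.get("profile") != profile:
            continue
        counts[(fields.get("profile"), fields.get("capname"))] += 1
    return counts


if __name__ == "__main__":
    for (prof, cap), n in capability_denials(SAMPLE_LOG.splitlines()).items():
        print(f"{prof}: capability {cap} denied {n}x")
```

Because AppArmor does not log requests matched by a plain deny rule, the chown entries stop appearing once "deny capability chown," is in the loaded profile.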
