[apparmor] unbound profile / chown
apparmor at cboltz.de
Sun May 29 19:52:48 UTC 2016
On Sunday, 29 May 2016, 15:21:54 CEST, Simon Deziel wrote:
> On 2016-05-29 11:34 AM, Christian Boltz wrote:
> > I just updated my system to the latest unbound profile from
> > lp:apparmor-profiles/ubuntu/16.10.
> > unbound works without problems, but I get chown denials logged.
> > I'm using unbound 1.5.8, which already includes the patches from
> > https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
> > (at least the changelog says so ;-)
> The behavior with 1.5.8 is to attempt chown'ing only if the PID is in
> the chroot or if no chroot is used. I must have _wrongly_ assumed that
> chroot was the default in Debian/Ubuntu so I removed the deny rule.
No problem ;-)
> > Do we need to explicitly "deny capability chown," in the profile?
> Since the original issue remains, I think it should be re-added.
> In the meantime, you might want to try the chroot feature :)
> chroot: "/var/lib/unbound"
You probably know what happens if someone tells me "you might want to
try ...". If not, have a look at
On the positive side - with the AppArmor profile, chroot wouldn't add
additional security anyway ;-)
I am the "ILOVEGNU" signature virus. Just copy me to your signature.
This message was infected under the terms of the GNU General Public