[apparmor] unbound profile / chown
Christian Boltz
apparmor at cboltz.de
Sun May 29 19:52:48 UTC 2016
Hello,
On Sunday, 29 May 2016, 15:21:54 CEST, Simon Deziel wrote:
> On 2016-05-29 11:34 AM, Christian Boltz wrote:
> > I just updated my system to the latest unbound profile from
> > lp:apparmor-profiles/ubuntu/16.10.
> >
> > unbound works without problems, but I get chown denials logged.
> >
> > I'm using unbound 1.5.8, which already includes the patches from
> > https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
> > (at least the changelog says so ;-)
>
> The behavior with 1.5.8 is to attempt chown'ing only if the PID is in
> the chroot or if no chroot is used. I must have _wrongly_ assumed that
> chroot was the default in Debian/Ubuntu so I removed the deny rule.
No problem ;-)
> > Do we need to explicitly "deny capability chown," in the profile?
>
> Since the original issue remains, I think it should be re-added [1].
Thanks, merged.
> In the meantime, you might want to try the chroot feature :)
>
> chroot: "/var/lib/unbound"
You probably know what happens if someone tells me "you might want to
try ...". If not, have a look at
https://bugzilla.opensuse.org/show_bug.cgi?id=982145
On the positive side - with the AppArmor profile, chroot wouldn't add
additional security anyway ;-)
Regards,
Christian Boltz
--
I am the "ILOVEGNU" signature virus. Just copy me to your signature.
This message was infected under the terms of the GNU General Public
License.
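An added helper for the situation discussed above (this is example code written for this archive page, not Christian's or the apparmor-profiles project's code): it parses AppArmor audit lines, collects the capabilities that were denied per profile, and emits the corresponding "deny capability X," rule, i.e. the rule Simon proposed re-adding so that the chown attempt stays blocked but stops filling the log. The log lines are constructed samples that follow the kernel's apparmor="DENIED" operation="capable" format; the profile paths, PIDs and timestamps are made up.

```python
import re

# Constructed sample audit lines (not taken from the thread). Two CAP_CHOWN
# denials from unbound, one unrelated ALLOWED file access, and a denial from
# a different profile so we can see the per-profile grouping.
SAMPLE_LOG = """\
audit: type=1400 audit(1464536094.101:301): apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=2151 comm="unbound" capability=0  capname="chown"
audit: type=1400 audit(1464536094.102:302): apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=2151 comm="unbound" capability=0  capname="chown"
audit: type=1400 audit(1464536095.500:303): apparmor="ALLOWED" operation="open" profile="/usr/sbin/unbound" name="/etc/unbound/unbound.conf" pid=2151 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1464536096.777:304): apparmor="DENIED" operation="capable" profile="/usr/sbin/ntpd" pid=999 comm="ntpd" capability=25  capname="sys_time"
"""

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def capability_denials(log_text):
    """Map profile name -> sorted list of capability names AppArmor denied."""
    denied = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        # only capability checks that were actually refused
        if f.get("apparmor") != "DENIED" or f.get("operation") != "capable":
            continue
        denied.setdefault(f["profile"], set()).add(f["capname"])
    return {profile: sorted(caps) for profile, caps in denied.items()}


def suggest_rules(log_text, profile, silence=True):
    """Build profile rules for each capability denied to `profile`.

    silence=True emits 'deny capability X,': the capability stays blocked,
    but the explicit deny rule stops the denial from being logged (the rule
    re-added in this thread). silence=False emits an allow rule instead, for
    the case where the program genuinely needs the capability.
    """
    caps = capability_denials(log_text).get(profile, [])
    prefix = "deny " if silence else ""
    return [f"{prefix}capability {cap}," for cap in caps]


if __name__ == "__main__":
    for profile, caps in capability_denials(SAMPLE_LOG).items():
        print(profile, "denied:", ", ".join(caps))
    print("\n".join(suggest_rules(SAMPLE_LOG, "/usr/sbin/unbound")))
```

On a real system the input would be the kernel log (e.g. the output of `journalctl -k` or /var/log/audit/audit.log) rather than the embedded sample; the function is deliberately agnostic about that. Whether the resulting rule should be a silent deny or an allow is a judgement call per capability, which is why the script only suggests and does not edit the profile.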