[apparmor] unbound profile / chown

Christian Boltz apparmor at cboltz.de
Sun May 29 19:52:48 UTC 2016


Am Sonntag, 29. Mai 2016, 15:21:54 CEST schrieb Simon Deziel:
> On 2016-05-29 11:34 AM, Christian Boltz wrote:
> > I just updated my system to the latest unbound profile from
> > lp:apparmor-profiles/ubuntu/16.10.
> > 
> > unbound works without problems, but I get chown denials logged.
> > 
> > I'm using unbound 1.5.8, which already includes the patches from
> > https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
> > (at least the changelog says so ;-)
> The behavior with 1.5.8 is to attempt chown'ing only if the PID is in
> the chroot or if no chroot is used. I must have _wrongly_ assumed that
> chroot was the default in Debian/Ubuntu so I removed the deny rule.

No problem ;-)

> > Do we need to explicitely "deny capability chown," in the profile?
> Since the original issue remains, I think it should be re-added [1].

Thanks, merged.

> In the meantime, you might want to try to the chroot feature :)
>   chroot: "/var/lib/unbound"

You probably know what happens if someone tells me "you might want to 
try ...". If not, have a look at 

On the positive side - with the AppArmor profile, chroot wouldn't add 
additional security anyway ;-)


Christian Boltz
I am the "ILOVEGNU" signature virus. Just copy me to your signature.
This message was infected under the terms of the GNU General Public
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160529/b59a05a6/attachment.pgp>

More information about the AppArmor mailing list