[Bug 740327] New: usr.sbin.named profile too permissive
https://bugzilla.novell.com/show_bug.cgi?id=740327
https://bugzilla.novell.com/show_bug.cgi?id=740327#c0
Summary: usr.sbin.named profile too permissive
Classification: openSUSE
Product: openSUSE 12.2
Version: Factory
Platform: Other
OS/Version: All
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: ug@suse.com
ReportedBy: suse-beta@cboltz.de
QAContact: qa@suse.de
Found By: Beta-Customer
Blocker: ---
(bug report based on bug 731572 comment 1 and the latest bind package from the
network repo)
The usr.sbin.named profile is too permissive.
Several rules seem to have their history in the times when AppArmor handled the
paths relative to the chroot. For some years now, the paths in the profiles have been
handled relative to the "real" root directory (for named, this means / in the
chroot is /var/lib/named/ in the profile).
There are also some other details, please see the inline comments below.
/usr/sbin/named {
#include
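The chroot-versus-real-root mismatch described in the report, as an added example that is not part of the bug report or of the openSUSE profile: a small Python checker that takes a chroot and profile rules (a constructed sample fragment here, not the real usr.sbin.named profile) and reports file rules pointing outside the chroot, which is where leftover chroot-relative rules become over-permissive, together with the chroot-anchored path they may have been meant to be.

```python
import re

# Chroot used by the openSUSE bind package for named (stated in the bug report).
NAMED_CHROOT = "/var/lib/named"
# A plain AppArmor file rule: absolute path (globs allowed), permission letters,
# trailing comma. The profile header, '#include' lines and '}' do not match.
# Assumption: no 'owner'/'audit' qualifiers or quoted paths in the checked rules.
RULE_RE = re.compile(r"^\s*(?P<path>/\S+)\s+(?P<perms>[a-zA-Z]+)\s*,\s*$")

def parse_rule(line):
    """Return (path, perms) for a file rule, or None for any other profile line."""
    m = RULE_RE.match(line)
    return (m.group("path"), m.group("perms")) if m else None

def audit_chroot_rules(lines, chroot=NAMED_CHROOT):
    """Classify every file rule relative to the chroot.
    AppArmor matches paths against the real root, so '/etc/named.conf r,'
    written when paths were chroot-relative now grants access to the real
    /etc/named.conf. Each finding is (path, perms, where, chroot_anchored_path).
    Outside-chroot rules need manual review: some are legitimate, since the
    binary and its libraries are opened before named calls chroot()."""
    findings = []
    for line in lines:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        path, perms = parsed
        inside = path == chroot or path.startswith(chroot + "/")
        findings.append((path, perms, "inside-chroot" if inside else "outside-chroot",
                         path if inside else chroot + path))
    return findings

def writable_outside_chroot(lines, chroot=NAMED_CHROOT):
    """Outside-chroot paths named may write, append to or link (w, a, l): the
    first candidates to check, since they let a compromised named touch real
    system files rather than the copies below the chroot."""
    return [path for path, perms, where, _ in audit_chroot_rules(lines, chroot)
            if where == "outside-chroot" and any(p in perms for p in "wal")]

# Constructed sample profile fragment (not the real usr.sbin.named profile).
SAMPLE_PROFILE = [
    "/usr/sbin/named {",
    "  #include <abstractions/base>",
    "  /usr/sbin/named mr,",
    "  /etc/named.conf r,",
    "  /var/log/named.log w,",
    "  /var/lib/named/var/log/named.log w,",
    "}",
]
```

Run `writable_outside_chroot(SAMPLE_PROFILE)` to get the outside-chroot paths with write-type permissions; `audit_chroot_rules` lists every rule with the path it would have below the chroot.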
https://bugzilla.novell.com/show_bug.cgi?id=740327#c1
--- Comment #1 from Bruno Friedmann
https://bugzilla.novell.com/show_bug.cgi?id=740327#c2
--- Comment #2 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=740327#c3
--- Comment #3 from Bruno Friedmann
https://bugzilla.novell.com/show_bug.cgi?id=740327#c4
--- Comment #4 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=740327#c5
--- Comment #5 from Paul M
https://bugzilla.novell.com/show_bug.cgi?id=740327#c6
--- Comment #6 from Christian Boltz
(In reply to comment #5)
> /var/lib/named/lib/engines/libgost.so rwml,
> which is what apparmor reported when in complain mode, but it didn't work!
> I am puzzled why named even wants to modify libgost!

Indeed, that looks very strange. Can you please attach your named profile (without the line for libgost.so) and /var/log/audit/audit.log? It would be even better if you could test the (stricter) profile from comment #2. Switch it to complain mode, use named for some time and then attach your audit.log.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=740327#c7
--- Comment #7 from Uwe Gansert
https://bugzilla.novell.com/show_bug.cgi?id=740327#c8
--- Comment #8 from Christian Boltz
(In reply to comment #7)
> Christian, I don't think Paul will react. If the apparmor profile works for you, can you do a submit request

Not really. I'm just the cleaner^W AppArmor maintainer ;-) but I don't use named myself. This means I can't really test the named profile (and Paul's change looks very strange, so I don't want to blindly include it). If someone tests the profile from comment #2 and provides me with the audit.log, I can help to update the profile. (Uwe, you as the named maintainer would be a good "someone" ;-)
https://bugzilla.novell.com/show_bug.cgi?id=740327#c10
--- Comment #10 from Reinhard Max
https://bugzilla.novell.com/show_bug.cgi?id=740327#c11
--- Comment #11 from Bruno Friedmann
https://bugzilla.novell.com/show_bug.cgi?id=740327#c12
--- Comment #12 from Reinhard Max
https://bugzilla.novell.com/show_bug.cgi?id=740327#c13
--- Comment #13 from Bernhard Wiedemann