https://bugzilla.novell.com/show_bug.cgi?id=731572
https://bugzilla.novell.com/show_bug.cgi?id=731572#c1
Christian Boltz changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |suse-beta@cboltz.de
AssignedTo|suse-beta@cboltz.de |ug@suse.com
--- Comment #1 from Christian Boltz 2011-12-06 16:21:22 CET ---
This rule will work for sure, but it's very broad and makes your profile
insecure IMHO.
That said: the named profile is part of the "bind" package, therefore I'll
assign this bug to Uwe (the bind maintainer) for now.
Some comments on the profile:
#include
/usr/sbin/named {
#include
#include
#include
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
/** r, # leftover from the times when AppArmor paths were relative to the
       # chroot? I doubt it's needed nowadays. /var/lib/named/** should be enough.
/dyn/** rwl, # see above - should probably be /var/lib/named/dyn/**
/usr/bin/dnskeygen mix,
/usr/bin/dnsquery mix,
/usr/sbin/named rmix,
/usr/sbin/named-xfer mix,
/var/lib/named/** rwl, # (or mrwl after this bugreport) - this rule is very
                       # broad and makes the profile insecure. Does bind really
                       # need write permissions for all those files?
/var/named/** rwl, # does this directory exist? (I don't have a nameserver on
                   # 12.1, so I can't check it.)
/var/run/named.pid wl,
/var/run/named/named.pid wl,
/var/run/ndc wl,
/slave/* rw, # should probably be /var/lib/named/slave/*
/var/opt/novell/xad/ds/krb5kdc/krb5.keytab r,
/var/tmp/DNS_* rw, # add "owner" keyword?
/tmp/DNS_* rw, # add "owner" keyword?
}
Uwe, if you need help, feel free to ask.
If you want, I can try to push the profile upstream (which would also mean to
move it to the apparmor-profiles package) - however I'm quite sure the
"/var/lib/named/** mrwl" rule will be rejected upstream.
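The following is an added example of what the profile looks like once the review points above are applied (narrow the chroot-relative leftovers to /var/lib/named, read-only on the tree with write access only where named writes, and "owner" on the /tmp rules). It is not Christian Boltz's text and not the profile shipped in the bind package. The abstraction names in the #include lines are an assumption, because the quoted profile lost them in extraction; the assumption that named only needs write access under dyn/ and slave/ plus its pid files is taken from the comment's own suggestions and has to be confirmed against real AppArmor denials before shipping.

```apparmor
# Added example: tightened /usr/sbin/named profile following the review comments.
# ASSUMPTION: the abstraction names below are assumed; the quoted profile's
# #include arguments are not recoverable from the bug report.
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # Binaries, same exec modes as the original (mix = mmap + inherit exec).
  /usr/sbin/named rmix,
  /usr/sbin/named-xfer mix,
  /usr/bin/dnskeygen mix,
  /usr/bin/dnsquery mix,

  # Chroot tree: read everywhere, write only where named actually writes.
  # Replaces the chroot-relative leftovers "/** r", "/dyn/** rwl", "/slave/* rw"
  # and the broad "/var/lib/named/** rwl". AppArmor rules accumulate, so the
  # specific rwl/rw rules add write access on top of the read-only tree rule.
  /var/lib/named/** r,
  /var/lib/named/dyn/** rwl,
  /var/lib/named/slave/* rw,
  # If the denial behind this bug is an mmap under /var/lib/named, grant "m"
  # on the file (or directory) the denial names, not on the whole tree.

  # "/var/named/** rwl" from the original is left out until someone confirms
  # the directory exists on 12.1; re-add it narrowed to what named needs.

  /var/run/named.pid wl,
  /var/run/named/named.pid wl,
  /var/run/ndc wl,

  /var/opt/novell/xad/ds/krb5kdc/krb5.keytab r,

  # "owner" restricts the match to files owned by the user named runs as, so a
  # /tmp/DNS_* pre-created by another local user does not match the rule.
  owner /tmp/DNS_* rw,
  owner /var/tmp/DNS_* rw,
}
```

Load it in complain mode first (aa-complain /usr/sbin/named) and watch the audit log while running a zone transfer and a dynamic update; any path that shows up as a denial outside dyn/ and slave/ gets its own narrow rule rather than widening the tree rule back to rwl.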