https://bugzilla.novell.com/show_bug.cgi?id=731572
https://bugzilla.novell.com/show_bug.cgi?id=731572#c3

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> 2011-12-06 19:32:36 CET ---

(In reply to comment #2)
> I just provided the rule I added to make bind work again. (the default was so secure that bind wouldn't start...) ;-)
> IMHO /var/lib/named belongs to named so I don't see a problem with letting named access that directory. I'm not storing anything else there...
Well, bind will "only" be able to overwrite its own data - but even that is not what you want (for example, bind will also be able to overwrite library files like /var/lib/named/lib/engines/libgost.so which should really be read-only and later load those "new" libraries - in other words: if an attacker can upload a library, he'll also be able to load it). Write permissions should only be allowed when really needed, for example for zone updates. (I'm not a nameserver expert, therefore I don't know where exactly bind needs write access.)
> If there's a better way then I'm all for it. I hope for it to be added in the default profile in a secure way that I, as an end user, don't have to edit just to get bind to start.
Yes, of course - the apparmor profile should be working by default.
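To make the least-privilege point of the comment above concrete, here is an illustrative AppArmor profile fragment. It is an added example, not the rule from the bug report and not the openSUSE bind profile: it contrasts a blanket read/write rule over /var/lib/named with a split that keeps the engine libraries (the /var/lib/named/lib/engines/ path mentioned in the comment) loadable but never writable. Every other directory name below (var/run/named, dyn, log) is an assumption about where a chrooted bind writes and has to be checked against the actual installation.

```apparmor
# Added illustration, not code from the bug report or the openSUSE profile.
#
# The broad rule that "fixes" startup but lets named rewrite its own
# OpenSSL engine libraries and then load the rewritten copies:
#
#   /var/lib/named/** rw,
#
# Narrower alternative: read everything, execute-map only the engine
# libraries, and grant write access only where bind is known to write.
# All paths except /var/lib/named/lib/engines/ are ASSUMED and must be
# verified on the target system (see the note on aa-logprof below).

  /var/lib/named/                    r,
  /var/lib/named/**                  r,
  /var/lib/named/lib/engines/*.so    mr,   # load, but never write, engine libraries

  deny /var/lib/named/lib/**         w,    # make the read-only intent explicit

  /var/lib/named/var/run/named/**    rw,   # ASSUMED: pid and session files
  /var/lib/named/dyn/**              rw,   # ASSUMED: dynamically updated zones only
  /var/lib/named/log/**              w,    # ASSUMED: bind's own log files
```

With only the narrow rules in place, any path bind still needs shows up as an `apparmor="DENIED"` entry in the audit log; `aa-logprof` walks those entries and proposes the missing rules, which is a safer way to discover the real write locations than granting `rw` to the whole tree. The explicit `deny ... w` line on the library directory wins over any later, broader allow rule, so a future edit that widens write access cannot silently reopen the library-overwrite path.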