https://bugzilla.novell.com/show_bug.cgi?id=731572
https://bugzilla.novell.com/show_bug.cgi?id=731572#c2

Charles Wright <wrighrc@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wrighrc@gmail.com

--- Comment #2 from Charles Wright <wrighrc@gmail.com> 2011-12-06 17:24:04 UTC ---

OK, thanks. I just provided the rule I added to make bind work again. (The default was so secure that bind wouldn't start...)

IMHO /var/lib/named belongs to named, so I don't see a problem with letting named access that directory. I'm not storing anything else there... If there's a better way, then I'm all for it. I hope for it to be added in the default profile in a secure way that I, as an end user, don't have to edit just to get bind to start.

(In reply to comment #1)
> This rule will work for sure, but it's very broad and makes your profile insecure IMHO.
>
> That said: the named profile is part of the "bind" package, therefore I'll assign this bug to Uwe (the bind maintainer) for now.
>
> Some comments on the profile:
>
> #include <tunables/global>
>
> /usr/sbin/named {
>   #include <abstractions/base>
>   #include <abstractions/nameservice>
>   #include <abstractions/xad>
>
>   capability net_bind_service,
>   capability setgid,
>   capability setuid,
>   capability sys_chroot,
>   capability sys_resource,
>
>   /** r,                    # leftover from the times when AppArmor paths were relative to the chroot?
>                             # I doubt it's needed nowadays. /var/lib/named/** should be enough.
>   /dyn/** rwl,              # see above - should probably be /var/lib/named/dyn/**
>   /usr/bin/dnskeygen mix,
>   /usr/bin/dnsquery mix,
>   /usr/sbin/named rmix,
>   /usr/sbin/named-xfer mix,
>   /var/lib/named/** rwl,    # (or mrwl after this bugreport) - this rule is very broad and makes the
>                             # profile insecure. Does bind really need write permissions for all those files?
>   /var/named/** rwl,        # does this directory exist? (I don't have a nameserver on 12.1, so I can't check it.)
>   /var/run/named.pid wl,
>   /var/run/named/named.pid wl,
>   /var/run/ndc wl,
>   /slave/* rw,              # should probably be /var/lib/named/slave/*
>   /var/opt/novell/xad/ds/krb5kdc/krb5.keytab r,
>   /var/tmp/DNS_* rw,        # add "owner" keyword?
>   /tmp/DNS_* rw,            # add "owner" keyword?
> }
>
> Uwe, if you need help, feel free to ask. If you want, I can try to push the profile upstream (which would also mean to move it to the apparmor-profiles package) - however, I'm quite sure the "/var/lib/named/** mrwl" rule will be rejected upstream.
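For readers comparing the two positions above, here is an added example (not from the bug report, the bind package, or the apparmor-profiles package) that puts the broad `/var/lib/named/** mrwl` rule next to a narrower profile built from the suggestions in comment #1: read-only access to the zone tree, write access only under `dyn/` and `slave/`, and the `owner` keyword on the temp files. Which subdirectories actually need write or mmap access is an assumption here; on a real system it has to be confirmed against the AppArmor audit log (for example with `aa-logprof`) rather than guessed.

```apparmor
# Added example, not the profile shipped by the bind package.
# Broad rule from the bug report (everything under /var/lib/named is
# mmap-able, readable, writable and linkable by named):
#
#   /var/lib/named/** mrwl,
#
# Narrower alternative. ASSUMPTION: only dyn/ (dynamic zones, journals)
# and slave/ (transferred zones) need write access; verify with the audit log.

#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  /usr/sbin/named rmix,

  # configuration and static zone files: read only
  /var/lib/named/** r,

  # directories bind is expected to modify (assumption, see above)
  /var/lib/named/dyn/** rw,
  /var/lib/named/slave/** rw,

  # If the audit log shows that a specific file needs mmap (the "m" in mrwl),
  # grant it on that file only, not on the whole tree, e.g.:
  #   /var/lib/named/<path from audit log> mr,

  # pid file
  /var/run/named/named.pid wl,

  # temp files: "owner" limits access to files owned by the named user,
  # so a file planted there by another user is not readable or writable
  owner /var/tmp/DNS_* rw,
  owner /tmp/DNS_* rw,
}
```

The design point is the one raised in comment #1: write (and mmap) permission should cover only the paths the daemon provably touches, because a `**` write rule turns any file-write bug in named into a write anywhere under that tree. Loading the narrowed profile in complain mode first and reviewing what the audit log reports is the safe way to find out whether the assumed set of writable directories is complete.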