Review: Approve I have approved this and then made the following change: revno: 80 committer: Jamie Strandboge <[email protected]> branch nick: apparmor-profiles timestamp: Wed 2011-11-30 06:57:44 -0600 message: ubuntu/12.04/usr.sbin.unbound: - add authorship - break out non-chroot and chroot parts, as this is easier to audit to my eyes anyway diff: === modified file 'ubuntu/12.04/usr.sbin.unbound' --- ubuntu/12.04/usr.sbin.unbound 2011-11-30 12:56:26 +0000 +++ ubuntu/12.04/usr.sbin.unbound 2011-11-30 12:57:44 +0000 @@ -1,4 +1,4 @@ -# TODO: comment on why we need 'capability dac_override' +# Author: Simon Deziel # vim:syntax=apparmor #include <tunables/global> @@ -16,10 +16,16 @@ owner @{PROC}/[0-9]*/net/if_inet6 r, owner @{PROC}/[0-9]*/net/ipv6_route r, - /{,var/lib/unbound/}etc/unbound/** r, - owner /{,var/lib/unbound/}etc/unbound/*.key rw, - audit deny /{,var/lib/unbound/}etc/unbound/unbound_server.key w, - audit deny /{,var/lib/unbound/}etc/unbound/unbound_control.key w, + # non-chrooted paths + /etc/unbound/** r, + owner /etc/unbound/*.key rw, + audit deny /etc/unbound/unbound_{control,server}.key w, + + # chrooted paths + /var/lib/unbound/** r, + owner /var/lib/unbound/**/*.key rw, + audit deny /var/lib/unbound/unbound_{control,server}.key w, + /etc/ssl/openssl.cnf r, /usr/sbin/unbound mr, -- https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83892 Your team AppArmor Developers is subscribed to branch lp:apparmor-profiles.
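Review bot: In the first hunk (@@ -1,4 +1,4 @@), the TODO asking why 'capability dac_override' is needed is replaced by the authorship line, and nothing in this diff records the answer. If the profile still grants that capability, keep the TODO or add a short comment next to the rule saying what requires it, so the grant stays auditable. The Author line can be added as its own line instead of taking the TODO's place.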
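Review bot: In the second hunk (@@ -16,10 +16,16 @@), the new chrooted deny rule `audit deny /var/lib/unbound/unbound_{control,server}.key w,` does not cover the paths the removed rules denied, which were /var/lib/unbound/etc/unbound/unbound_server.key and /var/lib/unbound/etc/unbound/unbound_control.key. As written it matches only key files directly under /var/lib/unbound/, while `owner /var/lib/unbound/**/*.key rw,` does match the keys under etc/unbound/, so writes to them are no longer denied or audited. Suggest `audit deny /var/lib/unbound/etc/unbound/unbound_{control,server}.key w,`. The chrooted read and owner rules also widen from the etc/unbound/ subtree to everything under /var/lib/unbound/; if only the chrooted configuration directory is needed, `/var/lib/unbound/etc/unbound/** r,` and `owner /var/lib/unbound/etc/unbound/*.key rw,` keep the chroot/non-chroot split without broadening access.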
