Hello,

Here is a patch for apparmor-profiles (sorry, that's git, I don't speak bzr) that fixes the profile for unbound. I'm currently running it without issue on Ubuntu 15.04, and will test on Debian Wheezy and Jessie soon.

Best regards,
Nicolas
From 265d580a5d6b5df1e8807b310ad29c9739ff1f67 Mon Sep 17 00:00:00 2001 From: Nicolas Braud-Santoni <[email protected]> Date: Sat, 22 Aug 2015 15:09:40 +0200 Subject: [PATCH] Fixes against usr.sbin.unbound - Use @{pid} - Allow unbound to create temporary key files This is required to handle the DNSSEC root KSK and ZSK keys rollover --- ubuntu/15.04/usr.sbin.unbound | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ubuntu/15.04/usr.sbin.unbound b/ubuntu/15.04/usr.sbin.unbound index 97b1d83..c76b142 100644 --- a/ubuntu/15.04/usr.sbin.unbound +++ b/ubuntu/15.04/usr.sbin.unbound @@ -15,18 +15,20 @@ capability dac_override, # for networking - owner @{PROC}/[0-9]*/net/if_inet6 r, - owner @{PROC}/[0-9]*/net/ipv6_route r, + owner @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/net/ipv6_route r, # non-chrooted paths /etc/unbound/** r, owner /etc/unbound/*.key rw, owner /var/lib/unbound/root.key rw, + owner /var/lib/unbound/root.key.* rw, audit deny /etc/unbound/unbound_{control,server}.key w, # chrooted paths /var/lib/unbound/** r, owner /var/lib/unbound/**/*.key rw, + owner /var/lib/unbound/**/root.key.* rw, audit deny /var/lib/unbound/unbound_{control,server}.key w, /etc/ssl/openssl.cnf r, -- 2.1.4
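Review bot: the two added `root.key.*` rules cover only /var/lib/unbound, while `owner /etc/unbound/*.key rw,` in the non-chrooted block gets no matching rule for temporary files. If unbound writes the temporary file beside the key, as the new rules imply, a trust anchor kept under /etc/unbound would still be denied during a rollover. Either add a matching `owner /etc/unbound/*.key.* rw,` or say in a profile comment that only root.key under /var/lib/unbound is expected to be auto-updated. The new lines also carry no comment of their own; a short one naming the key rollover, as the commit message does, would explain why a glob wider than `*.key` is writable. Separately, the `@{pid}` replacement relies on that variable being defined by an include above line 15, which this hunk does not show, so it is worth confirming that before the change is carried to the other releases mentioned for testing.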
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
