Hello,

this patch is based on a SLE12 patch to allow executing the --dhcp-script. We already have most parts of that patch since r2841, except:

- the SLE bugreport indicates that /bin/sh is executed (which is usually a symlink to /bin/bash or /bin/dash), so we should also allow /bin/sh
- /dev/tty rw - the SLE bug doesn't explain why it's needed, but from looking at (link taken from the bugreport) http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/lease.c;h=8adb60588671324d9ddf00d7dab40474d40d4393;hb=HEAD#l45 I'd guess that fscanf() (line 70) should explain it.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)

I propose this patch for trunk and 2.9.

[ dnsmasq-profile-boo940749.diff ] === modified file 'profiles/apparmor.d/usr.sbin.dnsmasq' --- profiles/apparmor.d/usr.sbin.dnsmasq 2015-07-24 18:56:27 +0000 +++ profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-16 12:03:40 +0000 @@ -29,6 +29,8 @@ signal (receive) peer=/usr/sbin/libvirtd, ptrace (readby) peer=/usr/sbin/libvirtd, + /dev/tty rw, + /etc/dnsmasq.conf r, /etc/dnsmasq.d/ r, /etc/dnsmasq.d/* r, @@ -45,7 +47,7 @@ /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage - /bin/{b,d}ash ix, # Required to execute --dhcp-script argument + /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument # access to iface mtu needed for Router Advertisement messages in IPv6 # Neighbor Discovery protocol (RFC 2461)

Regards,

Christian Boltz
--
> My fonts fill the entire wall, so I couldn't use a bigger poster
> either. :-)
I always use wallpaper for the walls ;-)
[> Ratti and Christian Boltz]
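Review bot: In the first hunk (@@ -29,6 +29,8 @@), the new "/dev/tty rw," rule carries no comment saying why it is needed, and the description only guesses at the reason (fscanf() in lease.c). Please add a trailing comment in the style of the "# Required to execute --dhcp-script argument" line, naming the bug reference and the suspected code path, so the rule can be re-evaluated later. It would also help to state whether write access was actually observed in the denial logs or whether "/dev/tty r," would be enough, since the profile should grant only what the reported denials show.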
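Review bot: In the second hunk (@@ -45,7 +47,7 @@), the empty alternative in "/bin/{ba,da,}sh ix," is easy to overlook when reading the profile; the trailing comment should mention that the rule now covers /bin/sh in addition to bash and dash. The description says /bin/sh is usually a symlink to /bin/bash or /bin/dash, both of which the old "/bin/{b,d}ash ix," rule already matched, so the commit message should record in which setup the denial was reported for /bin/sh itself. Because the rule keeps "ix", the shell and the --dhcp-script it runs stay confined by this profile, which is worth keeping in mind together with the /dev/tty rule added in the first hunk.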
