Simon, that's great. Nice job :) Since the error message is essentially 
harmless, and granting the permissions wouldn't actually allow the unlink 
anyway (since we're doing the chroot too), I think we can also ignore giving 
these permissions to unbound. We could add "deny" lines to silence the AppArmor 
denials but that might mask actual problems if unbound is modified in the 
future to require these privileges.

So, I propose we skip the new capabilities if we can; the new file rules look 
sane, adding those sounds like a good idea.

Does that sound fair?

Thanks
-- 
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~sdeziel/apparmor-profiles/unbound-refresh into lp:apparmor-profiles.

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to