On Sun, Jan 31, 2016 at 05:56:54PM +0100, Christian Boltz wrote:
> Hello,
>
> I just replaced my self-made unbound profile with the latest Ubuntu
> profile.
>
> It needs exactly one change [1] to work on openSUSE, and that's the pid
> file location. Additionally, I prefer to use abstractions/openssl instead
> of /etc/ssl/openssl.cnf.
>
> As a sidenote - the capabilities fowner, fsetid and sys_chroot are not
> needed on openSUSE. sys_chroot obviously depends on the config. I wonder
> about the difference for fowner and fsetid (they were added by Simon's
> patch, so I assume they are needed on Ubuntu ;-) - are those also
> depending on the config, or is there some other difference?

Acked-by: Seth Arnold <[email protected]>

When newer versions of unbound are synced through Debian and Ubuntu we'll be
able to update the profile again; the full details of the iteration are at:
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230

Thanks

> > === modified file 'ubuntu/16.04/usr.sbin.unbound' > --- ubuntu/16.04/usr.sbin.unbound 2016-01-12 21:30:36 +0000 > +++ ubuntu/16.04/usr.sbin.unbound 2016-01-31 16:45:45 +0000 > @@ -5,6 +5,7 @@ > /usr/sbin/unbound { > #include <abstractions/base> > #include <abstractions/nameservice> > + #include <abstractions/openssl> > > # needlessly chown'ing the PID, for details see: > # https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734 > @@ -37,11 +39,9 @@ > audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw, > audit deny /var/lib/unbound/**/unbound_server.key w, > > - /etc/ssl/openssl.cnf r, > - > /usr/sbin/unbound mr, > > - /{,var/}run/unbound.pid rw, > + /{,var/}run/{unbound/,}unbound.pid rw, > > # Unix control socket > /{,var/}run/unbound.ctl rw, > >
> Regards,
>
> Christian Boltz
>
> [1] well, the two "deny capability" rules also cause failures, but
> that's a known issue and will fix itself when openSUSE gets the next
> unbound release
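
Review bot: in the first hunk (@@ -5,6 +5,7 @@), the new `#include <abstractions/openssl>` line after `abstractions/nameservice` carries no comment saying what it stands in for, while the explicit single-file rule `/etc/ssl/openssl.cnf r,` is dropped further down. The profile then grants whatever the abstraction contains rather than one named file, so a short comment on the include (or a line in the commit message) stating that it replaces the openssl.cnf read rule would let a later reader judge whether the wider grant is still wanted.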
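
Review bot: in the second hunk (@@ -37,11 +39,9 @@), the widened rule `/{,var/}run/{unbound/,}unbound.pid rw,` has no comment explaining which layout needs the `unbound/` subdirectory, and the file lives under ubuntu/16.04/ while the message says the change is for openSUSE. A one-line comment above the rule naming the distribution that keeps the pid file in /run/unbound/ would make it clear why an Ubuntu profile carries the alternation. Separately, the header places the new side at line 39 for old line 37, although the first hunk adds only one line, so please confirm the posted diff matches what will actually be committed.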
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
