Hi Robert,

As Seth mentioned, you could set up a global or child profile instead of allowing unfiltered access. I am surprised that your system needs bash though.

On 2016-11-02 05:18 PM, Seth Arnold wrote:
> These profiles are also at:
> http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/files/head:/profiles/apparmor/profiles/extras/
>
> - There's a usr.sbin.sendmail that is prepared to handle both postfix
>   _and_ sendmail
> - There's a usr.sbin.sendmail.sendmail that works with sendmail
> - There's a usr.sbin.sendmail.postfix that works with postfix
> - There's also profiles for postalias, postdrop, postmap, postqueue, and a
>   dozen other postfix binaries.
>
> Unless someone speaks up to say they've kept the 'extras' profile updated
> for their MTA of choice, they are probably old enough at this point that
> they can be ignored.

I'm using sSMTP everywhere and this profile works well:

https://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/16.04/usr.sbin.ssmtp

On occasions, I drop a local/ definition on a given machine to make dead.letter work for system users:

  simon@bck:~$ cat /etc/apparmor.d/local/usr.sbin.ssmtp
  # Site-specific additions and overrides for usr.sbin.ssmtp.
  # For more details, please see /etc/apparmor.d/local/README.

  # backuppc
  owner /var/lib/backuppc/dead.letter rw,

  # logcheck
  owner /var/lib/logcheck/dead.letter rw,

  # nagios
  owner /var/lib/nagios/dead.letter rw,

Otherwise, the base profile just works.

Regards,
Simon

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
