Hello, On Friday, 9 March 2018, 17:26:24 CET, Goldwyn Rodrigues wrote: > From: Goldwyn Rodrigues <[email protected]> > > From: Sven Uebelacker <[email protected]> > > Signed-off-by: Goldwyn Rodrigues <[email protected]> > --- > profiles/apparmor.d/abstractions/ssl_certs | 7 +++++++ > profiles/apparmor.d/abstractions/ssl_keys | 7 +++++++ > 2 files changed, 14 insertions(+) > > diff --git a/profiles/apparmor.d/abstractions/ssl_certs > b/profiles/apparmor.d/abstractions/ssl_certs index 0234fd4b..4a6c17b4 > 100644 > --- a/profiles/apparmor.d/abstractions/ssl_certs > +++ b/profiles/apparmor.d/abstractions/ssl_certs > @@ -27,3 +27,10 @@ > # acmetool > /var/lib/acme/certs/*/chain r, > /var/lib/acme/certs/*/cert r, > + > + # certbot > + /etc/certbot/live/** r, > + /etc/certbot/archive/** r, > + > + # dehydrated > + /etc/dehydrated/certs/** r, > diff --git a/profiles/apparmor.d/abstractions/ssl_keys > b/profiles/apparmor.d/abstractions/ssl_keys index c6f29ad2..e805bff1 > 100644 > --- a/profiles/apparmor.d/abstractions/ssl_keys > +++ b/profiles/apparmor.d/abstractions/ssl_keys > @@ -20,3 +20,10 @@ > /var/lib/acme/live/* r, > /var/lib/acme/certs/** r, > /var/lib/acme/keys/** r, > + > + # certbot > + /etc/certbot/live/** r, > + /etc/certbot/archive/** r, > + > + # dehydrated > + /etc/dehydrated/certs/** r,
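Review bot: the three rules added to ssl_certs (`/etc/certbot/live/** r,`, `/etc/certbot/archive/** r,`, `/etc/dehydrated/certs/** r,`) are identical to the rules this patch adds to ssl_keys, so a profile that includes only the certs abstraction ends up with read access to everything the keys abstraction grants, private keys included. The acmetool entries directly above the hunk show the shape this file already uses: name the certificate and chain files explicitly (`/var/lib/acme/certs/*/chain r,` and `/var/lib/acme/certs/*/cert r,`) instead of a `**` over the whole directory. The certbot and dehydrated rules in ssl_certs should be narrowed the same way once the layout of `live/`, `archive/` and `certs/` is known.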
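Review bot: in ssl_keys the directory-wide `**` reads are in line with the existing `/var/lib/acme/certs/** r,` and `/var/lib/acme/keys/** r,` entries, so the scope is acceptable here, but the hunk does not document why both `/etc/certbot/live/**` and `/etc/certbot/archive/**` are needed. A one-line comment under `# certbot` stating which of the two directories actually holds the key material (and whether the other one only refers to it) would let a reviewer confirm that both rules are required rather than one being redundant.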
This looks like the patch from https://build.opensuse.org/request/show/533380 and I still think that granting access to the private keys in the ssl_certs abstraction isn't a good idea, so we'll need more restrictive rules.

I'm guilty of not answering Sven's questions in the SR for months, but just added a comment and hope for some feedback.

As an alternative, do you know the directory layout used by certbot and dehydrated so that I can come up with some more restrictive rules myself?

Regards,

Christian Boltz

PS: Random signature as usual, but it matches perfectly ;-)

--
<sarnold> it's been on my todo list for eight or nine years, I'm sure I'll get around to it right quick :)
[from #apparmor]
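The reply's objection is that `**` in ssl_certs reaches private keys. The script below is an added example written for this page; it is not part of the patch, of AppArmor, of certbot or of dehydrated. It implements AppArmor's path-glob semantics (`*` does not cross `/`, `**` does, `{a,b}` alternation) and resolves the patch's ssl_certs rules, and a narrowed alternative, against a constructed file layout. The layout is an assumption: each client is assumed to keep `privkey.pem` next to `cert.pem`, `chain.pem` and `fullchain.pem` under the directories the patch names, and the narrowed rules (`NARROW_CERTS_RULES`) are a proposal, not anything the thread agreed on.

```python
"""Resolve AppArmor path globs against a file list.

Glob semantics follow apparmor.d(5):
  *      any run of characters that does not cross a '/'
  **     any run of characters, including '/'
  ?      one character other than '/'
  {a,b}  either alternative (expanded before matching)
Rule paths are given without the trailing permission ("r,").
"""
import os
import re
from typing import List


def expand_braces(glob: str) -> List[str]:
    """Expand {a,b} alternations into separate globs."""
    m = re.search(r"\{([^{}]*)\}", glob)
    if m is None:
        return [glob]
    head, tail = glob[: m.start()], glob[m.end():]
    expanded: List[str] = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(head + alt + tail))
    return expanded


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate one brace-free AppArmor glob into an anchored regex."""
    out: List[str] = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob.startswith("**", i):
                out.append(".*")        # ** crosses directory boundaries
                i += 2
                continue
            out.append("[^/]*")         # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_matches(rule_path: str, file_path: str) -> bool:
    """True if the path part of an AppArmor file rule matches file_path."""
    return any(glob_to_regex(g).match(file_path) for g in expand_braces(rule_path))


def readable(rules: List[str], files: List[str]) -> List[str]:
    """Files that at least one rule grants access to."""
    return sorted(f for f in files if any(rule_matches(r, f) for r in rules))


def key_files_exposed(rules: List[str], files: List[str]) -> List[str]:
    """Subset of readable() whose basename looks like a private key."""
    return [f for f in readable(rules, files)
            if os.path.basename(f).startswith("privkey")]


# Constructed sample layout (assumption, not taken from the patch): the key
# sits beside the certificate files under the directories the patch names.
SAMPLE_FILES = [
    "/etc/certbot/live/example.org/cert.pem",
    "/etc/certbot/live/example.org/chain.pem",
    "/etc/certbot/live/example.org/fullchain.pem",
    "/etc/certbot/live/example.org/privkey.pem",
    "/etc/certbot/archive/example.org/cert1.pem",
    "/etc/certbot/archive/example.org/chain1.pem",
    "/etc/certbot/archive/example.org/fullchain1.pem",
    "/etc/certbot/archive/example.org/privkey1.pem",
    "/etc/dehydrated/certs/example.org/cert.pem",
    "/etc/dehydrated/certs/example.org/chain.pem",
    "/etc/dehydrated/certs/example.org/fullchain.pem",
    "/etc/dehydrated/certs/example.org/privkey.pem",
    "/etc/dehydrated/certs/example.org/privkey-1520000000.pem",
]

# Rule paths exactly as the patch adds them to ssl_certs.
PATCH_CERTS_RULES = [
    "/etc/certbot/live/**",
    "/etc/certbot/archive/**",
    "/etc/dehydrated/certs/**",
]

# Narrowed proposal (assumption): name the certificate files, never the key,
# in the style of the existing acmetool rules in ssl_certs.
NARROW_CERTS_RULES = [
    "/etc/certbot/live/*/{cert,chain,fullchain}.pem",
    "/etc/certbot/archive/*/{cert,chain,fullchain}*.pem",
    "/etc/dehydrated/certs/*/{cert,chain,fullchain}*.pem",
]


if __name__ == "__main__":
    for name, rules in (("patch", PATCH_CERTS_RULES), ("narrowed", NARROW_CERTS_RULES)):
        print(f"{name}: {len(readable(rules, SAMPLE_FILES))} files readable, "
              f"keys exposed: {key_files_exposed(rules, SAMPLE_FILES) or 'none'}")
```

Run against the sample layout, the patch's rules expose all four key files through ssl_certs while the narrowed rules expose none and still cover every certificate and chain file. The same resolver can be pointed at a real `find /etc/letsencrypt /etc/dehydrated` listing once the actual layout is known, which is exactly the information the reply asks for.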
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
