On 03/13/2018 04:48 PM, Christian Boltz wrote: > Hello, > > Am Freitag, 9. März 2018, 17:26:24 CET schrieb Goldwyn Rodrigues: >> From: Goldwyn Rodrigues <[email protected]> >> >> From: Sven Uebelacker <[email protected]> >> >> Signed-off-by: Goldwyn Rodrigues <[email protected]> >> --- >> profiles/apparmor.d/abstractions/ssl_certs | 7 +++++++ >> profiles/apparmor.d/abstractions/ssl_keys | 7 +++++++ >> 2 files changed, 14 insertions(+) >> >> diff --git a/profiles/apparmor.d/abstractions/ssl_certs >> b/profiles/apparmor.d/abstractions/ssl_certs index 0234fd4b..4a6c17b4 >> 100644 >> --- a/profiles/apparmor.d/abstractions/ssl_certs >> +++ b/profiles/apparmor.d/abstractions/ssl_certs >> @@ -27,3 +27,10 @@ >> # acmetool >> /var/lib/acme/certs/*/chain r, >> /var/lib/acme/certs/*/cert r, >> + >> + # certbot >> + /etc/certbot/live/** r, >> + /etc/certbot/archive/** r, >> + >> + # dehydrated >> + /etc/dehydrated/certs/** r, >> diff --git a/profiles/apparmor.d/abstractions/ssl_keys >> b/profiles/apparmor.d/abstractions/ssl_keys index c6f29ad2..e805bff1 >> 100644 >> --- a/profiles/apparmor.d/abstractions/ssl_keys >> +++ b/profiles/apparmor.d/abstractions/ssl_keys >> @@ -20,3 +20,10 @@ >> /var/lib/acme/live/* r, >> /var/lib/acme/certs/** r, >> /var/lib/acme/keys/** r, >> + >> + # certbot >> + /etc/certbot/live/** r, >> + /etc/certbot/archive/** r, >> + >> + # dehydrated >> + /etc/dehydrated/certs/** r, > > This looks like the patch from > https://build.opensuse.org/request/show/533380 > and I still think that granting access to the private keys in the > ssl_certs abstraction isn't a good idea, so we'll need more restrictive > rules.
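Review bot: the three ssl_certs rules in the first hunk (`/etc/certbot/live/** r,`, `/etc/certbot/archive/** r,`, `/etc/dehydrated/certs/** r,`) cover every file below those directories, so a profile that includes ssl_certs because it only needs to read certificates also gets the private keys stored alongside them, which is the objection raised in the reply. Name the certificate files instead of the directory, the way the acmetool entries just above the hunk do (`/var/lib/acme/certs/*/chain r,` and `/var/lib/acme/certs/*/cert r,`), for example `/etc/certbot/live/*/{cert,chain,fullchain}.pem r,` and a matching `archive/` rule (file names taken from certbot's documented layout, not from the patch), and leave the key files to ssl_keys.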
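Review bot: the ssl_keys hunk is a verbatim copy of the ssl_certs hunk, so ssl_keys grants nothing that ssl_certs does not already grant and the distinction between the two abstractions is lost for certbot and dehydrated. The ssl_keys rules should be restricted to the key files (both tools name them `privkey*.pem` under the listed directories) rather than `**`, mirroring how the context line `/var/lib/acme/keys/** r,` scopes acmetool to its key directory. The certbot package listing in the reply also shows a separate `/etc/certbot/keys` directory that neither hunk mentions; either add a rule for it here or state in the commit message why it is not needed.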
Yes, it is.

> I'm guilty of not answering Sven's questions in the SR for months, but
> just added a comment and hope for some feedback. As an alternative, do
> you know the directory layout used by certbot and dehydrated so that I
> can come up with some more restrictive rules myself?

Both dehydrated and certbot are available in opensuse 15/tumbleweed.

rpm -ql certbot
/etc/certbot
/etc/certbot/archive
/etc/certbot/cli.ini
/etc/certbot/dev-cli.ini
/etc/certbot/keys
/etc/certbot/live
/etc/cron.d/certbot
/usr/bin/certbot
/usr/share/doc/packages/certbot
/usr/share/doc/packages/certbot/CHANGES.rst
/usr/share/doc/packages/certbot/LICENSE.txt
/usr/share/doc/packages/certbot/README.SUSE
/usr/share/doc/packages/certbot/README.rst
/usr/share/man/man1/certbot.1.gz
/usr/share/man/man7/certbot.7.gz
/var/log/certbot

rpm -ql dehydrated
/etc/dehydrated
/etc/dehydrated/accounts
/etc/dehydrated/certs
/etc/dehydrated/chains
/etc/dehydrated/config
/etc/dehydrated/config.d
/etc/dehydrated/domains.txt
/etc/dehydrated/hook.sh
/etc/dehydrated/postrun-hooks.d
/etc/dehydrated/postrun-hooks.d/README.hooks
/run/dehydrated
/usr/bin/dehydrated
/usr/lib/systemd/system/dehydrated.service
/usr/lib/systemd/system/dehydrated.timer
/usr/lib/tmpfiles.d/dehydrated.conf
/usr/sbin/rcdehydrated
/usr/share/doc/packages/dehydrated
/usr/share/doc/packages/dehydrated/LICENSE
/usr/share/doc/packages/dehydrated/README.SUSE
/usr/share/doc/packages/dehydrated/README.md
/usr/share/doc/packages/dehydrated/dns-verification.md
/usr/share/doc/packages/dehydrated/domains_txt.md
/usr/share/doc/packages/dehydrated/ecc.md
/usr/share/doc/packages/dehydrated/hook_chain.md
/usr/share/doc/packages/dehydrated/import-from-official-client.md
/usr/share/doc/packages/dehydrated/logo.jpg
/usr/share/doc/packages/dehydrated/per-certificate-config.md
/usr/share/doc/packages/dehydrated/staging.md
/usr/share/doc/packages/dehydrated/troubleshooting.md
/usr/share/doc/packages/dehydrated/wellknown.md
/usr/share/man/man1/dehydrated.1.gz
/var/lib/acme-challenge

-- 
Goldwyn

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
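The thread turns on what the `**` globs in the patch actually reach: the reply objects that the ssl_certs rules grant the private keys, and the rpm -ql listing shows only the top-level directories, not the per-domain files under live/, archive/ and certs/. The script below is an added example, not code from the AppArmor project or from either poster. It translates the subset of AppArmor file-glob syntax used in these abstractions (`*`, `**`, `?`, `[...]`, `{a,b}`) into regular expressions and runs the patch's rules, a narrowed ssl_certs alternative and a key-only ssl_keys alternative over a constructed file tree. The per-domain file names (cert, chain, fullchain, privkey) follow certbot's and dehydrated's documented layouts, which is an assumption about the systems in question; the domain name and timestamp are invented, and the narrowed rule sets are this example's suggestion rather than anything in the patch.

```python
"""Which files does an AppArmor path glob actually reach?

Added example (not AppArmor project code).  Models the apparmor.d(5) glob
operators used in the ssl_certs/ssl_keys abstractions:
  *     any characters except '/'       **    any characters, '/' included
  ?     one character except '/'        [ab]  character class
  {a,b} alternation
and checks the patch's rules against a constructed certbot/dehydrated tree.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample tree.  File names follow the documented certbot
# (live/, archive/) and dehydrated (certs/) layouts; the domain name
# example.org and the timestamp are made up for this example.
SAMPLE_TREE = [
    "/etc/certbot/live/example.org/cert.pem",
    "/etc/certbot/live/example.org/chain.pem",
    "/etc/certbot/live/example.org/fullchain.pem",
    "/etc/certbot/live/example.org/privkey.pem",
    "/etc/certbot/archive/example.org/cert1.pem",
    "/etc/certbot/archive/example.org/chain1.pem",
    "/etc/certbot/archive/example.org/fullchain1.pem",
    "/etc/certbot/archive/example.org/privkey1.pem",
    "/etc/dehydrated/certs/example.org/cert.pem",
    "/etc/dehydrated/certs/example.org/chain.pem",
    "/etc/dehydrated/certs/example.org/fullchain.pem",
    "/etc/dehydrated/certs/example.org/privkey.pem",
    "/etc/dehydrated/certs/example.org/privkey-1520000000.pem",
]


def glob_to_regex(glob: str):
    """Translate an AppArmor path glob into an anchored regular expression."""
    parts, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            parts.append(".*")            # '**' crosses directory boundaries
            i += 2
            continue
        if c == "*":
            parts.append("[^/]*")         # '*' stays inside one path component
        elif c == "?":
            parts.append("[^/]")
        elif c == "[":
            j = glob.find("]", i + 1)
            if j < 0:
                raise ValueError(f"unterminated character class in {glob!r}")
            parts.append("[" + glob[i + 1:j] + "]")
            i = j
        elif c == "{":
            parts.append("(?:")
            depth += 1
        elif c == "," and depth:
            parts.append("|")
        elif c == "}" and depth:
            parts.append(")")
            depth -= 1
        else:
            parts.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError(f"unterminated alternation in {glob!r}")
    return re.compile("^" + "".join(parts) + "$")


def parse_rule(rule: str) -> Tuple[str, str]:
    """Split a file rule such as '/etc/certbot/live/** r,' into (path, perms)."""
    body = rule.strip().rstrip(",").strip()
    path, _, perms = body.partition(" ")
    return path, perms.strip()


def matches(rule: str, files: List[str] = SAMPLE_TREE) -> List[str]:
    """Files that the rule's path glob covers."""
    rx = glob_to_regex(parse_rule(rule)[0])
    return [f for f in files if rx.match(f)]


def is_private_key(path: str) -> bool:
    # Both certbot and dehydrated name their key files privkey*.pem.
    return path.rsplit("/", 1)[-1].startswith("privkey")


def exposed_keys(rules: List[str], files: List[str] = SAMPLE_TREE) -> Dict[str, List[str]]:
    """Map each rule to the private keys it grants; rules that grant none are omitted."""
    out: Dict[str, List[str]] = {}
    for rule in rules:
        hits = [f for f in matches(rule, files) if is_private_key(f)]
        if hits:
            out[rule] = hits
    return out


# Rules exactly as the patch adds them to ssl_certs (and, verbatim, to ssl_keys).
PATCH_CERT_RULES = ["/etc/certbot/live/** r,", "/etc/certbot/archive/** r,",
                    "/etc/dehydrated/certs/** r,"]
# Suggested narrowing for ssl_certs (this example's proposal, not the patch's).
NARROW_CERT_RULES = ["/etc/certbot/live/*/{cert,chain,fullchain}.pem r,",
                     "/etc/certbot/archive/*/{cert,chain,fullchain}*.pem r,",
                     "/etc/dehydrated/certs/*/{cert,chain,fullchain}*.pem r,"]
# Key-only rules ssl_keys could carry instead of a copy of the '**' rules.
KEY_RULES = ["/etc/certbot/live/*/privkey.pem r,", "/etc/certbot/archive/*/privkey*.pem r,",
             "/etc/dehydrated/certs/*/privkey*.pem r,"]

if __name__ == "__main__":
    for label, rules in [("patch ssl_certs", PATCH_CERT_RULES),
                         ("narrowed ssl_certs", NARROW_CERT_RULES),
                         ("key-only ssl_keys", KEY_RULES)]:
        print(f"{label}:")
        for rule in rules:
            print(f"  {rule:58} -> {len(matches(rule))} file(s)")
        print("  private keys reachable:", exposed_keys(rules) or "none")
```

Run it with python3 to see that every `**` rule from the patch reaches a privkey file while the narrowed certificate rules reach only cert, chain and fullchain files. The translator covers the glob operators these abstractions use and nothing more (no backslash escapes, no `{,}` empty alternatives), and AppArmor's real matcher is the kernel's compiled DFA rather than a Python regex, so treat this as a quick review aid rather than a policy verifier.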
