On Fri, Mar 22, 2019 at 10:07:49AM -0400, Espresso Beanies wrote:
> I'm trying to develop an AppArmor profile for PostgreSQL 10 based on the
> existing profile here (
> https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.lib.postgresql.bin.postgres)
> however when I go to generate the profile based on the postgres executable
> location, I get the following results:
>
> # Last Modified: Fri Mar 22 09:59:25 2019
> #include <tunables/global>
>
> /usr/lib/postgresql/10/bin/postgres {
>   #include <abstractions/base>
>
>   /lib/x86_64-linux-gnu/ld-*.so mr,
>   /usr/lib/postgresql/10/bin/postgres mr,
>   owner /etc/postgresql/10/main/postgresql.conf r,
> }
>
> There seem to be a number of things absent from the profile itself and
> since PostgreSQL 10, there also appear to be a number of new locations that
> contain resources that the program uses. I find these fun and I'd like to
> do more, but I want to make sure they're created properly.

Hello,
Yes, this new profile is missing quite a lot from the previous profile
that looks very important. However, I'm surprised it's even needed. The
version I retrieved from the URL you gave looks like it has an attachment
specification that should also match the filename you gave:

#include <tunables/global>

/usr/lib/postgresql/[0-9.]*/bin/postgres {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_keys>

  /etc/postgresql/** r,
  /usr/share/postgresql/** r,
  /var/lib/postgresql/** rwl,
  /{,var/}run/postgresql/** rw,
  owner @{PROC}/[0-9]*/oom_adj rw,
}

/usr/lib/postgresql/10/bin/postgres should match this, unless I'm missing
something too subtle for a Friday.
Did you have problems using the profile from the repository?
Thanks
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
