Package: fwknop-apparmor-profile
Version: 2.6.11-2
Severity: normal
Tags: patch
X-Debbugs-Cc: [email protected]
Dear Maintainer,
I tried to add the following to my `/etc/fwknop/access.conf` file:
```
%include_folder /etc/fwknop/access.conf.d
```
The custom directory is blocked by AppArmor.
I tried adding the following to `/etc/apparmor.d/local/usr.sbin.fwknopd`:
```
/etc/fwknop/access.conf.d/ r,
/etc/fwknop/access.conf.d/*.conf r,
```
Unfortunately, that did not work because `/etc/apparmor.d/usr.sbin.fwknopd`
does not include this local file.
Adding the following to `/etc/apparmor.d/usr.sbin.fwknopd` (as seems to be the
norm now in other rules files) solved the problem:
```
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.fwknopd>
```
Or as a patch:
```
--- a/apparmor/usr.sbin.fwknopd
+++ b/apparmor/usr.sbin.fwknopd
@@ -46,4 +46,6 @@
/var/cache/nscd/passwd r,
@{PROC}/@{pid}/net/ip_tables_names r,
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.fwknopd>
}
```
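Review bot: the configured-file dump further down in this report already carries an unconditional `include <local/usr.sbin.fwknopd>` right after the abstraction includes, so with this hunk applied the profile pulls the local override in twice; before merging, confirm whether that earlier line is part of the shipped profile (in which case the premise that the local file is not included needs re-checking, since an unconditional `include` of a missing file is a parse error rather than a silent skip) or was added locally, and in either case replace it with the `include if exists` form rather than adding a second line. Separately, the header `@@ -46,4 +46,6 @@` promises four old-side lines but only three are shown (`/var/cache/nscd/passwd r,`, `@{PROC}/@{pid}/net/ip_tables_names r,` and `}`), so the hunk as pasted has probably lost a blank context line and should be regenerated with `diff -u` so it applies cleanly.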
The comment seems to be the norm in all other files, so that's why I added it.
Thank you for your time and consideration.
Tom Dworzanski
-- System Information:
Debian Release: 13.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)
Kernel: Linux 6.12.48+deb13-arm64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages fwknop-apparmor-profile depends on:
ii apparmor-profiles-extra 1.35
ii fwknop-server 2.6.11-2+b1
fwknop-apparmor-profile recommends no packages.
fwknop-apparmor-profile suggests no packages.
-- Configuration Files:
/etc/apparmor.d/usr.sbin.fwknopd changed:
include <tunables/global>
/usr/sbin/fwknopd {
include <abstractions/base>
include <abstractions/gstreamer>
include <local/usr.sbin.fwknopd>
capability ipc_lock,
capability net_admin,
capability net_raw,
network inet dgram,
network inet raw,
network inet6 dgram,
network packet dgram,
network packet raw,
/bin/bash rix,
/bin/dash rix,
/etc/fwknop/access.conf r,
/etc/fwknop/fwknopd.conf r,
/etc/gai.conf r,
/etc/host.conf r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/protocols r,
/etc/resolv.conf r,
/etc/services r,
/root/.gnupg/* rwlk,
/run/fwknop/ rw,
/run/fwknop/* rwk,
/run/resolvconf/resolv.conf r,
/run/xtables.lock rwk,
/sbin/ipset rix,
/sbin/xtables-legacy-multi rix,
/sbin/xtables-multi rix,
/usr/bin/gpg rix,
/usr/sbin/fwknopd mr,
/usr/sbin/ipset rix,
/usr/sbin/xtables-legacy-multi rix,
/usr/sbin/xtables-nft-multi rix,
/var/cache/nscd/passwd r,
@{PROC}/@{pid}/net/ip_tables_names r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.fwknopd>
}
-- no debconf information
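As an added example that is not part of this bug report or of the fwknop or Debian packaging, the following POSIX shell script audits a directory of AppArmor profiles for the site-local override hook the report asks for. For each profile it counts lines of the form `include if exists <local/NAME>` (or the older `include <local/NAME>` and `#include` spellings) and classifies the profile as missing the hook, carrying it once, or carrying it twice, which is what the pasted configured profile above would report. The function names are hypothetical and the sample profiles are constructed in a temporary directory; point `audit_profiles_dir` at `/etc/apparmor.d` to run it against a real system.

```shell
#!/bin/sh
# Added example: audit AppArmor profiles for the site-local override include.
# Function names are hypothetical; sample profiles are constructed below.
set -eu

# Count include lines in profile $1 that pull in <local/$2>.  Matches
# `include if exists <local/NAME>`, `include <local/NAME>` and the legacy
# `#include ...` spelling; plain comment lines (`# ...`) do not match because
# the `#` must be immediately followed by `include`.
count_local_includes() {
    grep -E "^[[:space:]]*#?include([[:space:]]+if[[:space:]]+exists)?[[:space:]]+<local/$2>" "$1" \
        | wc -l | tr -d ' '
}

# Classify profile $1 (override name $2): missing, ok, or duplicate.
local_include_status() {
    case "$(count_local_includes "$1" "$2")" in
        0) echo missing ;;
        1) echo ok ;;
        *) echo duplicate ;;
    esac
}

# Print "status name" for every regular file in directory $1 (subdirectories
# such as local/ and tunables/ are skipped); exit 1 if any profile is not ok.
audit_profiles_dir() {
    rc=0
    for profile in "$1"/*; do
        [ -f "$profile" ] || continue
        name=$(basename "$profile")
        status=$(local_include_status "$profile" "$name")
        printf '%s %s\n' "$status" "$name"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample: write a trimmed fwknopd-style profile into a fresh temp
# directory and print its path.  Variants: missing (no local hook, like the
# shipped profile the report describes), patched (hook added as in the patch),
# duplicate (an unconditional include near the top plus the patched line, as in
# the configured-file dump in the report).
make_sample_profile() {
    variant=$1
    dir=$(mktemp -d)
    profile=$dir/usr.sbin.fwknopd
    {
        echo 'include <tunables/global>'
        echo '/usr/sbin/fwknopd {'
        echo '  include <abstractions/base>'
        if [ "$variant" = duplicate ]; then
            echo '  include <local/usr.sbin.fwknopd>'
        fi
        echo '  /etc/fwknop/access.conf r,'
        echo '  /etc/fwknop/fwknopd.conf r,'
        if [ "$variant" != missing ]; then
            echo '  # Site-specific additions and overrides. See local/README for details.'
            echo '  include if exists <local/usr.sbin.fwknopd>'
        fi
        echo '}'
    } > "$profile"
    echo "$profile"
}

# Usage: sh audit_local_includes.sh /etc/apparmor.d
if [ $# -gt 0 ]; then
    audit_profiles_dir "$1"
fi
```

A profile reported as `missing` is one where a rule dropped into `/etc/apparmor.d/local/` is silently ignored, which is exactly the failure mode the report hit; `duplicate` is harmless to the parser but worth cleaning up so the unconditional form does not break loading if the local file is ever removed.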