My change was already applied in
bind9 (1:9.10.3.dfsg.P2-4) experimental; urgency=medium

I don't know if it could be shipped by the sssd package, as the policy is for
the usr.bin.named binary.

On 2016/02/22 07:11, Timo Aaltonen wrote:
> 14.02.2016, 09:14, Filip Pytloun wrote:
> > Hello,
> > 
> > we are using Ubuntu 14.04 on FreeIPA clients and Ubuntu 16.04 on FreeIPA
> > server for 2 months with no critical issues.
> > 
> > Using newer freeipa-client was not needed, only sssd update from here,
> > because trusty version is buggy:
> > https://launchpad.net/~sssd/+archive/ubuntu/updates?field.series_filter=trusty
> > 
> > On server side, it was only needed to fix apparmor policy for bind to
> > fix FreeIPA DNS zones:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814314
> 
> /var/lib/sss* bits belong to the apparmor profile shipped by sssd..
> mind removing them from the bind profile and testing this to
> /etc/apparmor.d/usr.sbin.sssd instead?
> 
> @@ -33,6 +33,7 @@
> 
>    /var/lib/sss/* rw,
>    /var/lib/sss/db/* rwk,
> +  /var/lib/sss/mc/initgroups r,
>    /var/lib/sss/pipes/* rw,
>    /var/lib/sss/pipes/private/* rw,
>    /var/lib/sss/pubconf/* rw,
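Review bot: the added `/var/lib/sss/mc/initgroups r,` rule names a single file, while every neighbouring rule in this block uses a `*` glob, and nothing in the hunk says why only this file is needed. Since `*` does not cross `/`, the existing `/var/lib/sss/* rw,` does not cover anything under `/var/lib/sss/mc/`, so any other file in that directory stays denied. Please confirm from the AppArmor denial log that `initgroups` is the only path hit, and add a short comment above the rule saying which access it covers. Keeping it read-only (`r`) is the right call if that is all the log shows.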
> @@ -42,6 +43,7 @@
>    /{,var/}run/sssd.pid rw,
> 
>    profile /usr/lib/@{multiarch}/sssd/* {
> +    /var/lib/sss/pubconf/krb5.include.d/** rw,
>      /var/lib/sss/pubconf/krb5.include.d/ rw,
>    }
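Review bot: the added `/var/lib/sss/pubconf/krb5.include.d/** rw,` rule in the `/usr/lib/@{multiarch}/sssd/*` child profile uses `**`, which matches at any depth below `krb5.include.d/`, whereas the rest of the visible profile grants single-level `*` only. If the helpers only create files directly in that directory, `/var/lib/sss/pubconf/krb5.include.d/* rw,` is the tighter grant; otherwise a comment explaining why recursive write access is needed would help. The existing directory rule on the next line should stay, since neither glob matches the directory itself.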
> 
> 
> 
> -- 
> t


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
