"deny capability chown" was initially added for the PID file, see [1].
Failing to chown the PID or the control socket is only logged at higher
log level specifically to not generate noise when the chown capability
isn't available, see [2,3]. The "capability fowner" was removed based on

Currently, the unbound control socket is only accessible to root
requiring one to use "sudo unbound-control" (aka the bug at hand):

  $ ll /run/unbound.ctl
  srw-rw---- 1 root root 0 Feb 23 18:40 /run/unbound.ctl=

Re-introducing the chown/fowner caps would give us:

  $ ll /run/unbound.ctl
  srw-rw---- 1 unbound unbound 0 Feb 23 18:38 /run/unbound.ctl=

which would fix the bug at the expense of those additional caps.

I'd vote in favor of re-introducing the capability for the sake of not
having AppArmor "getting in the way". If that's OK with everyone, I'd
send the patch to Debian as well.

2: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
3: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1332
4: https://lists.ubuntu.com/archives/apparmor/2016-January/009278.html
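Two small checks a maintainer can run after deciding on the profile change, as an added example that is not part of the bug comment and not code from the unbound or AppArmor projects: one greps a profile text for the "capability chown," and "capability fowner," rules discussed above, the other takes an "ls -l" style line like the two shown in the comment and reports whether a given user could use the control socket without sudo. The profile fragments and ls lines are constructed for the example; the profile path /etc/apparmor.d/usr.sbin.unbound mentioned in a comment is an assumption.

```shell
#!/bin/sh
# Added example (not code from the bug report, unbound or AppArmor).
# 1. profile_has_caps: does a profile text grant both chown and fowner?
# 2. socket_access:    from an "ls -l" line, can USER reach the socket?
# The real profile on Ubuntu would be /etc/apparmor.d/usr.sbin.unbound
# (assumed path); here we only use constructed temp files.

# profile_has_caps FILE -> "yes" if FILE contains both
# "capability chown," and "capability fowner," rules, else "no".
profile_has_caps() {
    grep -Eq '^[[:space:]]*capability[[:space:]]+chown,' "$1" &&
    grep -Eq '^[[:space:]]*capability[[:space:]]+fowner,' "$1" &&
    echo yes || echo no
}

# socket_access LINE USER [GROUP...] -> "yes" if USER, a member of the
# listed GROUPs, has read+write permission on the socket described by
# the ls -l LINE (fields: mode links owner group size ... name).
socket_access() {
    line=$1; user=$2; shift 2
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    # Start from the "other" bits (chars 8-10), then upgrade to the
    # group bits (5-7) on a group match and owner bits (2-4) on owner match.
    bits=$(printf '%s' "$mode" | cut -c8-10)
    for grp in "$@"; do
        [ "$grp" = "$group" ] && bits=$(printf '%s' "$mode" | cut -c5-7)
    done
    [ "$owner" = "$user" ] && bits=$(printf '%s' "$mode" | cut -c2-4)
    case $bits in
        rw?) echo yes ;;
        *)   echo no ;;
    esac
}

# Constructed ls -l lines mirroring the two states shown in the comment.
ROOT_OWNED='srw-rw---- 1 root root 0 Feb 23 18:40 /run/unbound.ctl='
UNBOUND_OWNED='srw-rw---- 1 unbound unbound 0 Feb 23 18:38 /run/unbound.ctl='

# Constructed profile fragments: one without, one with the two caps.
PROFILE_WITHOUT=$(mktemp); PROFILE_WITH=$(mktemp)
printf '  capability setuid,\n  capability setgid,\n' > "$PROFILE_WITHOUT"
printf '  capability setuid,\n  capability chown,\n  capability fowner,\n' > "$PROFILE_WITH"

echo "profile without caps grants chown+fowner: $(profile_has_caps "$PROFILE_WITHOUT")"
echo "profile with caps grants chown+fowner:    $(profile_has_caps "$PROFILE_WITH")"
echo "root-owned socket usable by 'unbound':    $(socket_access "$ROOT_OWNED" unbound unbound)"
echo "unbound-owned socket usable by 'unbound': $(socket_access "$UNBOUND_OWNED" unbound unbound)"
rm -f "$PROFILE_WITHOUT" "$PROFILE_WITH"
```

The socket check deliberately reads only owner, group and mode, which is exactly what the two ll listings in the comment differ in: with root:root and 660 nobody but root passes, with unbound:unbound the unbound user and any member of the unbound group do.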


  unbound-control local socket broken by apparmor