diff --git a/profiles/apparmor.d/abstractions/apache2-common b/profiles/apparmor.d/abstractions/apache2-common
index 3088c0362..0c29c5bab 100644
--- a/profiles/apparmor.d/abstractions/apache2-common
+++ b/profiles/apparmor.d/abstractions/apache2-common
@@ -7,9 +7,9 @@
 # Allow unconfined processes to send us signals by default
 signal (receive) peer=unconfined,
 # Allow apache to send us signals by default
- signal (receive) peer=/usr/sbin/apache2,
+ signal (receive) peer=/usr/{bin,sbin}/apache2,
 # Allow other hats to signal by default
- signal peer=/usr/sbin/apache2//*,
+ signal peer=/usr/{bin,sbin}/apache2//*,
 # Allow us to signal ourselves
 signal peer=@{profile_name},
diff --git a/profiles/apparmor.d/abstractions/dovecot-common b/profiles/apparmor.d/abstractions/dovecot-common
index 327cc567d..08dc3311f 100644
--- a/profiles/apparmor.d/abstractions/dovecot-common
+++ b/profiles/apparmor.d/abstractions/dovecot-common
@@ -14,6 +14,6 @@
 deny capability block_suspend,
 # dovecot's master can send us signals
- signal receive peer=/usr/sbin/dovecot,
+ signal receive peer=/usr/{bin,sbin}/dovecot,
 /{var/,}run/dovecot/config rw,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-helpers b/profiles/apparmor.d/abstractions/ubuntu-helpers
index 62d284be2..3f0803f0b 100644
--- a/profiles/apparmor.d/abstractions/ubuntu-helpers
+++ b/profiles/apparmor.d/abstractions/ubuntu-helpers
@@ -46,9 +46,7 @@ profile sanitized_helper {
 # Allow exec of anything, but under this profile. Allow transition
 # to other profiles if they exist.
- /{usr/,}bin/* Pixr,
- /{usr/,}sbin/* Pixr,
- /usr/local/bin/* Pixr,
+ /{usr/,usr/local/,}{bin,sbin}/* Pixr,
 # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
 /usr/{,local/}lib*/{,**/}* Pixr,
diff --git a/profiles/apparmor.d/sbin.klogd b/profiles/apparmor.d/sbin.klogd
index f59db7a8b..f2ab87ca2 100644
--- a/profiles/apparmor.d/sbin.klogd
+++ b/profiles/apparmor.d/sbin.klogd
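Review bot: The rewritten rules `signal (receive) peer=/usr/{bin,sbin}/apache2,` and `signal peer=/usr/{bin,sbin}/apache2//*,` are AARE patterns (the hunk's own `//*` shows that `peer=` is globbed), so they match a sender whose label reads `/usr/bin/apache2` or `/usr/sbin/apache2`; the apache2 profile in this tree is declared without a `profile NAME`, and once its attachment becomes `/usr/{bin,sbin}/apache2` its label is presumably that literal brace string, which the glob does not match because `{…}` is alternation rather than literal text. Unless apparmor_parser canonicalises brace attachments into names (check the label shown by `aa-status` after loading), these two grants silently stop applying and the apache master and its hats lose the right to signal profiles that use this abstraction. The robust form is to name the main profile (`profile apache2 /usr/{bin,sbin}/apache2 …`) and reference it here as `peer=apache2,` and `peer=apache2//*,`, as this same diff already does for dnsmasq.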
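Review bot: `signal receive peer=/usr/{bin,sbin}/dovecot,` is a glob over the sender's label and matches only if the dovecot master runs under a label that is literally `/usr/bin/dovecot` or `/usr/sbin/dovecot`; the master profile in this diff stays unnamed with a `/usr/{bin,sbin}/dovecot` attachment, whose label is presumably the brace string itself, so the match this rule is meant to provide is doubtful. Confirm with `aa-status` or a live test that a child confined through this abstraction still accepts signals from the master; if it does not, name the master profile and write `signal receive peer=dovecot,` here.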
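Review bot: The consolidated `/{usr/,usr/local/,}{bin,sbin}/* Pixr,` expands to six directories, and one of them, `/usr/local/sbin/*`, was not covered by the three removed rules (`/{usr/,}bin/*`, `/{usr/,}sbin/*`, `/usr/local/bin/*`), so sanitized_helper now additionally permits executing anything in `/usr/local/sbin`. That is an admin-managed directory that usually holds privileged local tooling, so the widening should either be stated (`# /usr/local/sbin is newly covered here, to match the merged-usr layout`) or avoided by keeping `/usr/local/bin/* Pixr,` on its own line beside `/{usr/,}{bin,sbin}/* Pixr,`. The enclosing `profile sanitized_helper {` block starts and ends outside this hunk.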
@@ -11,7 +11,7 @@
 #include
-profile klogd /{usr/,}sbin/klogd {
+profile klogd /{usr/,}{bin,sbin}/klogd {
 #include
 capability sys_admin, # for backward compatibility with kernel <= 2.6.37
@@ -21,10 +21,10 @@ profile klogd /{usr/,}sbin/klogd {
 /boot/System.map* r,
 @{PROC}/kmsg r,
- @{PROC}/kallsyms r,
+ @{PROC}/kallsyms r,
 /dev/tty rw,
- /{usr/,}sbin/klogd rmix,
+ /{usr/,}{bin,sbin}/klogd rmix,
 /var/log/boot.msg rwl,
 /{,var/}run/klogd.pid krwl,
 /{,var/}run/klogd/klogd.pid krwl,
diff --git a/profiles/apparmor.d/sbin.syslog-ng b/profiles/apparmor.d/sbin.syslog-ng
index 240aacc61..b179b3e6c 100644
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -15,7 +15,7 @@
 #define this to be where syslog-ng is chrooted
 @{CHROOT_BASE}=""
-profile syslog-ng /{usr/,}sbin/syslog-ng {
+profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
 #include
 #include
 #include
@@ -46,7 +46,7 @@ profile syslog-ng /{usr/,}sbin/syslog-ng {
 @{PROC}/kmsg r,
 /etc/hosts.deny r,
 /etc/hosts.allow r,
- /{usr/,}sbin/syslog-ng mr,
+ /{usr/,}{bin,sbin}/syslog-ng mr,
 /sys/devices/system/cpu/online r,
 /usr/share/syslog-ng/** r,
 /var/lib/syslog-ng/syslog-ng-?????.qf rw,
diff --git a/profiles/apparmor.d/sbin.syslogd b/profiles/apparmor.d/sbin.syslogd
index 56af397bb..d8f65d65f 100644
--- a/profiles/apparmor.d/sbin.syslogd
+++ b/profiles/apparmor.d/sbin.syslogd
@@ -11,7 +11,7 @@
 #include
-profile syslogd /{usr/,}sbin/syslogd {
+profile syslogd /{usr/,}{bin,sbin}/syslogd {
 #include
 #include
 #include
@@ -32,7 +32,7 @@ profile syslogd /{usr/,}sbin/syslogd {
 /dev/tty* w,
 /dev/xconsole rw,
 /etc/syslog.conf r,
- /{usr/,}sbin/syslogd rmix,
+ /{usr/,}{bin,sbin}/syslogd rmix,
 /var/log/** rw,
 /{,var/}run/syslogd.pid krwl,
 /{,var/}run/utmp rw,
diff --git a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
index 2041d5bc7..d601d503c 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
@@ -29,14 +29,14 @@
 /run/dovecot/auth-userdb rw,
 /usr/bin/doveconf mrix,
 /usr/lib/dovecot/dovecot-lda mrix,
- /usr/sbin/sendmail Cx,
+ /usr/{bin,sbin}/sendmail Cx,
 /usr/share/dovecot/protocols.d/ r,
 # Site-specific additions and overrides. See local/README for details.
 #include
- profile /usr/sbin/sendmail flags=(attach_disconnected) {
+ profile /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
 # this profile is based on the usr.sbin.sendmail profile in extras
 # and should support both postfix' and sendmail's sendmail binary
@@ -69,13 +69,13 @@
 /usr/lib/postfix/master Px,
 /usr/lib/postfix/showq Px,
 /usr/lib/postfix/smtpd Px,
- /usr/sbin/postalias Px,
- /usr/sbin/postdrop Px,
- /usr/sbin/postfix Px,
- /usr/sbin/postqueue Px,
- /usr/sbin/sendmail mrix,
- /usr/sbin/sendmail.postfix mrix,
- /usr/sbin/sendmail.sendmail mrix,
+ /usr/{bin,sbin}/postalias Px,
+ /usr/{bin,sbin}/postdrop Px,
+ /usr/{bin,sbin}/postfix Px,
+ /usr/{bin,sbin}/postqueue Px,
+ /usr/{bin,sbin}/sendmail mrix,
+ /usr/{bin,sbin}/sendmail.postfix mrix,
+ /usr/{bin,sbin}/sendmail.sendmail mrix,
 /{var/,}run/sendmail.pid rwl,
 /{var/,}run/sm-client.pid rwl,
 /{var/,}run/utmp rw,
diff --git a/profiles/apparmor.d/usr.sbin.apache2 b/profiles/apparmor.d/usr.sbin.apache2
index 25a147f28..e82733cd7 100644
--- a/profiles/apparmor.d/usr.sbin.apache2
+++ b/profiles/apparmor.d/usr.sbin.apache2
@@ -1,7 +1,7 @@
 # Author: Marc Deslauriers
 #include
-/usr/sbin/apache2 {
+/usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
 # This profile is completely permissive.
 # It is designed to target specific applications using mod_apparmor,
diff --git a/profiles/apparmor.d/usr.sbin.avahi-daemon b/profiles/apparmor.d/usr.sbin.avahi-daemon
index fa0fb3c94..3d1b1b8d6 100644
--- a/profiles/apparmor.d/usr.sbin.avahi-daemon
+++ b/profiles/apparmor.d/usr.sbin.avahi-daemon
@@ -1,5 +1,5 @@
 #include
-/usr/sbin/avahi-daemon {
+/usr/{bin,sbin}/avahi-daemon {
 #include
 #include
 #include
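Review bot: `flags=(attach_disconnected)` is new on the usr.sbin.apache2 profile header, carries no comment, and is unrelated to the `/usr/{bin,sbin}` rename the rest of the diff performs; it makes the kernel resolve paths of files that are disconnected from the namespace root as though they hung off `/`, which changes what the profile's path rules can match. Even though the context lines call this profile "completely permissive", a flag that alters path resolution deserves a why-comment on the header, e.g. `# attach_disconnected: <what breaks without it, and the bug reference>`, or its own commit with the trigger in the message. Separately, keeping the profile unnamed makes its label the literal string `/usr/{bin,sbin}/apache2`; `profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {` gives `peer=` rules and log-based tooling a stable name. The profile body continues outside this hunk.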
@@ -20,7 +20,7 @@
 /etc/avahi/services/ r,
 /etc/avahi/services/*.service r,
 @{PROC}/@{pid}/fd/ r,
- /usr/sbin/avahi-daemon mr,
+ /usr/{bin,sbin}/avahi-daemon mr,
 /usr/share/avahi/introspection/*.introspect r,
 /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
 /{,var/}run/avahi-daemon/ w,
diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
index a53bf4e4c..c303a49bc 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -12,7 +12,7 @@
 @{TFTP_DIR}=/var/tftp /srv/tftpboot
 #include
-/usr/sbin/dnsmasq flags=(attach_disconnected) {
+profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
 #include
 #include
 #include
@@ -26,8 +26,8 @@
 network inet raw,
 network inet6 raw,
- signal (receive) peer=/usr/sbin/libvirtd,
- ptrace (readby) peer=/usr/sbin/libvirtd,
+ signal (receive) peer=/usr/{bin,sbin}/libvirtd,
+ ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
 owner /dev/tty rw,
@@ -40,7 +40,7 @@
 /etc/NetworkManager/dnsmasq.d/ r,
 /etc/NetworkManager/dnsmasq.d/* r,
- /usr/sbin/dnsmasq mr,
+ /usr/{bin,sbin}/dnsmasq mr,
 /{,var/}run/*dnsmasq*.pid w,
 /{,var/}run/dnsmasq-forwarders.conf r,
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index e3a85fa02..4b0fd04f6 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -12,7 +12,7 @@
 #include
-/usr/sbin/dovecot flags=(attach_disconnected) {
+/usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
 #include
 #include
 #include
@@ -55,7 +55,7 @@
 /usr/lib/dovecot/ssl-build-param rix,
 /usr/lib/dovecot/ssl-params mrPx,
 /usr/lib/dovecot/stats Px,
- /usr/sbin/dovecot mrix,
+ /usr/{bin,sbin}/dovecot mrix,
 /usr/share/dovecot/protocols.d/ r,
 /usr/share/dovecot/protocols.d/** r,
 /var/lib/dovecot/ w,
diff --git a/profiles/apparmor.d/usr.sbin.identd b/profiles/apparmor.d/usr.sbin.identd
index baca3012a..b19a21ba0 100644
--- a/profiles/apparmor.d/usr.sbin.identd
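Review bot: `profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {` changes this profile's label from the path `/usr/sbin/dnsmasq` to `dnsmasq`, and nothing in the hunk records that. That is the right direction (it is what keeps `peer=` matching sane once the attachment contains braces), but it breaks any policy outside this tree that names dnsmasq in a `peer=` rule — libvirt's libvirtd profile is the obvious candidate — and any audit-log consumer keyed on `profile="/usr/sbin/dnsmasq"`. Add a comment on the header such as `# named profile: label is "dnsmasq", not the path; update peer= rules elsewhere` and call the rename out in the commit message. The profile body continues outside this hunk.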
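Review bot: `signal (receive) peer=/usr/{bin,sbin}/libvirtd,` and `ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,` assume libvirtd is still confined under a path-shaped label; if the installed libvirtd profile is a named one (recent libvirt presumably ships `profile libvirtd …` — verify against the version you target), this glob never matches and libvirtd loses the signal and ptrace access these rules are meant to grant. Either confirm the label with `aa-status` on a system running both, or write the rules against the name, `peer=libvirtd,`, with a comment stating which libvirt version that name comes from.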
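Review bot: `/usr/{bin,sbin}/dovecot flags=(attach_disconnected) {` keeps the master profile unnamed, so its label is presumably the literal attachment string including the braces, while abstractions/dovecot-common's `signal receive peer=/usr/{bin,sbin}/dovecot` is a glob that matches `/usr/bin/dovecot` or `/usr/sbin/dovecot` and not that literal — the master-to-child signal grant is therefore likely lost unless apparmor_parser canonicalises the name, which should be confirmed with `aa-status`. Naming the profile, `profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {`, and switching the abstraction to `peer=dovecot,` removes the ambiguity, exactly as this diff already does for dnsmasq. The profile body continues outside this hunk.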
+++ b/profiles/apparmor.d/usr.sbin.identd
@@ -11,7 +11,7 @@
 #include
-/usr/sbin/identd {
+/usr/{bin,sbin}/identd {
 #include
 #include
 capability net_bind_service,
@@ -20,7 +20,7 @@
 /etc/identd.conf r,
 /etc/identd.key r,
 /etc/identd.pid w,
- /usr/sbin/identd rmix,
+ /usr/{bin,sbin}/identd rmix,
 @{PROC}/net/tcp r,
 @{PROC}/net/tcp6 r,
 /{,var/}run/identd.pid w,
diff --git a/profiles/apparmor.d/usr.sbin.mdnsd b/profiles/apparmor.d/usr.sbin.mdnsd
index e470808b4..4bf275e45 100644
--- a/profiles/apparmor.d/usr.sbin.mdnsd
+++ b/profiles/apparmor.d/usr.sbin.mdnsd
@@ -11,7 +11,7 @@
 #include
-/usr/sbin/mdnsd {
+/usr/{bin,sbin}/mdnsd {
 #include
 #include
 #include
@@ -24,7 +24,7 @@
 network netlink dgram,
- /usr/sbin/mdnsd rmix,
+ /usr/{bin,sbin}/mdnsd rmix,
 @{PROC}/net/ r,
 @{PROC}/net/unix r,
diff --git a/profiles/apparmor.d/usr.sbin.nmbd b/profiles/apparmor.d/usr.sbin.nmbd
index 976401b13..d0c4cf3d1 100644
--- a/profiles/apparmor.d/usr.sbin.nmbd
+++ b/profiles/apparmor.d/usr.sbin.nmbd
@@ -1,6 +1,6 @@
 #include
-/usr/sbin/nmbd {
+/usr/{bin,sbin}/nmbd {
 #include
 #include
 #include
@@ -9,7 +9,7 @@
 @{PROC}/sys/kernel/core_pattern r,
- /usr/sbin/nmbd mr,
+ /usr/{bin,sbin}/nmbd mr,
 /var/cache/samba/gencache.tdb rwk,
 /var/{cache,lib}/samba/browse.dat* rw,
diff --git a/profiles/apparmor.d/usr.sbin.nscd b/profiles/apparmor.d/usr.sbin.nscd
index 46d3e2b36..c8dfd19f6 100644
--- a/profiles/apparmor.d/usr.sbin.nscd
+++ b/profiles/apparmor.d/usr.sbin.nscd
@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 #include
-/usr/sbin/nscd {
+/usr/{bin,sbin}/nscd {
 #include
 #include
 #include
@@ -23,7 +23,7 @@
 /etc/netgroup r,
 /etc/nscd.conf r,
- /usr/sbin/nscd rmix,
+ /usr/{bin,sbin}/nscd rmix,
 /{,var/}run/.nscd_socket wl,
 /{,var/}run/nscd/ rw,
 /{,var/}run/nscd/db* rwl,
diff --git a/profiles/apparmor.d/usr.sbin.ntpd b/profiles/apparmor.d/usr.sbin.ntpd
index 644d8da39..6e9e08136 100644
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -11,7 +11,7 @@
 #include
 #include
-/usr/sbin/ntpd flags=(attach_disconnected) {
+/usr/{bin,sbin}/ntpd flags=(attach_disconnected) {
 #include
 #include
 #include
@@ -40,7 +40,7 @@
 /tmp/ntp* rwl,
 /{usr/,usr/local/,}{s,}bin/ r,
- /usr/sbin/ntpd rmix,
+ /usr/{bin,sbin}/ntpd rmix,
 /var/lib/ntp/drift rwl,
 /var/lib/ntp/drift.TEMP rwl,
 /var/lib/ntp/drift/driftfile rw,
diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
index a9d8d330d..4ce469b4d 100644
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -1,6 +1,6 @@
 #include
-/usr/sbin/smbd {
+/usr/{bin,sbin}/smbd {
 #include
 #include
 #include
@@ -37,8 +37,8 @@
 /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
 /usr/lib/@{multiarch}/samba/**/ r,
 /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
- /usr/sbin/smbd mr,
- /usr/sbin/smbldap-useradd Px,
+ /usr/{bin,sbin}/smbd mr,
+ /usr/{bin,sbin}/smbldap-useradd Px,
 /var/cache/samba/** rwk,
 /var/{cache,lib}/samba/printing/printers.tdb mrw,
 /var/lib/samba/** rwk,
diff --git a/profiles/apparmor.d/usr.sbin.smbldap-useradd b/profiles/apparmor.d/usr.sbin.smbldap-useradd
index a2eb1c17f..7b37bdde3 100644
--- a/profiles/apparmor.d/usr.sbin.smbldap-useradd
+++ b/profiles/apparmor.d/usr.sbin.smbldap-useradd
@@ -1,7 +1,7 @@
 # Last Modified: Tue Jan 3 00:17:40 2012
 #include
-/usr/sbin/smbldap-useradd {
+/usr/{bin,sbin}/smbldap-useradd {
 #include
 #include
 #include
@@ -13,8 +13,8 @@
 /etc/shadow r,
 /etc/smbldap-tools/smbldap.conf r,
 /etc/smbldap-tools/smbldap_bind.conf r,
- /usr/sbin/smbldap-useradd r,
- /usr/sbin/smbldap_tools.pm r,
+ /usr/{bin,sbin}/smbldap-useradd r,
+ /usr/{bin,sbin}/smbldap_tools.pm r,
 /var/log/samba/log.smbd w,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/usr.sbin.traceroute b/profiles/apparmor.d/usr.sbin.traceroute
index ac58aa2fe..25b32e621 100644
--- a/profiles/apparmor.d/usr.sbin.traceroute
+++ b/profiles/apparmor.d/usr.sbin.traceroute
@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 #include
-/usr/{sbin/traceroute,bin/traceroute.db} {
+/usr/{{bin,sbin}/traceroute,bin/traceroute.db} {
 #include
 #include
 #include
@@ -21,7 +21,7 @@
 network inet raw,
 network inet6 raw,
- /usr/sbin/traceroute mrix,
+ /usr/{bin,sbin}/traceroute mrix,
 /usr/bin/traceroute.db mrix,
 @{PROC}/net/route r,
 @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd
index afe54253f..f80aeee6c 100644
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@@ -1,6 +1,6 @@
 #include
-/usr/sbin/winbindd {
+/usr/{bin,sbin}/winbindd {
 #include
 #include
 #include
@@ -24,7 +24,7 @@
 /usr/lib*/samba/idmap/*.so mr,
 /usr/lib*/samba/nss_info/*.so mr,
 /usr/lib*/samba/pdb/*.so mr,
- /usr/sbin/winbindd mr,
+ /usr/{bin,sbin}/winbindd mr,
 /var/cache/krb5rcache/* rw,
 /var/cache/samba/*.tdb rwk,
 /var/log/samba/log.winbindd rw,