From 3ef8df6ac05057e46720b2eba099bad3416f763b Mon Sep 17 00:00:00 2001
From: Petr Vorel
Date: Fri, 7 Dec 2018 23:40:19 +0100
Subject: [PATCH 1/2] dnsmasq: Adjust pattern for log files to comply SELinux i.e. move '*' from beginning to before suffix. Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added pattern, which is not compatible with SELinux. As this pattern has been in SELinux since 2011 (with recent change to accept '.log' suffix + logrotate patterns which are not relevant to AppArmor) IMHO it's better to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")
Signed-off-by: Petr Vorel
---
 profiles/apparmor.d/usr.sbin.dnsmasq | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
index fba51259d..f14a370a2 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -45,7 +45,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
 /usr/{bin,sbin}/dnsmasq mr,
- /var/log/*dnsmasq.log w,
+ /var/log/dnsmasq*.log w,
 /usr/share/dnsmasq/ r,
 /usr/share/dnsmasq/* r,
From 49848b90817a923c9cf3f6ee534d02442bf0ff80 Mon Sep 17 00:00:00 2001
From: Petr Vorel
Date: Fri, 7 Dec 2018 23:42:53 +0100
Subject: [PATCH 2/2] dnsmasq: Add pid file used by NetworkManager
Signed-off-by: Petr Vorel
---
 profiles/apparmor.d/usr.sbin.dnsmasq | 1 +
 1 file changed, 1 insertion(+)
diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
index f14a370a2..a308e3f71 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -96,6 +96,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
 /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
 /{,var/}run/NetworkManager/dnsmasq.conf r,
 /{,var/}run/NetworkManager/dnsmasq.pid w,
+ /{,var/}run/NetworkManager/NetworkManager.pid w,
 profile libvirt_leaseshelper {
 #include
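Review bot: Moving the glob in `/var/log/dnsmasq*.log w,` drops write access for any log name that carries a prefix before `dnsmasq`, which the old `*dnsmasq.log` form allowed, and nothing in the profile tells a reader why the pattern has this shape. A dnsmasq instance pointed at such a prefixed path through `--log-facility` would start producing AppArmor denials after the update, so it is worth confirming that the form introduced in 025c7dc6 had no users. I would add a comment above the rule, `# log file pattern kept in line with the SELinux policy (dnsmasq*.log)`, so the constraint is recorded next to the rule and not only in the commit message. The profile body starts and ends outside this hunk.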
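Review bot: The added rule `/{,var/}run/NetworkManager/NetworkManager.pid w,` gives the confined dnsmasq write access to NetworkManager's own pid file, and neither the commit message nor the hunk explains why dnsmasq needs it. The neighbouring rules cover a file dnsmasq owns (`dnsmasq.pid w`) or only reads (`dnsmasq.conf r`), so this line widens the profile to another daemon's state file, and anything that relies on that pid file would then depend on data a misbehaving dnsmasq could alter. If the access is only a descriptor inherited from the parent process (an assumption, not visible here), the logged denial that motivated the rule should be quoted in the commit description. The rule should also carry a comment such as `# TODO: document why dnsmasq needs write access to NetworkManager.pid (inherited fd?)`. The profile continues outside this hunk.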