Original openSUSE changelog entry:
Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de
- Splitted ldap related things from nameservice into separate
profile and added some missing paths (bnc#662761)
- fix permissions for additional-log-sockets.conf (the comma in {var/,}
was at the wrong place, which broke the /var/run/ case)
- add read permissions for /sys/devices/system/cpu/online
(that was even new for Peter, but I trust him not to post faked
audit.log lines ;-)
Acked-by: John Johansen <john.johansen@canonical.com>
Subject: apparmor-profiles: Add samba config files
References: bnc#679182 bnc#666450
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
- updated to match trunk
- added changed path to nmbd profile (/var/cache/samba has moved to
/var/lib/samba on (at least) openSUSE 11.4), bnc#679182#c8
For backward compability, it also allows /var/spool/samba.
- Note: The smbd profile already contains both locations.
by Christian Boltz <apparmor@cboltz.de>
updated according to the comments from Steve Beattie
by Christian Boltz <apparmor@cboltz.de>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- allow /var/spool/mail, not only the /var/mail symlink
- allow @{HOME}/Mail/
- allow capability fsetid, read access to /etc/lsb-release and
SuSE-release and k for /var/{lib,run}/dovecot in usr.bin.dovecot
References:
- dovecot: Added support for /var/spool/mail (bnc#691072)
- Updated dovecot profile (bnc#681267).
Patch taken from openSUSE:11.4:Update:Test, file apparmor-profiles-dovecot
updated to match trunk by Christian Boltz <apparmor@cboltz.de>
Change compared to the patch posted to the ML:
- link rule instead of adding l permissions for /var/lib/dovecot and
/var/run/dovecot (as proposed by John Johansen)
Acked-By: John Johansen <john.johansen@canonical.com> on IRC
to switch to a non-root user. unscd is installed as /usr/sbin/nscd
at least at openSUSE.
Original changelog entry from unscd package:
Mon Sep 7 17:30:36 CEST 2009 - pbaudis[at]suse.cz
- Provide the /etc/apparmor.d/usr.sbin.nscd file and make it allow
for change to the nobody user [bnc#535467]
Currently the nscd package from glibc and the unscd package both contain
a usr.sbin.nscd profile which needs to maintained/updated manually.
With this patch, the profile could be moved back to the
apparmor-profiles package.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
profiles.
It also adds a comment to the klogd profile that capability sys_admin is
only needed for backward compatibility with older kernels.
Acked-by: John Johansen <john.johansen@canonical.com>
in merging in the opensuse fixes to the dhclient profile. It does so
by merging them, using the profile for dhclient-script if it exists
and inheriting dhclient's profile if it does not.
Subject: Fix for sshd profile
References: bnc#457072
Without this patch, sshd won't work in enforce mode.
libselinux accesses /proc/filesystems to determine if it's enabled
bash won't execute
audit_control is probably from libselinux too
Updated by Christian Boltz <apparmor@cboltz.de>:
- add /proc/*/oom_adj and oom_score_adj rw
- add /var/log/btmp r
- add /var/log/lastlog k
- removed capability sys_ptrace - doesn't seem to be needed
- changed all login shells to rUx, not only bash
- removed /proc/filesystems (already part of abstractions/base)
Acked-By: John Johansen <john.johansen@canonical.com>
with the following note:
ACK because I don't see a choice right now but for the 3.0 release
(next year) I'll ask you to retest and add newer audit controls.
Changed /var/run/cups/** rw, to
/{,var/}run/cups/ rw,
/{,var/}run/cups/** rw,
as requested by Steve Beattie
With this change:
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: dnsmasq: Profile fixes
References: bnc#666090 bnc#678749
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Updated to match master by
Christian Boltz <apparmor@cboltz.de>
Updated for systemd (/{,var/},run/ instead of /var/run/) by
Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie
With this change:
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
(final confirmation on IRC in #apparmor)
updated to match master by
Christian Boltz <apparmor@cboltz.de>
updated to work with systemd (/{,var/}run/ instead of /var/run)
Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie
With this change:
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: dhcpd: Fix apparmor profile
References: bnc#692428
This patch adds the network rules needed, corrects the path to dhcpd.leases,
and adds the path for TSIG DNS keys.
Reported-by: Andrew Beames <suseforum@roocomputing.co.uk>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
updated to match trunk by
Christian Boltz <apparmor@cboltz.de>
updated to use
/var/lib/dhcp/{db/,}dhcpd.leases* rwl,
(instead of just /var/lib/dhcp/db/dhcpd.leases* rwl) to keep the profile
Ubuntu-compatible as requested by Steve Beattie.
With this change:
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: profiles: Add openssl abstraction
References: bnc#623886
Profiles that use openssl have been adding the openssl files piecemeal.
This patch creates a new openssl abstraction that can be inherited by
all profiles that use it.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Patch for
- profiles/apparmor.d/abstractions/ssl_certs
- profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork (second chunk)
updated by Christian Boltz <apparmor@cboltz.de>
(didn't apply to trunk)
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Copyright header in profiles/apparmor.d/abstractions/openssl added by
Christian Boltz <apparmor@cboltz.de>
Subject: profile: ntpd -N needs sys_nice
References: bnc#657054
ntpd -N allows the administrator to increase or decrease priority of the
ntp server. Since the profile doesn't allow it, the operation is denied.
This patch adds support for that operation.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
