Original openSUSE changelog entry:
Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de
- Splitted ldap related things from nameservice into separate
profile and added some missing paths (bnc#662761)
- fix permissions for additional-log-sockets.conf (the comma in {var/,}
was at the wrong place, which broke the /var/run/ case)
- add read permissions for /sys/devices/system/cpu/online
(that was even new for Peter, but I trust him not to post faked
audit.log lines ;-)
Acked-by: John Johansen <john.johansen@canonical.com>
Subject: apparmor-profiles: Add samba config files
References: bnc#679182 bnc#666450
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
- updated to match trunk
- added changed path to nmbd profile (/var/cache/samba has moved to
/var/lib/samba on (at least) openSUSE 11.4), bnc#679182#c8
For backward compability, it also allows /var/spool/samba.
- Note: The smbd profile already contains both locations.
by Christian Boltz <apparmor@cboltz.de>
updated according to the comments from Steve Beattie
by Christian Boltz <apparmor@cboltz.de>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- allow /var/spool/mail, not only the /var/mail symlink
- allow @{HOME}/Mail/
- allow capability fsetid, read access to /etc/lsb-release and
SuSE-release and k for /var/{lib,run}/dovecot in usr.bin.dovecot
References:
- dovecot: Added support for /var/spool/mail (bnc#691072)
- Updated dovecot profile (bnc#681267).
Patch taken from openSUSE:11.4:Update:Test, file apparmor-profiles-dovecot
updated to match trunk by Christian Boltz <apparmor@cboltz.de>
Change compared to the patch posted to the ML:
- link rule instead of adding l permissions for /var/lib/dovecot and
/var/run/dovecot (as proposed by John Johansen)
Acked-By: John Johansen <john.johansen@canonical.com> on IRC
to switch to a non-root user. unscd is installed as /usr/sbin/nscd
at least at openSUSE.
Original changelog entry from unscd package:
Mon Sep 7 17:30:36 CEST 2009 - pbaudis[at]suse.cz
- Provide the /etc/apparmor.d/usr.sbin.nscd file and make it allow
for change to the nobody user [bnc#535467]
Currently the nscd package from glibc and the unscd package both contain
a usr.sbin.nscd profile which needs to maintained/updated manually.
With this patch, the profile could be moved back to the
apparmor-profiles package.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
profiles.
It also adds a comment to the klogd profile that capability sys_admin is
only needed for backward compatibility with older kernels.
Acked-by: John Johansen <john.johansen@canonical.com>
Subject: dnsmasq: Profile fixes
References: bnc#666090 bnc#678749
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Updated to match master by
Christian Boltz <apparmor@cboltz.de>
Updated for systemd (/{,var/},run/ instead of /var/run/) by
Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie
With this change:
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
(final confirmation on IRC in #apparmor)
updated to match master by
Christian Boltz <apparmor@cboltz.de>
updated to work with systemd (/{,var/}run/ instead of /var/run)
Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie
With this change:
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: profiles: Add openssl abstraction
References: bnc#623886
Profiles that use openssl have been adding the openssl files piecemeal.
This patch creates a new openssl abstraction that can be inherited by
all profiles that use it.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Patch for
- profiles/apparmor.d/abstractions/ssl_certs
- profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork (second chunk)
updated by Christian Boltz <apparmor@cboltz.de>
(didn't apply to trunk)
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Copyright header in profiles/apparmor.d/abstractions/openssl added by
Christian Boltz <apparmor@cboltz.de>
Subject: profile: ntpd -N needs sys_nice
References: bnc#657054
ntpd -N allows the administrator to increase or decrease priority of the
ntp server. Since the profile doesn't allow it, the operation is denied.
This patch adds support for that operation.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Johansen, use 'ix' instead of 'Pix' for dbus-launch since if someone happens to
define a profile for dbus-launch and it is loosely confined, then users of this
abstraction could end up launching a program via dbus-launch in a less confined
manner than intended. This sort of thing should not be possible via an
abstraction (and people are always free to profile using Pix if they prefer).
Steve Langasek <steve.langasek@linaro.org>,
Steve Beattie <sbeattie@ubuntu.com>
Description: add multiarch support to abstractions
Bug-Ubuntu: https://bugs.launchpad.net/bugs/736870
This patch add multiarch support for common shared library locations, as
well as a tunables file and directory to ease adding addiotional
multiarch paths.
Bug: https://launchpad.net/bugs/736870
Subject: apparmor: Fix incorrect /proc/*/sys usage in usr.sbin.ntpd
References: bnc#634801
/proc/sys/kernel exists, but /proc/*/sys/kernel doesn't. This patch
fixes the profile.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- allow net_admin capability for DHCP server
- allow net_raw and network inet raw for ICMP pings when used as a DHCP
server
- allow read and write access to libvirt pid files for dnsmasq
See the FAQ in the dnsmasq source for details. This fixes
https://launchpad.net/bugs/697239
