mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-06 17:31:01 +01:00
b77116e6af
Also adjust the signal rules in the dovecot-common and apache2-common
abstractions to match the profile names, and to really do that
(peer=...{bin,sbin}... didn't work, the correct syntax would have been
peer=...\{bin,sbin\}...)
This fixes the regression introduced by !149 / commit
4200932d8f
34 lines
858 B
Text
34 lines
858 B
Text
# vim:syntax=apparmor
|
|
|
|
# This file contains basic permissions for Apache and every vHost
|
|
|
|
#include <abstractions/nameservice>
|
|
|
|
# Allow unconfined processes to send us signals by default
|
|
signal (receive) peer=unconfined,
|
|
# Allow apache to send us signals by default
|
|
signal (receive) peer=apache2,
|
|
# Allow other hats to signal by default
|
|
signal peer=apache2//*,
|
|
# Allow us to signal ourselves
|
|
signal peer=@{profile_name},
|
|
|
|
# Apache
|
|
network inet stream,
|
|
network inet6 stream,
|
|
# apache manual, error pages and icons
|
|
/usr/share/apache2/** r,
|
|
|
|
# changehat itself
|
|
@{PROC}/@{pid}/attr/current rw,
|
|
|
|
# htaccess files - for what ever it is worth
|
|
/**/.htaccess r,
|
|
|
|
/dev/urandom r,
|
|
|
|
# sasl-auth
|
|
/run/saslauthd/mux rw,
|
|
|
|
# OCSP stapling
|
|
/{var/,}run/lock/apache2/stapling-cache* rw,
|