[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-refresh into lp:apparmor-profiles
Seth Arnold
seth.arnold at canonical.com
Tue Jan 12 20:13:11 UTC 2016
Simon, that's great. Nice job :) Since the error message is essentially harmless, and granting the permissions wouldn't actually allow the unlink anyway (since we're doing the chroot too), I think we can also ignore giving these permissions to unbound. We could add "deny" lines to silence the AppArmor denials but that might mask actual problems if unbound is modified in the future to require these privileges.
So, I propose we skip the new capabilities if we can; the new file rules look sane, adding those sounds like a good idea.
Does that sound fair?
Thanks
--
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230
Your team AppArmor Developers is requested to review the proposed merge of lp:~sdeziel/apparmor-profiles/unbound-refresh into lp:apparmor-profiles.