[apparmor] unbound profile / chown
Simon Deziel
simon.deziel at gmail.com
Sun May 29 19:21:54 UTC 2016
Hi Christian,
On 2016-05-29 11:34 AM, Christian Boltz wrote:
> I just updated my system to the latest unbound profile from
> lp:apparmor-profiles/ubuntu/16.10.
>
> unbound works without problems, but I get chown denials logged.
>
> I'm using unbound 1.5.8, which already includes the patches from
> https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
> (at least the changelog says so ;-)
The behavior with 1.5.8 is to attempt chown'ing only if the PID is in
the chroot or if no chroot is used. I must have _wrongly_ assumed that
chroot was the default in Debian/Ubuntu so I removed the deny rule.
> Do we need to explicitly "deny capability chown," in the profile?
Since the original issue remains, I think it should be re-added [1].
In the meantime, you might want to try the chroot feature :)
chroot: "/var/lib/unbound"
Thank you,
Simon
1: https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-chown/+merge/296005