[apparmor] [PATCH] Update nscd profile to add /etc/netconfig

Christian Boltz apparmor at cboltz.de
Wed Oct 18 15:22:52 UTC 2017


Hello,

On Wednesday, 18 October 2017, 16:10:20 CEST, Goldwyn Rodrigues wrote:
> This is required for starting nscd.
> /etc/netconfig is required by the tirpc library which nscd uses.
> nscd[1130]: rpc: failed to open /etc/netconfig
> 
> References: https://bugzilla.suse.com/show_bug.cgi?id=1062244
> 
> Signed-off-by: Goldwyn Rodrigues <rgoldwyn at suse.com>
> ---
> diff --git a/profiles/apparmor.d/usr.sbin.nscd
> b/profiles/apparmor.d/usr.sbin.nscd index 46d3e2b3..987f542e 100644
> --- a/profiles/apparmor.d/usr.sbin.nscd
> +++ b/profiles/apparmor.d/usr.sbin.nscd
> @@ -23,6 +23,7 @@
> 
>    /etc/netgroup r,
>    /etc/nscd.conf r,
> +  /etc/netconfig r,
>    /usr/sbin/nscd rmix,
>    /{,var/}run/.nscd_socket wl,
>    /{,var/}run/nscd/ rw,
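
Review bot: the added `/etc/netconfig r,` rule grants the read to nscd only, although the commit message attributes the need to the tirpc library rather than to nscd itself, so any other confined program that loads that library would hit the same "failed to open /etc/netconfig" denial. Consider putting the rule in a shared abstraction instead of this one profile. If it stays in usr.sbin.nscd, it sorts before `/etc/netgroup r,`, not after `/etc/nscd.conf r,`.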

The funny thing is that I submitted a similar patch to Tumbleweed
yesterday after a discussion on the opensuse-factory mailing list:
    https://build.opensuse.org/request/show/534597

The mailing list discussion indicates that

    every package linked against libtirpc or loading a shared library or
    plugin linked against libtirpc needs to be able to read /etc/netconfig.
    So, if somebody enables NIS on his system, every application could
    end in the situation to need access to that file.

(that's from Thorsten Kukuk, 
https://lists.opensuse.org/opensuse-factory/2017-10/msg00401.html )

rpm -e --test libtirpc3   lists several packages, for example nfs-client,
ypbind, rpcbind, autofs and xinetd.

Therefore I propose the following alternative patch that adds
/etc/netconfig to abstractions/nameservice instead.

(If you think I should use another comment in the patch, tell me. I'm
not familiar with NIS etc., so there are chances that the comment isn't
perfect ;-)


I propose this patch for 2.9..trunk.


+=== modified file 'profiles/apparmor.d/abstractions/nameservice'
+--- profiles/apparmor.d/abstractions/nameservice	2017-09-15 20:47:26 +0000
++++ profiles/apparmor.d/abstractions/nameservice	2017-10-17 21:29:36 +0000
+@@ -21,6 +21,9 @@
+   /etc/passwd             r,
+   /etc/protocols          r,
+ 
++  # libtirpc (used for NIS/YP login) needs this
++  /etc/netconfig r,
++
+   # When using libnss-extrausers, the passwd and group files are merged from
+   # an alternate path
+   /var/lib/extrausers/group  r,
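
Review bot: the comment on the added rule, `# libtirpc (used for NIS/YP login) needs this`, is narrower than the reason quoted earlier in this mail, where anything linked against libtirpc or loading a plugin linked against it has to read /etc/netconfig; suggest wording that names libtirpc as the reader and NIS/YP as one case that pulls it in. The rule also uses a single space before `r,`, while the neighbouring `/etc/passwd             r,` and `/etc/protocols          r,` lines align the permission column. Since this abstraction is shared, it is worth stating in the comment that the access is read-only to a non-secret configuration file, so reviewers of including profiles can see why it is broad.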


Regards,

Christian Boltz
-- 
> If only someone could write to me in plain language (German or Swabian)
You don't need to worry about scsi_mod; modprobe can find that out by
itself from /lib/modules/`uname -r`/modules.dep, which is written by
depmod.   [> Ute Ferlein and David Haller in suse-linux]