[apparmor] abstractions/apache2-common - path for stapling-cache
Kees Cook
kees at ubuntu.com
Fri Jun 8 23:48:33 UTC 2018

Hi Christian,

On Sat, Jun 09, 2018 at 12:35:23AM +0200, Christian Boltz wrote:
> Hello,
>
> I just got a private bugreport (as part of a somewhat unrelated
> discussion) that abstractions/apache2-common contains a strange path:
>
> # OCSP stapling
> /var/log/apache2/stapling-cache rw,
> ^^^^
> shouldn't that be /var/run/.. ?
>
> Kees, you added this line in 2e3a871b1 a year ago. Can you please check
> if it's really /var/log/apache2/ in your setup or if the bugreport is
> valid?

The use of the log directory was suggested by this:
https://raymii.org/s/tutorials/OCSP_Stapling_on_Apache2.html

However, in checking my Apache install, it seems the default location is:
    /run/lock/apache2/ssl-stapling.$pid
and
    /run/lock/apache2/ssl-stapling-refresh.$pid
and in all cases, apache runs with it deleted, so /var/log is likely wrong.

So I think we should use:
    /run/lock/apache2/stapling-cache* rw,

-Kees

--
Kees Cook