FTR this was already added upstream in commit 84cd523d8c which is part of AppArmor v2.12. So it'll be fixed whenever Ubuntu upgrades to 2.12 :)
** Also affects: apparmor
   Importance: Undecided
       Status: New

** Changed in: apparmor
       Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1751402

Title:
  abstraction/nameservice should include allow access to /var/lib/sss/mc/initgroups

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  New

Bug description:
  From https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1749931/comments/4:

  [2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  The unbound AA profile includes abstractions/nameservice which already has some rules for files under /var/lib/sss/mc. I think that adding "/var/lib/sss/mc/initgroups r" to abstractions/nameservice would make sense:

$ diff -Naur abstractions/nameservice.orig abstractions/nameservice --- abstractions/nameservice.orig 2018-02-24 02:19:24.310884300 +0000 +++ abstractions/nameservice 2018-02-24 02:20:10.578785312 +0000 @@ -30,6 +30,7 @@ # and the nss plugin also needs to talk to a pipe /var/lib/sss/mc/group r, /var/lib/sss/mc/passwd r, + /var/lib/sss/mc/initgroups r, /var/lib/sss/pipes/nss rw, /etc/resolv.conf r,
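Review bot: the added `/var/lib/sss/mc/initgroups r,` rule is placed after the `passwd` entry, which breaks the alphabetical order of the neighbouring `/var/lib/sss/mc/group r,` and `/var/lib/sss/mc/passwd r,` rules; consider inserting it between them (group, initgroups, passwd) to match the existing layout of the abstraction. The permission itself is the minimal one the quoted denial asks for (requested_mask="r" on an open of that path) and mirrors the read-only access already granted to the other sssd memory-cache files, so no broader mask is warranted.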