Hello,

this patch removes some rules from the ntpd profile that are already
covered by abstractions:
- the network rules are in abstractions/nameservice
- /etc/gai.conf is also in abstractions/nameservice
- @{PROC}/sys/kernel/ngroups_max is in abstractions/base

I found those superfluous rules with aa-cleanup :-) but merged the
changes manually to keep comments and rule sorting.

@Kshitij: it would be nice if aa-cleanup had an option to only delete
superfluous rules _without_ removing comments and sorting the remaining
rules ;-)


=== modified file 'profiles/apparmor.d/usr.sbin.ntpd'
--- profiles/apparmor.d/usr.sbin.ntpd	2013-09-16 22:23:32 +0000
+++ profiles/apparmor.d/usr.sbin.ntpd	2013-09-30 15:36:51 +0000
@@ -27,10 +27,6 @@
   capability sys_time,
   capability sys_nice,
 
-  network inet dgram,
-  network inet stream,
-  network inet6 stream,
-
   /drift/ntp.drift rwl,
   /drift/ntp.drift.TEMP rwl,
   /etc/ntp.conf r,
@@ -39,7 +35,6 @@
   /etc/ntp/step-tickers r,
   /etc/ntpd.conf r,
   /etc/ntpd.conf.tmp r,
-  /etc/gai.conf r,
   /tmp/ntp* rwl,
   /usr/sbin/ntpd rmix,
 
@@ -60,7 +55,6 @@
   /{,var/}run/ntpd.pid w,
   /var/tmp/ntp* rwl,
   @{PROC}/@{pid}/net/if_inet6 r,
-  @{PROC}/sys/kernel/ngroups_max r,
 
   # allow access for when chrooted
   /var/lib/ntp/@{PROC}/@{pid}/net/if_inet6 r,


Regards,

Christian Boltz
-- 
[GUI vs. Command-Line] There will be a similar fight in 20 years, when
the "2D screen fanatics" go after the "VR fans" and another argument
breaks out that can hardly be surpassed in pointlessness.
[Phillip Richdale in suse-linux]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
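Review bot: on the first hunk (@@ -27,10 +27,6 @@), dropping the three network rules is only a no-op if the profile actually includes abstractions/nameservice, and that include line is outside the hunk context, so please confirm it is present before merging. A useful sanity check: the removed lines grant inet dgram, inet stream and inet6 stream but no inet6 dgram, and NTP runs over UDP, so IPv6 time sync can only have been working through the abstraction already; if it works on a test box, the include is in effect and the removal is safe.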
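Review bot: on the second hunk (@@ -39,7 +35,6 @@), the removal of `/etc/gai.conf r,` has the same dependency on `#include <abstractions/nameservice>` being present as the network rules above; gai.conf is read by getaddrinfo() during name resolution, so nameservice is the right home for it. Since both hunks rest on the same include, one sentence in the commit message naming that include would document the assumption for both.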
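Review bot: on the third hunk (@@ -60,7 +55,6 @@), removing `@{PROC}/sys/kernel/ngroups_max r,` is equivalent only with abstractions/base included, and base covers the non-chrooted path only; the "allow access for when chrooted" block that follows lists just `/var/lib/ntp/@{PROC}/@{pid}/net/if_inet6 r,`, so an ngroups_max read after chroot would still be denied. The profile before this patch did not grant a chrooted ngroups_max either, so this is not a regression, but it is worth a look in the audit log when testing with a chrooted ntpd.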