Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/unbound-refresh 
into lp:apparmor-profiles.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230
-- 
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~sdeziel/apparmor-profiles/unbound-refresh into lp:apparmor-profiles.
=== modified file 'ubuntu/16.04/usr.sbin.unbound'
--- ubuntu/16.04/usr.sbin.unbound	2015-10-27 01:49:53 +0000
+++ ubuntu/16.04/usr.sbin.unbound	2016-01-11 21:27:00 +0000
@@ -6,6 +6,10 @@
   #include <abstractions/base>
   #include <abstractions/nameservice>
 
+  capability fowner,
+  capability fsetid,
+  capability chown,
+  capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
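Review bot: the four capabilities added at the top of the capability list (fowner, fsetid, chown, dac_override) come with no comment saying which operation of the daemon needs each one, unlike the path rules below, which are all annotated. dac_override in particular lets the process bypass file permission checks entirely, so it is worth stating in the profile what denial it was added for and whether fixing ownership or mode on the affected file would remove the need for it. A one-line comment per capability, or one grouped comment naming the files involved, would make this reviewable later.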
@@ -15,6 +19,9 @@
   # root trust anchor
   owner /var/lib/unbound/root.key* rw,
 
+  # root hints from dns-data-root
+  /usr/share/dns/root.* r,
+
   # non-chrooted paths
   /etc/unbound/** r,
   owner /etc/unbound/*.key* rw,
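Review bot: the glob in `/usr/share/dns/root.* r,` is wider than its comment, which mentions only the root hints. If only the hints file is read, name it explicitly; if other files in that directory are intended as well, say so in the comment so the scope of the read grant is clear.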
@@ -32,4 +39,7 @@
   /usr/sbin/unbound mr,
 
   /{,var/}run/unbound.pid rw,
+
+  # Unix control socket
+  /{,var/}run/unbound.ctl rw,
 }
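Review bot: the new `/{,var/}run/unbound.ctl rw,` rule has no `owner` qualifier, while the writable key-file rules earlier in the profile do. If the socket is always created by the daemon itself, `owner` would tighten the rule; if it is not (for example because the ownership is changed afterwards, which might be what the chown/fowner capabilities in the first hunk are for), a short note in the comment would explain why the rule is left unqualified.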

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
