Hello,

On Tuesday, 7 April 2020, 18:22:10 CEST, Goldwyn Rodrigues wrote:
> This is for custom configuration for mdns as defined at:
> https://github.com/lathiat/nss-mdns/blob/master/README.md#etcmdnsallow
>
> Signed-off-by: Goldwyn Rodrigues <rgold...@suse.com>
>
> diff --git a/profiles/apparmor.d/abstractions/mdns > b/profiles/apparmor.d/abstractions/mdns index 2aa6fff2..9102d27e > 100644 > --- a/profiles/apparmor.d/abstractions/mdns > +++ b/profiles/apparmor.d/abstractions/mdns > @@ -11,6 +11,7 @@ > # mdnsd > /etc/nss_mdns.conf r, > /{,var/}run/mdnsd w, > + /etc/mdns.allow r,
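Review bot: The context line `/{,var/}run/mdnsd w,` in this hunk does not match master, where the same line reads `@{run}/mdnsd w,` (visible in the context of commit eeac8c11 quoted in the reply), so the patch is based on an older tree and needs a rebase before it can be applied. The new rule is also appended after the run-directory rule; placing `/etc/mdns.allow r,` next to `/etc/nss_mdns.conf r,` keeps the /etc entries together, as the committed version does.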
You are late - this was already added a week ago ;-)

commit eeac8c11c935edf9eea2bed825af6c57e9fb52e3 (HEAD -> master, origin/master, origin/HEAD)
Author: Rich McAllister <Nopublic@address.provided>
Date: Tue Mar 31 21:01:21 2020 -0700

abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns

In focal users of mdns get denials in apparmor confined applications. An example can be found in the original bug below.

It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow

Therefore I'm asking to add
/etc/mdns.allow r,
to the file
/etc/apparmor.d/abstractions/mdns" by default.

--- original bug ---

Many repetitions of

audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0

in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains

hosts: files mdns [NOTFOUND=return] myhostname dns

and /etc/mdns.allow contains the domains to resolve with mDNS (in my case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)

Presumably chronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.

Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629
Signed-off-by: John Johansen <john.johan...@canonical.com>

diff --git a/profiles/apparmor.d/abstractions/mdns b/profiles/apparmor.d/abstractions/mdns index 6cd842cf..89b199be 100644 --- a/profiles/apparmor.d/abstractions/mdns +++ b/profiles/apparmor.d/abstractions/mdns 
@@ -9,6 +9,7 @@ # ------------------------------------------------------------------ # mdnsd + /etc/mdns.allow r, /etc/nss_mdns.conf r, @{run}/mdnsd w,

Regards,

Christian Boltz
--
My name is Ratti. I came here tonight because I have a problem that I would like to talk about. I have been working with Linux for quite a long time and have never once compiled a kernel. I am very ashamed of that. [Ratti in suse-linux]
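Review bot: The new `/etc/mdns.allow r,` rule lands directly under the `# mdnsd` comment, but according to the commit message the file is opened through the name service switch inside the confined process (chronyd in the quoted denial), not by mdnsd. A short comment above the rule saying it is the nss-mdns allow list, read by any application whose profile includes this abstraction, would tell the next reader why every includer gets read access to it.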
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
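
The commit message in this thread quotes "many repetitions" of one denial and calls the missing rule a common pattern. As an added example (not part of the thread and not AppArmor's own tooling), this Python script collapses such audit lines into candidate file rules and marks paths denied under more than one profile, which is the case for fixing a shared abstraction instead of a single profile. Only the first log line comes from the page; the other lines, the `example-*` profile names and the socket path are constructed.

```python
import re
from collections import defaultdict

# Constructed sample. Line 1 is the denial quoted in the commit message; the
# repeat, the extra profiles, the socket path and the ALLOWED record are made up.
SAMPLE_LOG = '''\
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
audit: type=1400 audit(1585517170.112:64): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
audit: type=1400 audit(1585517171.300:65): apparmor="DENIED" operation="open" profile="/usr/sbin/example-daemon" name="/etc/mdns.allow" pid=4242 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1585517172.000:66): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-tool" name="/etc/mdns.allow" pid=4300 comm="example-tool" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1585517173.900:67): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/run/example/ctl.sock" pid=1983815 comm="chronyd" requested_mask="w" denied_mask="w" fsuid=123 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Split one audit line into its key=value fields (quotes removed)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def summarize_denials(log_text):
    """Collapse repeated file denials into {(path, mask): {profile: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Skip complain-mode (ALLOWED) records and events without a path/mask.
        if rec.get("apparmor") != "DENIED":
            continue
        if not all(k in rec for k in ("profile", "name", "denied_mask")):
            continue
        summary[(rec["name"], rec["denied_mask"])][rec["profile"]] += 1
    return {key: dict(profiles) for key, profiles in summary.items()}

def candidate_rules(summary):
    """Return (rule, profiles, shared); shared is True if several profiles hit it."""
    return [(f"{path} {mask},", sorted(profiles), len(profiles) > 1)
            for (path, mask), profiles in sorted(summary.items())]

if __name__ == "__main__":
    for rule, profiles, shared in candidate_rules(summarize_denials(SAMPLE_LOG)):
        where = "abstraction candidate" if shared else "single profile"
        print(f"{rule:28} {where}: {', '.join(profiles)}")
```
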