Hi,

On Sat, Jan 02, 2016 at 03:50:00PM +0100, Christian Boltz wrote:
> openssh-6.6p1 (on openSUSE Tumbleweed, the rolling release)

I have:
OpenSSH_7.1p1 Debian-5, OpenSSL 1.0.2e 3 Dec 2015 (on Debian Stretch)
and:
OpenSSH_6.7p1 Debian-5, OpenSSL 1.0.1k 8 Jan 2015 (on Debian Jessie)
[ on 6.7 I do not need cap net_admin from my initial patch, though ]

> The configuration of OpenSSH and/or PAM might also be relevant.

True, Debian defaults here.

> > > + @{PROC}/cmdline r,
> > > + @{PROC}/1/environ r,
> >
> > While I also get denials for these two on my Stretch VM, I did not add
> > them in my initial version, as ssh seemed to work fine without and I
> > really see no reason why the kernel commandline or the environment of
> > the init process should matter to the ssh daemon.
>
> Interesting point, but then I'd at least add deny rules for them to
> silence the logging.

Sounds sane, yes.

> Patch sent for review upstream. The review might need a while thanks to
> some[tm] [1] pending patches ;-)

Cool, can you drop me the link to the review? Did not find it on lp:apparmor.

Regards
Evgeni
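
Review bot: the two added lines `@{PROC}/cmdline r,` and `@{PROC}/1/environ r,` grant sshd read access that, per the discussion, it works fine without, and the second one exposes the init process's environment to the daemon. If the goal is only to quiet the denials, write them as `deny @{PROC}/cmdline r,` and `deny @{PROC}/1/environ r,` instead, since explicit deny rules are not logged, and add a profile comment stating that the accesses were observed on Debian Stretch with OpenSSH 7.1p1 but are not needed for sshd to function.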