[pkg-apparmor] Bug#813835: abstractions/nameservice: does not allow NetworkManager without resolvconf
Simon McVittie
smcv at debian.org
Fri Feb 5 17:50:25 UTC 2016
Package: apparmor
Version: 2.10-3
Severity: normal
Tags: upstream patch
On systems with NetworkManager but no resolvconf, /etc/resolv.conf
is a symlink to /var/run/NetworkManager/resolv.conf:
lrwxrwxrwx 1 root root 35 Feb 5 17:07 /etc/resolv.conf -> /var/run/NetworkManager/resolv.conf
leading to denials like this:
Feb 05 17:20:09 archetype kernel: audit: type=1400 audit(1454692809.391:306): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/run/NetworkManager/resolv.conf" pid=1032 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=124 ouid=0
I would like to propose this patch:
--- /etc/apparmor.d/abstractions/nameservice 2016-02-02 13:49:52.929534484 +0000
+++ /home/smcv/tmp/nameservice 2016-02-05 17:34:58.929681171 +0000
@@ -35,8 +35,9 @@
/etc/resolv.conf r,
# on systems using resolvconf, /etc/resolv.conf is a symlink to
# /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
- # /etc/resolvconf/run/resolv.conf
- /{,var/}run/resolvconf/resolv.conf r,
+ # /etc/resolvconf/run/resolv.conf. Similarly, if NetworkManager is used
+ # without resolvconf, /etc/resolv.conf is a symlink to its own resolv.conf.
+ /{,var/}run/{resolvconf,NetworkManager}/resolv.conf r,
/etc/resolvconf/run/resolv.conf r,
/etc/samba/lmhosts r,
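Review bot: the patch headers point at the installed file (`--- /etc/apparmor.d/abstractions/nameservice`) and a scratch copy (`+++ /home/smcv/tmp/nameservice`), so it will not apply to the packaged or upstream source tree with the usual `-p1` without path munging; please regenerate it against a checkout so it can be applied directly. The rule change itself is appropriately narrow: it keeps read-only (`r`) access and adds only the single `NetworkManager` alternative to the existing `/{,var/}run/` brace group, which is exactly the `name="/run/NetworkManager/resolv.conf"` path in the logged denial rather than a broader `/run/NetworkManager/` grant.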
For a bit of future-proofing, you might also want to allow systemd/resolve
as a third option in the {} group (see systemd-resolved(8) for details).
Regards,
S
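A small check, added here and not part of the original report or of the apparmor package, that expands the brace alternation in the proposed rule and tests it against the quoted denial line (the sample denial and rule strings below are constructed from the report; the expander handles {a,b} alternation only, not AppArmor's * and ** globs):

```python
import itertools
import re

# Constructed sample data: the denial quoted in the report, the rule path before
# the patch, and the rule path after it.
DENIAL = ('audit: type=1400 audit(1454692809.391:306): apparmor="DENIED" operation="open" '
          'profile="/usr/bin/freshclam" name="/run/NetworkManager/resolv.conf" pid=1032 '
          'comm="freshclam" requested_mask="r" denied_mask="r" fsuid=124 ouid=0')
OLD_RULE_PATH = "/{,var/}run/resolvconf/resolv.conf"
RULE_PATH = "/{,var/}run/{resolvconf,NetworkManager}/resolv.conf"


def expand_braces(path):
    """Expand AppArmor {a,b,...} alternations (non-nested) into concrete paths.

    Alternatives may be empty ("{,var/}") or contain slashes ("systemd/resolve").
    """
    pieces = re.split(r"\{([^{}]*)\}", path)
    literals = pieces[0::2]                      # text outside the braces
    alternatives = [p.split(",") for p in pieces[1::2]]
    expanded = []
    for combo in itertools.product(*alternatives):
        parts = [literals[0]]
        for alt, literal in zip(combo, literals[1:]):
            parts.append(alt)
            parts.append(literal)
        expanded.append("".join(parts))
    return expanded


def parse_denial(line):
    """Pull the fields that matter out of an AppArmor audit line."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return {"profile": fields.get("profile"),
            "name": fields.get("name"),
            "denied_mask": fields.get("denied_mask", "")}


def rule_covers(rule_path, rule_perms, denial):
    """True if the rule would have allowed this denial: path matches an expansion
    and every denied permission bit is granted by the rule."""
    path_ok = denial["name"] in expand_braces(rule_path)
    perms_ok = set(denial["denied_mask"]) <= set(rule_perms)
    return path_ok and perms_ok


if __name__ == "__main__":
    d = parse_denial(DENIAL)
    print("old rule covers:", rule_covers(OLD_RULE_PATH, "r", d))   # False
    print("new rule covers:", rule_covers(RULE_PATH, "r", d))       # True
```

The same expander shows what the suggested third alternative would add: `expand_braces("/{,var/}run/{resolvconf,NetworkManager,systemd/resolve}/resolv.conf")` includes `/run/systemd/resolve/resolv.conf`.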