[Pkg-dns-devel] Bug#882731: apparmor policy only accepts root.key in /var/lib/unbound
Peter Palfrader
weasel at debian.org
Mon Nov 27 14:22:42 UTC 2017
On Mon, 27 Nov 2017, Simon Deziel wrote:
> On 2017-11-26 03:31 AM, Peter Palfrader wrote:
> > The apparmor policy for unbound allows access to
> > /var/lib/unbound/root.key*, but it does not allow access to any
> > other dynamically updated key the admin might have put there,
> > such as debian.org.key on DSA infrastructure.
> >
> > Please allow access to all key files.
>
> Please see the attached patch.
> # chrooted paths
> /var/lib/unbound/** r,
> + owner /var/lib/unbound/*.key* rw,
> owner /var/lib/unbound/**/*.key* rw,
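Review bot: on the added line, the trailing `*` in `*.key*` extends `rw` to every file directly in /var/lib/unbound whose name merely contains `.key`, not only names that end in it. If the suffix is there to cover specific companion files, a short comment above the rule naming them would make the intended scope reviewable; otherwise `*.key` would be the narrower grant.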
This would allow /var/lib/unbound/root.key "twice", once via root.key,
once via *.key.
Cheers,
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/
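The overlap Peter points out can be checked by evaluating the globs against a few paths. This is an added example, not part of the original thread or of the unbound profile: it uses a simplified Python approximation of AppArmor's `*` and `**` path globbing, the helper names and sample paths are constructed, and the `owner` qualifier and `rw` permissions are not modelled.

```python
import re

# Path rules discussed in the thread (the "owner" qualifier and the rw
# permissions are not modelled; only path matching is).
RULES = {
    "root.key*": "/var/lib/unbound/root.key*",      # rule named in the bug report
    "*.key*": "/var/lib/unbound/*.key*",            # line added by the patch
    "**/*.key*": "/var/lib/unbound/**/*.key*",      # existing subdirectory rule
}

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '*' stays within one path component,
    '**' may cross '/'. Other glob syntax (?, [], {}) is not handled."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(parts))

def matching_rules(path):
    """Return the labels of all rules whose glob matches the whole path."""
    return [label for label, glob in RULES.items()
            if glob_to_regex(glob).fullmatch(path)]

if __name__ == "__main__":
    # Constructed sample paths, not taken from a real system.
    for p in ("/var/lib/unbound/root.key",
              "/var/lib/unbound/debian.org.key",
              "/var/lib/unbound/zones/example.key",
              "/var/lib/unbound/notes.txt"):
        print(p, "->", matching_rules(p) or "no key rule")
```

With both top-level rules present, root.key is matched twice while debian.org.key is matched only by the new rule, so the older `root.key*` rule becomes redundant once `*.key*` is in place.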