[Pkg-dns-devel] Bug#882731: apparmor policy only accepts root.key in /var/lib/unbound
Simon Deziel
simon at sdeziel.info
Mon Nov 27 14:30:37 UTC 2017
On 2017-11-27 09:22 AM, Peter Palfrader wrote:
> On Mon, 27 Nov 2017, Simon Deziel wrote:
>
>> On 2017-11-26 03:31 AM, Peter Palfrader wrote:
>>> The apparmor policy for unbound allows access to
>>> /var/lib/unbound/root.key*, but it does not allow access to any
>>> other dynamically updated key the admin might have put there,
>>> such as debian.org.key on DSA infrastructure.
>>>
>>> Please allow access to all key files.
>>
>> Please see the attached patch.
>
>> # chrooted paths
>> /var/lib/unbound/** r,
>> + owner /var/lib/unbound/*.key* rw,
>> owner /var/lib/unbound/**/*.key* rw,
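
Review bot: the added rule `owner /var/lib/unbound/*.key* rw,` ends in a trailing `*`, so it grants write access to any file in that directory that is owned by the confined process's user and whose name merely contains `.key`, not only to files named `<zone>.key`. If the trailing wildcard is there for temporary files written next to a key while it is being updated, a comment above the rule saying so would document the intended scope; if not, `*.key` is the narrower match. Because `*` does not match `/`, the new line covers only files directly in `/var/lib/unbound/`, and the existing `**/*.key*` line is still needed for subdirectories.
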
>
> This would allow /var/lib/unbound/root.key "twice", once via root.key,
> once via *.key.

Indeed, this patch should be better, thanks Peter.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bug882731-v2.diff
Type: text/x-patch
Size: 677 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-dns-devel/attachments/20171127/cba2d1e8/attachment.bin>