File apparmor-profiles-sshd-fix of Package apparmor-profiles

Overview Repositories Revisions Requests Users Attributes Meta

File apparmor-profiles-sshd-fix of Package apparmor-profiles

From: Jeff Mahoney <jeffm@suse.com>
Subject: Fix for sshd profile
References: bnc#457072

Without this patch, sshd won't work in enforce mode.

libselinux accesses /proc/filesystems to determine if it's enabled
 bash won't execute
 audit_control is probably from libselinux too
---
 apparmor.d/abstractions/wutmp          |    2 +-
 apparmor/profiles/extras/usr.sbin.sshd |    5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

--- a/apparmor.d/abstractions/wutmp
+++ b/apparmor.d/abstractions/wutmp
@@ -14,5 +14,5 @@
   # some services update wtmp, utmp, and lastlog with per-user
   # connection information
   /var/log/lastlog  rw,
-  /var/log/wtmp     w,
+  /var/log/wtmp     wk,
   /var/run/utmp     rwk,
--- a/apparmor/profiles/extras/usr.sbin.sshd
+++ b/apparmor/profiles/extras/usr.sbin.sshd
@@ -30,6 +30,8 @@
   capability kill,
   capability setgid,
   capability setuid,
+  capability audit_control,
+  capability sys_ptrace,
 
   /dev/ptmx rw,
   /dev/urandom r,
@@ -44,11 +46,12 @@
 
   @{PROC}/[0-9]*/fd/ r,
   @{PROC}/[0-9]*/loginuid w,
+  @{PROC}/filesystems r,
 
 # should only be here for use in non-change-hat openssh
 # duplicated from EXEC hat
   /bin/ash Ux,
-  /bin/bash Ux,
+  /bin/bash rUx,
   /bin/bash2 Ux,
   /bin/bsh Ux,
   /bin/csh Ux,

Places

File apparmor-profiles-sshd-fix of Package apparmor-profiles

Places