PDA

View Full Version : SLES 12 SP1 AppArmor shared profiles



D8TA
21-Apr-2016, 12:39
In the past with SLES 11 sp3 and sp4 I could go into AppArmor and there were some shared/community profiles available that others had created to help provide a "sample" for applications I was looking for. I am updating a BIND server from SLES 11sp4 to SLES 12sp1 and when I attempted to create the AppArmor profile that option wasn't there. In fact, the AppArmor Yast settings are very small when compared to previous version. I looked at the SLES 11sp4 AppArmor profile and alot appears to have changed with SLES 12sp1 so I am looking for recommendations on setting up a good AppArmor profile for BIND? This is just going to be used as a forwarder to Cisco openDNS service but want to secure this box, specifically AppArmor the named service.

Here is what I have from SLES 11sp4

# Last Modified: Mon Oct 17 12:17:06 2011
# $Id: usr.sbin.named 559 2007-04-10 23:05:33Z agruen $
#
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

/usr/sbin/named {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/xad>

capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,


/** r,
/dyn/** rwl,
/slave/* rw,
/tmp/DNS_* rw,
/usr/bin/dnskeygen mix,
/usr/bin/dnsquery mix,
/usr/sbin/named mrix,
/usr/sbin/named-xfer mix,
/var/lib/named/** rwl,
/var/named/** rwl,
/var/opt/novell/xad/ds/krb5kdc/krb5.keytab r,
/var/run/named.pid wl,
/var/run/named/named.pid wl,
/var/run/ndc wl,
/var/tmp/DNS_* rw,

}

When I look at my SLES 12sp1 server some of these files are not present. Just looking for a basic AppArmor profile for named. I see plenty for Ubuntu but not sure if those would work. I am guessing not since the file locations are different.

Automatic reply
27-Apr-2016, 05:30
D8TA,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- Open a service request: https://www.suse.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot..

Good luck!

Your SUSE Forums Team
http://forums.suse.com