On 2017-11-26 03:31 AM, Peter Palfrader wrote:
> The apparmor policy for unbound allows access to
> /var/lib/unbound/root.key*, but it does not allow access to any
> other dynamically updated key the admin might have put there,
> such as debian.org.key on DSA infrastructure.
>
> Please allow access to all key files.

Please see the attached patch.

Regards,
Simon
commit 533ad2381f6f22ae829ec171a1ed7632e2c644b8 (HEAD -> bug882731) Author: Simon Deziel <si...@sdeziel.info> Date: Mon Nov 27 09:03:04 2017 -0500 Allow having auto-trust-anchor-file in /var/lib/unbound Closes #882731 diff --git a/debian/apparmor-profile b/debian/apparmor-profile index 624341c..23db0b9 100644 --- a/debian/apparmor-profile +++ b/debian/apparmor-profile @@ -30,6 +30,7 @@ # chrooted paths /var/lib/unbound/** r, + owner /var/lib/unbound/*.key* rw, owner /var/lib/unbound/**/*.key* rw, audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw, audit deny /var/lib/unbound/**/unbound_server.key w,
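Review bot: The added "owner /var/lib/unbound/*.key* rw," line also matches unbound_server.key and unbound_control.key when they sit directly in /var/lib/unbound and are owned by the daemon's user, while the two audit deny rules in the trailing context only use the "/var/lib/unbound/**/" form. If that form does not match files at the top level of the directory (which is why this hunk needs a separate "*.key*" line next to the existing "**/*.key*" one), the new rule leaves those two files writable. Consider adding top-level counterparts, "audit deny /var/lib/unbound/unbound_control.{key,pem} rw," and "audit deny /var/lib/unbound/unbound_server.key w,", unless lines outside the shown context already cover them.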