Apparmor 2.9.0 has been released; closing.
** Changed in: apparmor
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/228229
Title:
sshd profile does not wor
This has been fixed in Ubuntu in the pending 14.04 LTS release.
** Changed in: apparmor (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/228229
Title:
s
** Changed in: apparmor
Milestone: None => 2.9.0
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/228229
Title:
sshd profile does not work out-of-the-box
To manage notifications about this bug go
Simon,
Thanks for the patch to the sshd profile. After reviewing it and
updating it to take into account of a couple of upstream changes to the
profile, I've applied it to lp:apparmor, and will be included in the
next major AppArmor release. It should also make it into Ubuntu 13.04.
Thanks!
** A
** Branch linked: lp:apparmor
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/228229
Title:
sshd profile does not work out-of-the-box
To manage notifications about this bug go to:
https://bugs.launch
The attachment "Add missing capabilities/rules for usr.sbin.sshd" of
this bug report has been identified as being a patch. The ubuntu-
reviewers team has been subscribed to the bug report so that they can
review the patch. In the event that this is in fact not a patch you can
resolve this situati
I'm not using Kerberos here but I found the profiles from apparmor-
profiles to still lack a few bits in Precise. I've attached the patch to
get a working profile. The only thing that didn't work in my testing is
SFTP when using "Subsystem sftp internal-sftp".
** Patch added: "Add missing capabili
I disagree with Timo's assessment; the attempt to write to
/etc/krb5.conf is from an access(2) check to _see_ if the file is
writable. If the file _is_ writable, then the sshd server knows Kerberos
is mis-configured and will _fail_. Of course, most of the time, the
standard Unix DAC checks will for
sorry, openssh tries to open krb5.conf with 'w::' mask for some reason,
so in order to avoid these messages
type=APPARMOR_DENIED msg=audit(1233663334.360:7469):
operation="inode_permission" requested_mask="w::" denied_mask="w::"
fsuid=0 name="/etc/krb5.conf" pid=17575 profile="/usr/sbin/sshd"
it
And back to apparmor.. The profile does need some changes, but no
modifications to openssh AIUI. Here's what I had to add:
/etc/default/locale r,
/var/cache/nscd/group r,
/var/cache/nscd/passwd r,
/etc/selinux/config r,
/etc/selinux/default/seusers r,
/etc/krb5.conf r,
/etc/krb5.keyt
moving to openssh, since the patch is needed there?
(I'm currently evaluating apparmor, so would like to confine sshd)
** Changed in: openssh (Ubuntu)
Sourcepackagename: apparmor => openssh
--
sshd profile does not work out-of-the-box
https://bugs.launchpad.net/bugs/228229
You received this bug
AFAIK Ubuntu's sshd doesn't have the change_hat patch. That makes
confining somewhat useless.
--
sshd profile does not work out-of-the-box
https://bugs.launchpad.net/bugs/228229
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu
12 matches
Mail list logo
