Andreas fixed that in 2.4.49+dfsg-2ubuntu1 [Focal], which started to have a profile in openldap and include ssl_cert, which (as Christian Bolz outlined above) does include those paths.

  # grep ssl_c /etc/apparmor.d/usr.sbin.slapd
    #include <abstractions/ssl_certs>
  # grep enc /etc/apparmor.d/abstractions/ssl_certs
    /etc/letsencrypt/archive/*/cert*.pem r,
    /etc/letsencrypt/archive/*/chain*.pem r,
    /etc/letsencrypt/archive/*/fullchain*.pem r,

Fixed Focal onwards, and since users can modify the local overrides if needed I'm not sure how important an SRU of the same is (changing isolation in SRUs is discouraged AFAIK).

** Changed in: openldap (Ubuntu)
       Status: Triaged => Fix Released

--
https://bugs.launchpad.net/bugs/1805178

Title:
  Apparmor should include letsencrypt directory for Slapd

Status in openldap package in Ubuntu:
  Fix Released

Bug description:
  Apparmor denies access to /etc/letsencrypt for slapd, which is confusing for users trying to secure ldap with Letsencrypt in a stock configuration.

  The fix is inserting the following line in /etc/apparmor.d/usr.sbin.slapd:

    /etc/letsencrypt/** r,

  and then refreshing the profile:

    # apparmor_parser -vr usr.sbin.slapd

  This line should simply be included.

  tarek : )
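
Added example, not part of the bug report or of the openldap/AppArmor packaging: a small Python check of how the three abstraction rules in the grep output above differ in scope from the `/etc/letsencrypt/** r,` line proposed in the bug description. The matcher handles only the `*`, `**` and `?` globs, a simplification of AppArmor's syntax, and the sample paths (host name, file names, directory layout) are constructed for illustration.

```python
import re

# Rules quoted on this page (the trailing "r," permission is dropped).
ABSTRACTION_RULES = [
    "/etc/letsencrypt/archive/*/cert*.pem",
    "/etc/letsencrypt/archive/*/chain*.pem",
    "/etc/letsencrypt/archive/*/fullchain*.pem",
]
BROAD_RULE = ["/etc/letsencrypt/**"]

# Constructed sample paths; ldap.example.org and the accounts layout are assumptions.
SAMPLE_PATHS = [
    "/etc/letsencrypt/archive/ldap.example.org/cert1.pem",
    "/etc/letsencrypt/archive/ldap.example.org/chain1.pem",
    "/etc/letsencrypt/archive/ldap.example.org/fullchain1.pem",
    "/etc/letsencrypt/archive/ldap.example.org/privkey1.pem",
    "/etc/letsencrypt/accounts/acme.example/directory/0000/private_key.json",
]


def glob_to_regex(glob):
    """Translate a path glob: '**' crosses '/', while '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))


def readable(path, rules):
    """True if any rule in the list grants read access to the path."""
    return any(glob_to_regex(rule).fullmatch(path) for rule in rules)


def coverage(paths=SAMPLE_PATHS):
    """Map each path to (allowed by abstraction rules, allowed by broad rule)."""
    return {p: (readable(p, ABSTRACTION_RULES), readable(p, BROAD_RULE)) for p in paths}


if __name__ == "__main__":
    for path, (narrow, broad) in coverage().items():
        print(f"{path}: ssl_certs rules={narrow}, /etc/letsencrypt/**={broad}")
```

The three quoted rules cover only certificate and chain files one level below `archive/`, while the `**` rule makes everything under `/etc/letsencrypt` readable to the confined process, including key material.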