New AppArmor profile: usr.sbin.nslcd

Bug #1575455 reported by Daniel Richard G. on 2016-04-27
Affects             Status   Importance   Assigned to   Milestone
AppArmor                     Undecided    Unassigned
apparmor (Ubuntu)            Undecided    Unassigned

Bug Description

nslcd is a good program to be covered by an AppArmor profile, as it communicates with an LDAP server and services queries from arbitrary local applications.

This new profile used the existing usr.sbin.nscd profile as a starting point.

Seth Arnold (seth-arnold) wrote :

That's a great start; I'm concerned about blocking the dgram protocols though -- will nslcd ever need to look up ldap server addresses via dns? Your site may not, but maybe someone else's will?

Thanks

Daniel Richard G. (skunk) wrote :

For my part, I'm not seeing DNS issues, and I've got a hostname in my LDAP server URI.

I'm not sure what goes on under the hood for normal DNS resolution these days (maybe DNS over TCP is favored now?), but if there's any doubt in your mind, feel free to drop those lines.

Daniel Richard G. (skunk) wrote :

Seth, it seems you're absolutely right.

Denying dgram while the system is up is no big deal, because DNS lookups go through nscd (or other similar infrastructure) instead of being sent out directly.

But when the system is starting up, and nscd et al. aren't running yet, the queries do need to go out directly. And nslcd ends up in a wedged state where it does not reply to queries, and prints an endless series of confusing "Can't contact LDAP server: Permission denied" errors to syslog.

So yes, please strike those two dgram lines from the profile.
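The wedged state described above leaves a trail in the AppArmor audit log: socket denials for the nslcd profile with sock_type="dgram". The following is an added example, not from the bug report or the apparmor-profiles tree, that scans audit records for that signature and prints the network rules that would lift the denial; the sample log lines are constructed, and the field layout is assumed to follow the usual AppArmor AVC record format.

```python
import re

# Constructed audit records resembling AppArmor AVC output; not taken
# from the bug report.  Two nslcd dgram denials, one allowed stream
# socket, and an unrelated nscd file denial for contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1461800000.101:42): apparmor="DENIED" operation="create" profile="/usr/sbin/nslcd" pid=812 comm="nslcd" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1461800000.102:43): apparmor="ALLOWED" operation="create" profile="/usr/sbin/nslcd" pid=812 comm="nslcd" family="inet" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1461800000.103:44): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" pid=700 comm="nscd" name="/etc/foo" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1461800000.104:45): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/nslcd" pid=812 comm="nslcd" family="inet6" sock_type="dgram" protocol=17
"""

# key=value or key="quoted value"; values never contain whitespace here.
FIELD_RE = re.compile(r'(\w+)="?([^"\s]*)"?')


def parse_audit_line(line):
    """Turn one AppArmor audit record into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))


def dgram_denials(log_text, profile="/usr/sbin/nslcd"):
    """Return (pid, family, operation) for each datagram-socket denial
    logged against the given profile.  Seeing these during early boot,
    before nscd is up, is the signature of the stuck-nslcd symptom."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if (rec.get("apparmor") == "DENIED"
                and rec.get("profile") == profile
                and rec.get("sock_type") == "dgram"):
            hits.append((int(rec["pid"]), rec.get("family"), rec.get("operation")))
    return hits


def suggested_rules(hits):
    """AppArmor network rules permitting the denied address families,
    i.e. what the profile needs instead of the two struck dgram lines."""
    families = sorted({fam for _, fam, _ in hits})
    return ["network %s dgram," % fam for fam in families]


if __name__ == "__main__":
    found = dgram_denials(SAMPLE_AUDIT_LOG)
    for pid, fam, op in found:
        print("nslcd pid %d: %s dgram socket denied (%s)" % (pid, fam, op))
    print("\n".join(suggested_rules(found)))
```

On a real system the input would be /var/log/audit/audit.log or the kernel log, but the matching logic is the same.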

Seth Arnold (seth-arnold) wrote :

Thanks, I added the profile to the 16.04 and 16.10 directories:
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/revision/167
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/revision/168

If you want a copyright line on the files, either propose one here or a merge request. I'm sorry I didn't notice it earlier.

Thanks!

Daniel Richard G. (skunk) wrote :

Thank you Seth :-) Next rev in each release should have this, right?

No copyright line is needed; this was trivial to derive from the nscd profile.

Christian Boltz (cboltz) on 2016-10-13
tags: added: aa-policy