AppArmor doesn't support use of /etc/ssl/<servicename>
Bug #317109 reported by KarlGoetz
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor (Ubuntu) | Fix Released | Undecided | Jamie Strandboge | |
| openldap2.3 (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
Binary package hint: apparmor
Ubuntu 8.04
Slapd as shipped
AppArmor as shipped.
When attempting to configure slapd (OpenLDAP) to use SSL, I set its SSL path to /etc/ssl/slapd/ and placed the keys in there (as is standard for services at this site).
AppArmor caused slapd to fail to start, as it couldn't read the keys it needed.
While it was a simple job to add the path into the AppArmor profile, finding the cause of the mystery failure took quite some time.
It would be great if /etc/ssl/
Changed in apparmor:
assignee: nobody → jdstrand
status: New → Confirmed
Changed in openldap2.3:
assignee: nobody → jdstrand
status: New → Confirmed
I just checked the apparmor profiles for Hardy, Intrepid and Jaunty, and they all have (after including the abstractions):
#include <abstractions/ssl_certs>
/etc/ssl/private/ r,
/etc/ssl/private/* r,
This works out to:
/etc/ssl/ r,
/etc/ssl/certs/ r,
/etc/ssl/certs/* r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
I think if this is going to be fixed, it should be fixed in the apparmor package, so am moving it there. The question then becomes, should /etc/apparmor.d/abstractions/ssl_certs become:
/etc/ssl/ r,
/etc/ssl/* r,
This would obviate the need for references to /etc/ssl/private/ (and abstractions/ssl_keys on Jaunty). What do people think?
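An added example, not part of the bug report or of AppArmor's own code: a simplified Python model of AppArmor path globbing, run over the rule sets quoted in this thread to show which paths each one covers. The `LOCAL` rules and the file name `/etc/ssl/slapd/server.key` are assumptions made for illustration.

```python
import re

def aa_glob_to_regex(glob):
    """Simplified model of AppArmor path globbing: '*' and '?' never match
    '/', '**' does. Alternation, character classes and variables are omitted."""
    out, i = [], 0
    while i < len(glob):
        if glob[i] == "*":
            deep = glob.startswith("**", i)
            end = i + (2 if deep else 1)
            # A glob that is a whole path component must match at least one character.
            whole = glob[i - 1:i] == "/" and glob[end:end + 1] in ("", "/")
            out.append(("[^/]" if whole else "") + (".*" if deep else "[^/]*"))
            i = end
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z", re.S)

def parse_rules(text):
    """Parse 'path perms,' lines into (compiled_regex, perms) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if line and not line.startswith("#"):
            path, perms = line.rsplit(None, 1)
            rules.append((aa_glob_to_regex(path), perms))
    return rules

def readable(rules, path):
    """True if any rule grants 'r' on this exact path."""
    return any("r" in perms and rx.match(path) for rx, perms in rules)

# Effective rules quoted in the thread for the shipped profiles.
SHIPPED = parse_rules("""
/etc/ssl/ r,
/etc/ssl/certs/ r,
/etc/ssl/certs/* r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
""")
# Abstraction change proposed in the thread.
PROPOSED = parse_rules("/etc/ssl/ r,\n/etc/ssl/* r,")
# Assumption: a site-local rule of the kind the reporter describes adding.
LOCAL = parse_rules("/etc/ssl/slapd/ r,\n/etc/ssl/slapd/* r,")

if __name__ == "__main__":
    key = "/etc/ssl/slapd/server.key"  # constructed file name
    for name, rules in [("shipped", SHIPPED), ("proposed", PROPOSED), ("shipped+local", SHIPPED + LOCAL)]:
        print(f"{name:14} {key}: {'allowed' if readable(rules, key) else 'DENIED'}")
```

Because `*` stops at `/`, a rule ending in `/etc/ssl/*` covers files directly in `/etc/ssl/` but not files inside a per-service subdirectory; those need their own rule or a `**` glob.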