Marcus Rueckert
f270973a6c
Accepted submit request 57745 from user jeff_mahoney OBS-URL: https://build.opensuse.org/request/show/57745 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=1
39 lines
969 B
Plaintext
From: Jeff Mahoney <jeffm@suse.com>
Subject: Fix for sshd profile
References: bnc#457072
Without this patch, sshd won't work in enforce mode.
libselinux accesses /proc/filesystems to determine if it's enabled
bash won't execute
audit_control is probably from libselinux too
---
profiles/apparmor/profiles/extras/usr.sbin.sshd | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -30,6 +30,8 @@
capability kill,
capability setgid,
capability setuid,
+ capability audit_control,
+ capability sys_ptrace,
/dev/ptmx rw,
/dev/urandom r,
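Review bot: the two added capability rules, audit_control and sys_ptrace, are not justified well enough for a profile that confines sshd. The commit message only says audit_control is "probably from libselinux", and sys_ptrace is not mentioned at all. Please identify from the AppArmor audit log which operation is denied for each one, and put a one-line comment above each rule stating why it is needed. If no denial can be reproduced for sys_ptrace, leave it out of this patch.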
@@ -44,11 +46,12 @@
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/loginuid w,
+ @{PROC}/filesystems r,
# should only be here for use in non-change-hat openssh
# duplicated from EXEC hat
/bin/ash Ux,
- /bin/bash Ux,
+ /bin/bash rUx,
/bin/bash2 Ux,
/bin/bsh Ux,
/bin/csh Ux,
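Review bot: only /bin/bash gains the r permission here, while /bin/ash, /bin/bash2, /bin/bsh and /bin/csh in the same list stay at Ux. If bash will not execute without read access, the other shells in this list presumably fail the same way, so either change them all to rUx or explain in the commit message why bash is the special case. The comment above the list says it is duplicated from the EXEC hat, so that copy needs the same change to keep the two in sync. The new @{PROC}/filesystems r rule would also benefit from a short comment naming libselinux as the reader, as the commit message does.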