[pkg-apparmor] Bug#809649: ssh login not possible when setting usr.sbin.sshd to enforced
Evgeni Golov
evgeni at debian.org
Sat Jan 2 11:18:48 UTC 2016
Package: apparmor-profiles
Version: 2.10-2
Severity: normal
Tags: upstream patch
Ohai,
using /usr/share/doc/apparmor-profiles/extras/usr.sbin.sshd with current sshd
will make the system not accept logins anymore.
The following patch fixes it:
--- /usr/share/doc/apparmor-profiles/extras/usr.sbin.sshd 2015-09-14 14:25:50.000000000 +0200
+++ /etc/apparmor.d/usr.sbin.sshd 2016-01-02 12:05:38.949693319 +0100
@@ -25,6 +25,7 @@
capability sys_chroot,
capability sys_resource,
capability sys_tty_config,
+ capability net_admin,
capability net_bind_service,
capability chown,
capability fowner,
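Review bot: the added "capability net_admin," is a broad grant (it covers network interface, routing and firewall configuration), and the report does not say which sshd operation was denied without it. Please include the AppArmor denial line from the audit log that led to this rule and add a short comment above it, so it can be told apart from the rules that actually restore logins and dropped if it only silences a non-fatal denial.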
@@ -32,6 +33,7 @@
capability setgid,
capability setuid,
capability audit_control,
+ capability audit_write,
capability dac_override,
capability dac_read_search,
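Review bot: "capability audit_write," is added directly after "capability audit_control," with no comment on what needs it. If this is for the audit records written during login, say so in a one-line comment above the rule and quote the matching denial in the report, so it is clear why both audit capabilities are present.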
@@ -48,12 +50,12 @@
@{PROC}/@{pid}/oom_adj rw,
@{PROC}/@{pid}/oom_score_adj rw,
/usr/sbin/sshd mrix,
- /var/log/btmp r,
+ /var/log/btmp rw,
/{,var/}run w,
/{,var/}run/sshd{,.init}.pid wl,
@{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/loginuid w,
+ @{PROC}/@{pid}/loginuid rw,
@{PROC}/@{pid}/limits r,
# should only be here for use in non-change-hat openssh
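Review bot: two permissions are widened in this hunk without explanation: /var/log/btmp goes from "r" to "rw" and @{PROC}/@{pid}/loginuid from "w" to "rw". Please state which of the two was blocking logins, and for /var/log/btmp check whether append ("a") in place of "w" is enough, since "rw" also allows existing failed-login records to be overwritten.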
Greets
Evgeni
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)