[pkg-apparmor] Bug#809649: ssh login not possible when setting usr.sbin.sshd to enforced
Evgeni Golov
evgeni at debian.org
Sat Jan 2 14:19:10 UTC 2016
Hi,
On Sat, Jan 02, 2016 at 02:52:47PM +0100, Christian Boltz wrote:
> I just tested on openSUSE and got similar results, but also some small
> differences:
Thanks for verifying. Just out of interest, which OpenSSH version do you have?
> - I additionally need capability sys_ptrace,
> - I don't need w access to /var/log/btmp (but nevertheless it makes
> sense to allow it)
These might or might not be dependent on the OpenSSH version.
> + @{PROC}/cmdline r,
> + @{PROC}/1/environ r,
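Review bot: The two added rules `@{PROC}/cmdline r,` and `@{PROC}/1/environ r,` carry no comment saying why sshd needs to read the kernel command line or the init process's environment. Since login is reported in this thread to work without them, either add a profile comment justifying each rule, or use explicit `deny` rules for these two paths so the denials are no longer logged and no read access is granted.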
While I also get denials for these two on my Stretch VM, I did not add them
in my initial version, as ssh seemed to work fine without and I really see
no reason why the kernel commandline or the environment of the init process
should matter to the ssh daemon.
> Can you please test with this patch? (In theory the added owner
> restrictions could cause denials.)
Yes, seems to work fine for me.
> I'll submit the patch upstream as soon as you report back ;-)
Cool. Thanks!
Greets
Evgeni