AppArmor shared profiles

In the past with SLES 11 SP3 and SP4 I could go into AppArmor and there were some shared/community profiles available that others had created to provide a "sample" for applications I was looking for. I am updating a BIND server from SLES 11 SP4 to SLES 12 SP1, and when I attempted to create the AppArmor profile that option wasn't there. In fact, the AppArmor YaST settings are very small compared to the previous version. I looked at the SLES 11 SP4 AppArmor profile and a lot appears to have changed with SLES 12 SP1, so I am looking for recommendations on setting up a good AppArmor profile for BIND. This is just going to be used as a forwarder to the Cisco OpenDNS service, but I want to secure this box, specifically AppArmor the named service.

Here is what I have from SLES 11sp4

[CODE]# Last Modified: Mon Oct 17 12:17:06 2011
# $Id: usr.sbin.named 559 2007-04-10 23:05:33Z agruen $
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.

#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/xad>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  /** r,
  /dyn/** rwl,
  /slave/* rw,
  /tmp/DNS_* rw,
  /usr/bin/dnskeygen mix,
  /usr/bin/dnsquery mix,
  /usr/sbin/named mrix,
  /usr/sbin/named-xfer mix,
  /var/lib/named/** rwl,
  /var/named/** rwl,
  /var/opt/novell/xad/ds/krb5kdc/krb5.keytab r,
  /var/run/ wl,
  /var/run/named/ wl,
  /var/run/ndc wl,
  /var/tmp/DNS_* rw,
}[/CODE]

When I look at my SLES 12 SP1 server, some of these files are not present. I am just looking for a basic AppArmor profile for named. I see plenty for Ubuntu, but I am not sure if those would work. I am guessing not, since the file locations are different.
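When carrying a profile like the one above from one release to another, the first thing worth knowing is which of its path rules still point at anything on the new host, and which of them grant write, append or link access. The script below is an added example, not code from the poster or from SUSE: it parses the rule body of the quoted profile (embedded as a constructed sample), derives the literal filesystem anchor each rule depends on (the part before the first glob character), checks whether that anchor exists, and lists the stale rules and the write-capable rules. The `exists` callback is injectable so the audit can run against a recorded file list from the target instead of the live filesystem.

```python
"""Audit an AppArmor profile's path rules against a target filesystem."""
import os
import re
from typing import Callable, Dict, List, NamedTuple

# Constructed sample: rule body of the SLES 11 SP4 usr.sbin.named profile
# quoted in the post (header comments omitted).
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/xad>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  /** r,
  /dyn/** rwl,
  /slave/* rw,
  /tmp/DNS_* rw,
  /usr/bin/dnskeygen mix,
  /usr/bin/dnsquery mix,
  /usr/sbin/named mrix,
  /usr/sbin/named-xfer mix,
  /var/lib/named/** rwl,
  /var/named/** rwl,
  /var/opt/novell/xad/ds/krb5kdc/krb5.keytab r,
  /var/run/ wl,
  /var/run/named/ wl,
  /var/run/ndc wl,
  /var/tmp/DNS_* rw,
}
"""

# "<path> <perms>," where perms use AppArmor's r/w/a/k/l/m and x qualifiers.
PATH_RULE = re.compile(r"^(/\S*)\s+([rwaklmixpPuUcC]+),$")
CAP_RULE = re.compile(r"^capability\s+(\w+),$")
GLOB_CHARS = "*?[{"


class PathRule(NamedTuple):
    path: str      # rule text as written in the profile
    perms: str     # permission letters
    anchor: str    # literal filesystem path the rule depends on
    present: bool  # whether that anchor exists on the audited system


def glob_anchor(path: str) -> str:
    """Literal prefix a globbed rule depends on.

    '/dyn/**' -> '/dyn/', '/tmp/DNS_*' -> '/tmp/', '/var/run/ndc' unchanged.
    """
    cut = min([path.find(ch) for ch in GLOB_CHARS if ch in path] + [len(path)])
    literal = path[:cut]
    if cut == len(path):
        return literal  # no glob: the rule names a single object
    # a glob may start mid-component ('/tmp/DNS_*'): fall back to its directory
    return literal[: literal.rfind("/") + 1]


def parse_profile(text: str,
                  exists: Callable[[str], bool] = os.path.exists) -> Dict[str, list]:
    """Collect capability and path rules; skips includes, comments and braces."""
    caps: List[str] = []
    rules: List[PathRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue
        cap = CAP_RULE.match(line)
        if cap:
            caps.append(cap.group(1))
            continue
        rule = PATH_RULE.match(line)
        if rule:
            path, perms = rule.groups()
            anchor = glob_anchor(path)
            rules.append(PathRule(path, perms, anchor, exists(anchor)))
    return {"capabilities": caps, "paths": rules}


def stale_rules(report: Dict[str, list]) -> List[str]:
    """Rules whose anchor is absent: candidates to drop on the new host."""
    return [r.path for r in report["paths"] if not r.present]


def writable_rules(report: Dict[str, list]) -> List[str]:
    """Rules granting write, append or link: review these most closely."""
    return [r.path for r in report["paths"] if set(r.perms) & set("wal")]


if __name__ == "__main__":
    result = parse_profile(SAMPLE_PROFILE)
    for r in result["paths"]:
        status = "ok  " if r.present else "GONE"
        print(f"{status} {r.path:45} {r.perms:6} anchor={r.anchor}")
    print("stale:", stale_rules(result))
    print("write-capable:", writable_rules(result))
```

Run it on the target host to see which rules can go; anything still present but write-capable (for a forwarder, typically only the named working directory and its PID directory) is what the new profile should be narrowed down to.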

