In the past with SLES 11 sp3 and sp4 I could go into AppArmor and there were some shared/community profiles available that others had created to help provide a “sample” for applications I was looking for. I am updating a BIND server from SLES 11sp4 to SLES 12sp1 and when I attempted to create the AppArmor profile that option wasn’t there. In fact, the AppArmor Yast settings are very small when compared to the previous version. I looked at the SLES 11sp4 AppArmor profile and a lot appears to have changed with SLES 12sp1, so I am looking for recommendations on setting up a good AppArmor profile for BIND. This is just going to be used as a forwarder to the Cisco openDNS service, but I want to secure this box, specifically AppArmor the named service.
Here is what I have from SLES 11sp4
[CODE]# Last Modified: Mon Oct 17 12:17:06 2011
# $Id: usr.sbin.named 559 2007-04-10 23:05:33Z agruen $
# ------------------------------------------------------------------
# Copyright (C) 2002-2005 Novell/SUSE
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
# ------------------------------------------------------------------
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/xad>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # File rules: r read, w write, l link, m mmap executable,
  # ix execute while inheriting this profile
  /** r,
  /dyn/** rwl,
  /slave/* rw,
  /tmp/DNS_* rw,
  /usr/bin/dnskeygen mix,
  /usr/bin/dnsquery mix,
  /usr/sbin/named mrix,
  /usr/sbin/named-xfer mix,
  /var/lib/named/** rwl,
  /var/named/** rwl,
  /var/opt/novell/xad/ds/krb5kdc/krb5.keytab r,
  /var/run/named.pid wl,
  /var/run/named/named.pid wl,
  /var/run/ndc wl,
  /var/tmp/DNS_* rw,
}
[/CODE]
When I look at my SLES 12sp1 server some of these files are not present. Just looking for a basic AppArmor profile for named. I see plenty for Ubuntu but not sure if those would work. I am guessing not since the file locations are different.
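The post's practical problem is working out which of the old profile's paths still exist on the newer host. The shell script below is an added example, not part of the post and not one of SUSE's shipped profiles: it pulls the file rules out of an AppArmor profile, trims glob tails back to a testable parent directory, and reports every path that is absent on the machine it runs on. The sample profile it writes to a temporary file is constructed for the demonstration, and the paths in it (including the deliberately missing /nonexistent/example) are illustrative.

```shell
#!/bin/sh
# Added example (not from the post or SUSE): report which file paths referenced
# by an AppArmor profile are absent on the host the profile is being ported to.

# profile_paths PROFILE
# Print the path of every file rule (and the profile's own binary line), one per
# line, sorted and de-duplicated. Glob tails such as /**, /* or DNS_* are cut
# back to the nearest parent directory so that existence can actually be tested.
profile_paths() {
    grep -E '^[[:space:]]*/' "$1" | awk '{ print $1 }' |
    while IFS= read -r p; do
        case "$p" in
            *'*'*)
                # drop the last path component that contains a glob, plus its tail
                p=$(printf '%s\n' "$p" | sed -e 's#/[^/]*\*.*$##')
                [ -n "$p" ] || p=/
                ;;
        esac
        printf '%s\n' "$p"
    done | sort -u
}

# missing_paths PROFILE
# Print "missing <path>" for each rule path that does not exist on this host.
# Returns 0 when every path exists, 1 otherwise. Rule paths containing spaces
# (which AppArmor quotes) are not handled by this simple parser.
missing_paths() {
    rc=0
    for p in $(profile_paths "$1"); do
        if [ ! -e "$p" ]; then
            printf 'missing %s\n' "$p"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample profile used for the demonstration; the paths are
# illustrative and /nonexistent/example is deliberately absent.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#include <tunables/global>
/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  capability net_bind_service,
  /usr/sbin/named mrix,
  /tmp/DNS_* rw,
  /var/lib/named/** rwl,
  /var/run/named/named.pid wl,
  /nonexistent/example/** r,
}
EOF

# Stand-alone run: list what this host lacks. A non-zero status is expected
# when something is missing, so do not let it abort the script.
missing_paths "$SAMPLE" || :
```

To use it on the real profile, call `missing_paths /etc/apparmor.d/usr.sbin.named` on the SLES 12 box. Rules for paths that no longer exist do no harm by themselves, but each one is a prompt to check whether the corresponding file moved (and needs a new rule) or went away with the old package (and the rule can be dropped), which is the review the post describes doing by hand.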