d/apparmor-profile: allow access to /var/lib/unbound when chrooted to /etc/unbound (#1010517)
Michael Tokarev
2 years ago
31 | 31 | audit deny /etc/unbound/unbound_server.key w, |
32 | 32 | |
33 | 33 | # chrooted paths |
34 | /var/lib/unbound/** r, | |
35 | owner /var/lib/unbound/** rw, | |
36 | audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw, | |
37 | audit deny /var/lib/unbound/**/unbound_server.key w, | |
34 | # unbound can be chrooted into /etc/unbound (upstream default) with | |
35 | # /var/lib/unbound/ bind-mounted to /etc/unbound/var/lib/unbound/, | |
36 | # or it can be chrooted into /var/lib/unbound/ with /etc/unbound/ copied | |
37 | # into there (previous debian package default). | |
38 | /{,etc/unbound/}var/lib/unbound/** r, | |
39 | owner /{,etc/unbound/}var/lib/unbound/** rw, | |
40 | audit deny /{,etc/unbound/}var/lib/unbound/**/unbound_control.{key,pem} rw, | |
41 | audit deny /{,etc/unbound/}var/lib/unbound/**/unbound_server.key w, | |
38 | 42 | |
39 | 43 | /usr/sbin/unbound mr, |
40 | 44 |
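Review bot: The two `audit deny` rules on new lines 40-41 keep the `**/` segment before the file name, which as far as I know only matches when at least one directory sits between `var/lib/unbound/` and the key file. A key or certificate placed directly in the data directory under either layout would therefore fall through to the `owner ... rw` rule on line 39 instead of being denied and audited. If that case should be covered too, make the intermediate path optional, e.g. `audit deny /{,etc/unbound/}var/lib/unbound/{,**/}unbound_control.{key,pem} rw,` and the same for `unbound_server.key w`. It would also help to extend the comment with one line saying that `{,etc/unbound/}` expands to both the plain and the chroot-prefixed path.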