42 lines
1.3 KiB
Text
42 lines
1.3 KiB
Text
#include <tunables/global>
|
|
|
|
profile ldap-auth-server flags=(attach_disconnected,mediate_deleted) {
|
|
#include <abstractions/base>
|
|
|
|
# Capabilities
|
|
file,
|
|
signal (send) set=(kill,term,int,hup,cont),
|
|
|
|
# S6-Overlay
|
|
/init ix,
|
|
/bin/** ix,
|
|
/usr/bin/** ix,
|
|
/run/{s6,s6-rc*,service}/** ix,
|
|
/package/** ix,
|
|
/command/** ix,
|
|
/etc/services.d/** rwix,
|
|
/etc/cont-init.d/** rwix,
|
|
/etc/cont-finish.d/** rwix,
|
|
/run/{,**} rwk,
|
|
/dev/tty rw,
|
|
|
|
# Access to options.json and other files within your addon
|
|
/data/** rw,
|
|
|
|
profile /usr/bin/ldap-auth-server flags=(attach_disconnected,mediate_deleted) {
|
|
#include <abstractions/base>
|
|
|
|
# Receive signals from S6-Overlay
|
|
signal (receive) peer=*_ldap-auth-server,
|
|
|
|
# Access to options.json and other files within your addon
|
|
/data/** rw,
|
|
|
|
# Access required for service functionality
|
|
# Note: List was built by doing the following:
|
|
# 1. Add what is obviously needed based on what is in the script
|
|
# 2. Add `complain` as a flag to this profile temporarily and run the addon
|
|
# 3. Review the audit log with `journalctl _TRANSPORT="audit" -g 'apparmor="ALLOWED"'` and add other access as needed
|
|
# Remember to remove the `complain` flag when you are done
|
|
}
|
|
}
|