/etc/apparmor.d/usr.sbin.ejabberdctl is in ejabberd 16.01-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 | #include <tunables/global>
/usr/sbin/ejabberdctl {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
capability net_bind_service,
capability dac_override,
/bin/bash rmix,
/bin/dash rmix,
/bin/date ix,
/bin/grep ix,
/bin/sed ix,
/bin/sleep ix,
/bin/su px -> /usr/sbin/ejabberdctl//su,
profile su {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
capability audit_write,
capability setgid,
capability setuid,
capability sys_resource,
@{PROC}/@{pid}/loginuid r,
@{PROC}/1/limits r,
/bin/bash px -> /usr/sbin/ejabberdctl,
/bin/dash px -> /usr/sbin/ejabberdctl,
/bin/su r,
/etc/environment r,
/etc/default/locale r,
/etc/security/limits.d** r,
/lib/@{multiarch}/libpam.so* rm,
}
/etc/ejabberd** r,
/etc/default/ejabberd r,
/run/ejabberd** rw,
/sys/devices/system/cpu** r,
/sys/devices/system/node** r,
/usr/bin/cut ix,
/usr/bin/erl ix,
/usr/bin/expr ix,
/usr/bin/flock ix,
/usr/bin/getent ix,
/usr/bin/id ix,
/usr/bin/seq ix,
/usr/lib/erlang/bin/erl ix,
/usr/lib/erlang/erts-*/bin/beam* ix,
/usr/lib/erlang/erts-*/bin/child_setup ix,
/usr/lib/erlang/erts-*/bin/epmd ix,
/usr/lib/erlang/erts-*/bin/erlexec ix,
/usr/lib/erlang/erts-*/bin/inet_gethost ix,
/usr/lib/erlang/lib/**.so rm,
/usr/lib/erlang/p1_pam/bin/epam px -> /usr/sbin/ejabberdctl//su,
/usr/sbin/ejabberdctl r,
/var/backups/ rw,
/var/backups/ejabberd** rwlk,
/var/lib/ejabberd** rw,
/var/log/ejabberd/* rwlk,
/var/run/ejabberd** rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.ejabberdctl>
}
|