Originally Posted by topdog
I wonder why they would ship a policy that does not work. I am not sure if it will work in the chroot, as most MAC systems use the real file path. Test if you can and let us know.
Well, the policy did work until I moved & chrooted it... so IMHO that makes sense, because that's part of what AppArmor is supposed to do (my rudimentary understanding of creating a hat).
I used a symbolic link for all libraries that have paths hard-coded (if I understand you correctly). BIND seems to behave properly, so until now all is well.
I still don't know if there's a point in using chrooting & AppArmor at the same time, as it might as well weaken security instead of additional hardening...
If someone knows of a deprecated package with known weaknesses, I might be able to test those in this kind of environment (why aren't there 48h days?).
But before that I have to solve another issue with compiling the ISPConfig package, as it's complaining about wrong syntax in an empty httpd.conf.