From: Jeff Mahoney <jeffm@suse.com>

Subject: Fix for sshd profile
References: bnc#457072

 Without this patch, sshd won't work in enforce mode.

 libselinux accesses /proc/filesystems to determine if it's enabled
 bash won't execute
 audit_control is probably from libselinux too

Updated by Christian Boltz <apparmor@cboltz.de>:
- add /proc/*/oom_adj and oom_score_adj rw
- add /var/log/btmp r
- add /var/log/lastlog k
- removed capability sys_ptrace - doesn't seem to be needed
- changed all login shells to rUx, not only bash
- removed /proc/filesystems (already part of abstractions/base)

Acked-By: John Johansen <john.johansen@canonical.com>
with the following note:
 ACK because I don't see a choice right now but for the 3.0 release
 (next year) I'll ask you to retest and add newer audit controls.

profiles/apparmor/profiles/extras/usr.sbin.sshd

@@ -29,6 +29,7 @@
   capability kill,
   capability setgid,
   capability setuid,
+  capability audit_control,
 
   /dev/ptmx rw,
   /dev/urandom r,
@@ -37,7 +38,11 @@
   /etc/hosts.deny r,
   /etc/modules.conf r,
   /etc/ssh/* r,
+  /proc/*/oom_adj rw,
+  /proc/*/oom_score_adj rw,
   /usr/sbin/sshd mrix,
+  /var/log/btmp r,
+  /var/log/lastlog k,
   /{,var/}run w,
   /{,var/}run/sshd{,.init}.pid wl,
 
@@ -46,16 +51,16 @@
 
 # should only be here for use in non-change-hat openssh
 # duplicated from EXEC hat
-  /bin/ash Ux,
+  /bin/ash rUx,
-  /bin/bash Ux,
+  /bin/bash rUx,
-  /bin/bash2 Ux,
+  /bin/bash2 rUx,
-  /bin/bsh Ux,
+  /bin/bsh rUx,
-  /bin/csh Ux,
+  /bin/csh rUx,
-  /bin/ksh Ux,
+  /bin/ksh rUx,
-  /bin/sh Ux,
+  /bin/sh rUx,
-  /bin/tcsh Ux,
+  /bin/tcsh rUx,
-  /bin/zsh Ux,
+  /bin/zsh rUx,
-  /sbin/nologin Ux,
+  /sbin/nologin rUx,
 
 # Call passwd for password change when expired
 #  /usr/bin/passwd Px,