[apparmor] [new files] various new profiles
Christian Boltz
apparmor at cboltz.de
Sun Apr 3 21:18:20 UTC 2011
Hello,
another result of comparing my profiles with those in bzr:
several profiles are not yet in bzr.
Attached are profiles for:
bin.hostname
bin.logger
usr.bin.mysqld_safe
usr.bin.uptime
usr.lib.courier-authlib.authdaemond
usr.lib.courier-imap.couriertcpd
usr.lib.mailman.bin.add_members
usr.lib.mailman.bin.mailmanctl
usr.lib.mailman.bin.remove_members
usr.lib.mailman.mail.mailman
usr.lib.man-db.manconv
usr.sbin.amavisd
usr.sbin.clamd
usr.sbin.courierlogger
usr.sbin.couriertls
usr.sbin.imaplogin
usr.sbin.openvpn
usr.sbin.pop3login
usr.sbin.sqlgrey
Basically the same notes as in my mail with the profile changes apply:
they have grown historically (starting with openSUSE 11.1) and might be
based on old abstractions/* etc.
Again: If something looks strange, please ask ;-)
Please also tell me if I should submit the profiles to apparmor.d or to
apparmor/profiles/extras. I'm using all attached profiles on an openSUSE
11.3 server, so from my POV they are good enough for apparmor.d ;-)
BTW: the reason why I listed the filenames above is that you can just
quote the mail and add comments per filename.
The profiles are attached
a) as separate text files
b) as all-profiles.tar.gz
Choose whatever is easier to handle for you ;-) - both variants contain
the same profiles.
I guess that should give you enough to review for the next days *eg*
I have some more profiles pending - however I'll have to review them
again because
- some probably need a tunable (for example for the mail directory)
- some are very specific for my setup
- other reasons
Just for reference, here's the list of those profiles:
usr.bin.maildrop
usr.bin.mailgraph.pl
usr.bin.modlogan
usr.lib.mailman.bin.qrunner
usr.sbin.logresolve.pl2
usr.sbin.named
usr.sbin.pop3d
Regards,
Christian Boltz
--
> [HD mit badblocks] NACK, es kommt immer auf den Anwendungszweck an.
> Für ein Lern- / Experimentiersystem lohnt sich keine neue HD, solange
> es zu funktionieren scheint.
Experimente auf welchem Sektor? Spanabhebende Storage-Lösungen?
[> Al Bogner und Thomas Dreher in suse-linux]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: all-profiles.tar.gz
Type: application/x-compressed-tar
Size: 2812 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110403/5d41517f/attachment-0001.bin>
-------------- next part --------------
# vim:syntax=apparmor
# Last Modified: Tue Jan 23 22:12:36 2007
# Profile for /bin/hostname.
# Reading the hostname needs nothing beyond the base abstraction; setting it
# (sethostname(2)) is what requires the capability below.
#include <tunables/global>
/bin/hostname {
#include <abstractions/base>
#include <abstractions/consoles>
# nameservice: presumably for `hostname -f` / `-i` style lookups -- NOTE(review): confirm.
#include <abstractions/nameservice>
# CAP_SYS_ADMIN is a very broad capability; here it is only meant to cover
# changing the hostname. Keep it in mind when reviewing audit logs for this profile.
capability sys_admin,
# m = may be mmap'ed executable, r = readable: the confined binary itself.
/bin/hostname mr,
}
-------------- next part --------------
# Last Modified: Tue Aug 10 20:15:10 2010
# Profile for /bin/logger (writes messages to syslog).
# Syslog access itself comes via the base abstraction; no capabilities are needed.
#include <tunables/global>
/bin/logger {
#include <abstractions/base>
#include <abstractions/consoles>
# The confined binary itself (mmap + read).
/bin/logger mr,
# Read-only access to logrotate's temporary files in /tmp -- presumably logrotate
# pipes output through logger. NOTE(review): this is not `owner`-qualified, so it
# matches files created by any user under that name; confirm whether `owner` suffices.
/tmp/logrotate.* r,
}
-------------- next part --------------
# Last Modified: Wed May 6 00:49:13 2009
# Profile for couriertcpd, the Courier-IMAP listener that accepts TCP
# connections and hands them to the per-protocol login helpers.
#include <tunables/global>
/usr/lib/courier-imap/couriertcpd {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
# Needed to bind the privileged (< 1024) IMAP/POP3 ports.
capability net_bind_service,
# NOTE(review): sys_ptrace is unusual for a network listener; this is probably
# triggered by it inspecting other processes under /proc -- confirm from the
# audit log whether it is really required, and drop it if not.
capability sys_ptrace,
# The confined binary itself.
/usr/lib/courier-imap/couriertcpd mr,
# Px: each helper runs under its own profile with the environment scrubbed,
# so a compromise of a login helper stays within that helper's profile.
/usr/sbin/couriertls Px,
/usr/sbin/imaplogin Px,
/usr/sbin/pop3login Px,
# nscd's services cache; owner-qualified.
owner /var/run/nscd/services r,
}
-------------- next part --------------
# Last Modified: Thu Aug 5 13:22:03 2010
# Profile for mysqld_safe, the shell wrapper that starts and supervises mysqld.
# Most rules below are the coreutils the wrapper script calls; they run with
# `ix` (inherit this profile), so they cannot escape its restrictions.
#include <tunables/global>
/usr/bin/mysqld_safe {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/mysql>
#include <abstractions/nameservice>
# chown/fowner/dac_override: the wrapper fixes ownership of the datadir and
# log files before dropping to the mysql user -- NOTE(review): confirm all
# four are still exercised; each one widens what a compromised wrapper can do.
capability chown,
capability dac_override,
capability fowner,
capability sys_ptrace,
# NOTE(review): write access to the root directory itself. The author already
# marked this as questionable ("????"); it almost certainly stems from a single
# audit event for a specific path and should be narrowed to that path (or to
# the real datadir) rather than left as `/ w`. TODO identify the triggering path.
owner / w, # ????
/bin/bash rix,
/bin/cat rix,
/bin/chown rix,
/bin/date rix,
/bin/grep rix,
/bin/hostname rix,
/bin/kill rix,
# rUx: ps runs *unconfined* (environment scrubbed). Anything ps does is outside
# this policy -- NOTE(review): `rix` or a dedicated profile would be tighter.
/bin/ps rUx,
/bin/rm rix,
/bin/sed rix,
/bin/touch rix,
/dev/tty rw,
# Server configuration; /root/.my.cnf may hold credentials, read-only here.
/etc/my.cnf r,
/root/.my.cnf r,
/usr/bin/dirname rix,
/usr/bin/expr rix,
/usr/bin/my_print_defaults rix,
# The confined binary itself.
/usr/bin/mysqld_safe mr,
/usr/bin/nice rix,
/usr/bin/nohup rix,
/usr/bin/tee rix,
# Px: the actual server runs under its own profile with a scrubbed environment.
/usr/sbin/mysqld Px,
# Error log, pid file and socket handled by the wrapper.
/var/lib/mysql/*.err w,
/var/lib/mysql/mysqld.log w,
/var/lib/mysql/mysqld.pid rw,
/var/log/mysql/mysqld.log w,
/var/run/mysql/mysql.sock w,
}
-------------- next part --------------
# Last Modified: Fri Mar 6 21:50:15 2009
# Profile for /usr/bin/uptime.
#include <tunables/global>
/usr/bin/uptime {
#include <abstractions/base>
#include <abstractions/consoles>
# Load average and uptime come from procfs (@{PROC} is set by tunables/global).
@{PROC}/loadavg r,
@{PROC}/uptime r,
# The confined binary itself.
/usr/bin/uptime mr,
# utmp is consulted for the logged-in user count. NOTE(review): uptime only
# needs to read it; the `w` and `k` (lock) bits are probably a side effect of
# how libc opens the file -- confirm from the audit log before keeping them.
/var/run/utmp rwk,
}
-------------- next part --------------
# Last Modified: Sat Mar 7 21:02:28 2009
# Profile for authdaemond, the Courier authentication daemon. It answers
# authentication requests from the login helpers over a unix socket and, in
# this setup, looks users up via MySQL.
#include <tunables/global>
/usr/lib/courier-authlib/authdaemond {
#include <abstractions/base>
#include <abstractions/mysql>
#include <abstractions/nameservice>
# NOTE(review): dac_override bypasses file permission checks entirely; it is
# presumably needed for the socket directory -- confirm, and drop if not.
capability dac_override,
# authlib configuration (includes the database credentials), read-only.
/etc/authlib/* r,
# The confined binary itself.
/usr/lib/courier-authlib/authdaemond mr,
# The authentication socket and its temporary file created during startup.
/var/run/authdaemon.courier-imap/socket w,
/var/run/authdaemon.courier-imap/socket.tmp rw,
owner /var/run/nscd/services r,
}
-------------- next part --------------
# Last Modified: Mon Apr 20 13:36:58 2009
# Profile for Mailman's remove_members admin script (a Python program).
# Python itself runs with `ix`, i.e. inside this profile.
#include <tunables/global>
/usr/lib/mailman/bin/remove_members {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/python>
# The interpreter (any python2.x) inherits this profile.
/usr/bin/python2.? rix,
# Mailman's own modules and their byte-compiled forms, read-only.
/usr/lib/mailman/Mailman/**.py r,
/usr/lib/mailman/Mailman/**.pyc r,
/usr/lib/mailman/bin/paths.py r,
/usr/lib/mailman/bin/paths.pyc r,
# The confined script itself.
/usr/lib/mailman/bin/remove_members mr,
/usr/lib/mailman/messages/*/LC_MESSAGES/mailman.mo r,
# NOTE(review): only the bundled email package is allowed here, whereas the
# add_members profile allows all of pythonlib/** -- presumably intentional
# (smaller surface), but check that remove_members never imports more.
/usr/lib/mailman/pythonlib/email/*.py r,
/usr/lib/mailman/pythonlib/email/*.pyc r,
/usr/lib/mailman/templates/** r,
/usr/lib64/python2.?/lib-dynload/*.so mr,
# List configuration is rewritten via temp file + rename/link, hence rwl.
/var/lib/mailman/lists/*/config.pck* rwl,
/var/lib/mailman/locks/* rwl,
/var/lib/mailman/logs/locks rw,
/var/lib/mailman/logs/subscribe rw,
# Outgoing notifications are queued here.
/var/lib/mailman/qfiles/virgin/* rw,
}
-------------- next part --------------
# Last Modified: Mon Apr 20 13:36:58 2009
# Profile for Mailman's add_members admin script (a Python program).
# Python itself runs with `ix`, i.e. inside this profile.
#include <tunables/global>
/usr/lib/mailman/bin/add_members {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/python>
# NOTE(review): dac_override bypasses file permission checks; the sibling
# remove_members profile manages without it -- confirm which file access
# triggers it and whether fixing ownership/permissions would avoid it.
capability dac_override,
# The interpreter (any python2.x) inherits this profile.
/usr/bin/python2.? rix,
# Mailman's own modules and their byte-compiled forms, read-only.
/usr/lib/mailman/Mailman/**.py r,
/usr/lib/mailman/Mailman/**.pyc r,
# The confined script itself.
/usr/lib/mailman/bin/add_members mr,
/usr/lib/mailman/bin/paths.py r,
/usr/lib/mailman/bin/paths.pyc r,
/usr/lib/mailman/messages/*/LC_MESSAGES/mailman.mo r,
# Whole bundled library (the remove_members profile only allows pythonlib/email/).
/usr/lib/mailman/pythonlib/**.py r,
/usr/lib/mailman/pythonlib/**.pyc r,
/usr/lib/mailman/templates/** r,
/usr/lib64/python2.?/lib-dynload/*.so mr,
# List configuration is rewritten via temp file + rename/link, hence rwl.
/var/lib/mailman/lists/*/config.pck* rwl,
/var/lib/mailman/locks/* rwl,
/var/lib/mailman/logs/locks w,
/var/lib/mailman/logs/subscribe rw,
# Outgoing notifications are queued here (pickle files only, narrower than remove_members).
/var/lib/mailman/qfiles/virgin/*.pck* rw,
}
-------------- next part --------------
# Last Modified: Thu Apr 23 20:00:10 2009
# Profile for the mail wrapper that the MTA invokes to deliver messages into
# Mailman's queues. This is the component exposed to untrusted mail, so it
# deliberately has no capabilities and no network access beyond the base abstraction.
#include <tunables/global>
/usr/lib/mailman/mail/mailman {
#include <abstractions/base>
#include <abstractions/python>
/etc/mailman/* r,
# The interpreter (any python2.x) inherits this profile.
/usr/bin/python2.? rix,
/usr/lib/mailman/Mailman/**.py r,
/usr/lib/mailman/Mailman/**.pyc r,
# The confined wrapper itself.
/usr/lib/mailman/mail/mailman mr,
/usr/lib/mailman/pythonlib/email/*.py r,
/usr/lib/mailman/pythonlib/email/*.pyc r,
# The delivery scripts are imported as modules, hence read-only is sufficient.
/usr/lib/mailman/scripts/* r,
# /usr/lib*/python2.4/* r, # obsolete?
/usr/lib*/python2.?/lib-dynload/*.so mr,
# NOTE(review): all log files and the whole queue tree are writable; for the
# mail-facing component it would be worth narrowing these to the queues the
# wrapper actually writes (cf. the `qfiles/virgin/` rules in the admin profiles).
/var/lib/mailman/logs/* rw,
/var/lib/mailman/qfiles/** rw,
}
-------------- next part --------------
# Last Modified: Thu Dec 23 23:10:58 2010
# Profile for mailmanctl, which starts/stops the qrunner daemons.
# Note that qrunner is only allowed with `r` here (no exec transition rule),
# so how the runners are executed is not visible from this profile alone --
# NOTE(review): confirm whether they inherit this profile or need their own.
#include <tunables/global>
/usr/lib/mailman/bin/mailmanctl {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/python>
# setuid/setgid: the controller switches to the mailman user; sys_tty_config
# and dac_override are presumably from daemonising -- NOTE(review): confirm.
capability dac_override,
capability setgid,
capability setuid,
capability sys_tty_config,
/etc/mime.types r,
# The interpreter (any python2.x) inherits this profile.
/usr/bin/python2.? rix,
/usr/lib/mailman/Mailman/**.py r,
/usr/lib/mailman/Mailman/**.pyc r,
/usr/lib/mailman/bin/*.py r,
/usr/lib/mailman/bin/*.pyc r,
# The confined script itself.
/usr/lib/mailman/bin/mailmanctl mr,
/usr/lib/mailman/bin/qrunner r,
/usr/lib/mailman/messages/*/LC_MESSAGES/mailman.mo r,
/usr/lib/mailman/pythonlib/**.py r,
/usr/lib/mailman/pythonlib/**.pyc r,
/usr/lib/mailman/templates/** r,
/usr/lib*/python2.?/lib-dynload/*.so mr,
# Runtime state: archives, bounce/held-message data, the master pid file,
# list configs, locks, logs and the queues. Broad, but this is the supervisor.
/var/lib/mailman/archives/private/** rwl,
/var/lib/mailman/data/bounce-events*.pck rw,
/var/lib/mailman/data/heldmsg-* w,
/var/lib/mailman/data/master-qrunner.pid w,
/var/lib/mailman/lists/** rwl,
/var/lib/mailman/locks/* rwl,
/var/lib/mailman/logs/* rw,
/var/lib/mailman/qfiles/** rw,
}
-------------- next part --------------
# Last Modified: Sat Mar 14 15:01:22 2009
# REPOSITORY: http://apparmor.opensuse.org/backend/api cboltz-server 3923
# Profile for manconv (man-db's character set converter). It is a pure
# stdin/stdout filter, so nothing beyond the base abstraction is needed.
#include <tunables/global>
/usr/lib/man-db/manconv {
#include <abstractions/base>
# The confined binary itself.
/usr/lib/man-db/manconv mr,
}
-------------- next part --------------
# Last Modified: Sat Oct 30 00:15:19 2010
# Profile for amavisd (mail content filter). It unpacks untrusted mail
# attachments with the archivers listed below and hands the parts to ClamAV
# and SpamAssassin; every helper runs with `ix`, i.e. inside this profile.
#include <tunables/global>
/usr/sbin/amavisd {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/mysql>
#include <abstractions/nameservice>
#include <abstractions/perl>
# setuid/setgid/chown: privilege drop to the amavis user at startup; kill for
# child management; sys_tty_config presumably from daemonising -- NOTE(review): confirm.
capability chown,
capability dac_override,
capability kill,
capability setgid,
capability setuid,
capability sys_tty_config,
# Explicit deny rules take precedence over any allow rule in this profile,
# so the configuration stays read-only even if a broader write rule is added later.
deny /etc/amavisd.conf w,
deny /etc/amavisd.conf.moved w,
# Archive unpackers for attachments; all inherit this profile (ix).
/bin/cpio rix,
/bin/gzip rix,
/etc/amavisd.conf r,
/etc/amavisd.conf.local r,
/etc/clamd.conf r,
/etc/magic r,
/etc/mail/spamassassin/ r,
/etc/mail/spamassassin/* r,
@{PROC}/uptime r,
# NOTE(review): write-only access to PerlIO temp files in /tmp without `owner`;
# an `owner` qualifier would be the usual hardening for world-writable dirs -- verify.
/tmp/PerlIO_* w,
/usr/bin/bzip2 rix,
/usr/bin/cabextract rix,
/usr/bin/clamscan rix,
/usr/bin/file rix,
/usr/bin/lha rix,
/usr/bin/pax rix,
/usr/bin/perl ix,
/usr/bin/rpm2cpio rix,
/usr/bin/unarj rix,
/usr/bin/unrar rix,
# NOTE(review): the `owner` rule only matches if the amavis user owns
# /usr/bin/uptime, which is unlikely, so it is probably dead. The second rule
# uses lowercase `px` (no environment scrubbing); `Px` would be the safer default.
owner /usr/bin/uptime mr,
/usr/bin/uptime px,
# The confined binary itself.
/usr/sbin/amavisd mr,
/usr/share/misc/magic.mgc r,
/usr/share/spamassassin/ r,
/usr/share/spamassassin/* r,
# ClamAV database (read) and its lock files (rw), plus the clamd socket.
/var/lib/clamav/** r,
/var/lib/clamav/.dbLock rw,
owner /var/lib/clamav/clamd-socket w,
/var/lib/clamav/clamd-socket r,
/var/lib/clamav/daily.inc/.dbLock rw,
/var/lib/clamav/main.inc/.dbLock rw,
/var/run/nscd/services r,
owner /var/run/utmp rwk,
# Working directory for unpacked mail; rwl over the whole tree is broad but
# this is where the untrusted content is processed.
/var/spool/amavis/** rwl,
owner /var/spool/amavis/amavisd.lock k,
/var/spool/amavis/amavisd.lock rwl,
}
-------------- next part --------------
# Last Modified: Sun Oct 31 22:50:37 2010
# Profile for clamd (ClamAV daemon). It scans files it is pointed at over its
# socket -- here the mail parts that amavisd unpacks.
#include <tunables/global>
/usr/sbin/clamd {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
# Privilege drop to the clamav user at startup (presumably) -- NOTE(review): confirm.
capability setgid,
capability setuid,
/etc/clamd.conf r,
# NOTE(review): read access to /proc/<pid>/status of *every* process; if clamd
# only needs its own, `@{PROC}/@{pid}/status r,` would be tighter (the @{pid}
# tunable is available in newer tunables/global -- check the target release).
@{PROC}/*/status r,
# The confined binary itself.
/usr/sbin/clamd mr,
# Signature databases (read-only) plus their lock files, pid file and socket.
/var/lib/clamav/ r,
/var/lib/clamav/** r,
/var/lib/clamav/.dbLock rw,
/var/lib/clamav/clamd-socket rw,
/var/lib/clamav/clamd.pid w,
/var/lib/clamav/daily.inc/.dbLock w,
/var/lib/clamav/main.inc/.dbLock rw,
# Read-only access to the mail parts unpacked by amavisd; the daemon never
# needs to write there, which is exactly what you want for a scanner.
/var/spool/amavis/tmp/amavis-*/parts/ r,
/var/spool/amavis/tmp/amavis-*/parts/* r,
}
-------------- next part --------------
# Last Modified: Fri Mar 6 23:17:09 2009
# Profile for courierlogger, the Courier wrapper that starts the daemons,
# logs their stderr and maintains their pid/lock files.
#include <tunables/global>
/usr/sbin/courierlogger {
#include <abstractions/base>
# NOTE(review): sys_ptrace is unusual for a logging wrapper; the same
# capability appears in the couriertcpd profile, so it is probably triggered
# by /proc access when checking on child processes -- confirm from the audit
# log and drop if it is not actually needed.
capability sys_ptrace,
/dev/tty rw,
# Px: the daemons run under their own profiles with the environment scrubbed.
/usr/lib/courier-authlib/authdaemond Px,
/usr/lib/courier-imap/couriertcpd Px,
# The confined binary itself.
/usr/sbin/courierlogger mr,
# pid files (rw) and their lock files (rwk: k = file locking) for each service.
/var/run/authdaemon.courier-imap/pid rw,
/var/run/authdaemon.courier-imap/pid.lock rwk,
/var/run/imapd-ssl.pid rw,
/var/run/imapd-ssl.pid.lock rwk,
/var/run/imapd.pid rw,
/var/run/imapd.pid.lock rwk,
/var/run/pop3d-ssl.pid rw,
/var/run/pop3d-ssl.pid.lock rwk,
/var/run/pop3d.pid rw,
/var/run/pop3d.pid.lock rwk,
}
-------------- next part --------------
# Last Modified: Sat Oct 16 01:46:01 2010
# Profile for couriertls, the TLS wrapper for the IMAP/POP3 login helpers.
# This process handles the TLS private key, so the file rules matter most here.
#include <tunables/global>
/usr/sbin/couriertls {
#include <abstractions/base>
#include <abstractions/ssl_certs>
# NOTE(review): as in couriertcpd/courierlogger -- confirm sys_ptrace is really needed.
capability sys_ptrace,
network inet stream,
network inet6 stream,
# NOTE(review): this grants read access to *every* private key in
# /etc/ssl/private, not just the one Courier uses. Narrowing it to the
# specific key file(s) would limit exposure if couriertls is compromised.
/etc/ssl/private/* r,
# The confined binary itself.
/usr/sbin/couriertls mr,
# Px: the protocol helpers run under their own profiles with a scrubbed environment.
/usr/sbin/imaplogin Px,
/usr/sbin/pop3login Px,
# NOTE(review): `owner` on the system CA store only matches if the process
# owner also owns those files (i.e. it runs as root); verify this is intended.
owner /usr/share/ca-certificates/** r,
# TLS session cache; two locations, presumably for different Courier versions -- confirm.
owner /var/couriersslcache rwk,
/var/run/couriersslcache rwk,
}
-------------- next part --------------
# Last Modified: Mon Jun 1 11:29:20 2009
# Profile for imaplogin, which authenticates an IMAP session via authdaemond
# and then execs the actual imapd as the mail user.
#include <tunables/global>
/usr/sbin/imaplogin {
#include <abstractions/base>
# Switch to the authenticated user's uid/gid before running imapd.
capability setgid,
capability setuid,
network inet stream,
network inet6 stream,
# Px: imapd runs under its own profile with the environment scrubbed,
# so the post-authentication daemon does not inherit these capabilities.
/usr/sbin/imapd Px,
# The confined binary itself.
/usr/sbin/imaplogin mr,
# Write-only access to the authdaemond socket (the request channel).
/var/run/authdaemon.courier-imap/socket w,
}
-------------- next part --------------
# Last Modified: Sat Jan 3 01:05:36 2009
# Profile for an OpenVPN server instance. The key material is listed file by
# file rather than as a glob, which keeps the readable secrets to exactly the
# ones this server needs.
#include <tunables/global>
/usr/sbin/openvpn {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
# net_admin: configure the tun device and routes; net_bind_service: bind the
# listening port; setuid/setgid: privilege drop after setup; sys_tty_config
# is presumably from daemonising -- NOTE(review): confirm.
capability net_admin,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_tty_config,
# Scripts (e.g. up/down hooks) run via bash inside this profile.
/bin/bash rix,
owner /dev/console rw,
/dev/net/tun rw,
/dev/tty rw,
# Client IP persistence file; the only non-owner-qualified write in /etc/openvpn.
/etc/openvpn/ipp.txt rw,
# CA cert, DH params, server cert/key and TLS-auth key: read-only and owner-qualified.
owner /etc/openvpn/keys/ca.crt r,
owner /etc/openvpn/keys/dh2048.pem r,
owner /etc/openvpn/keys/server.crt r,
owner /etc/openvpn/keys/server.key r,
owner /etc/openvpn/keys/ta.key r,
/etc/openvpn/openvpn-status.log w,
owner /etc/openvpn/server.conf r,
@{PROC}/*/net/route r,
# ip(8) inherits this profile (ix), so net_admin above also covers its route/link changes.
/sbin/ip mrix,
# NOTE(review): every other profile in this set grants its own binary `mr`;
# here it is `r` only and owner-qualified. It evidently works on the author's
# system, but `mr` would match the convention -- check the audit log.
owner /usr/sbin/openvpn r,
# Append-only is enough for the pid file.
owner /var/run/openvpn/server.pid a,
}
-------------- next part --------------
# Last Modified: Sun May 31 16:06:17 2009
# Profile for pop3login, which authenticates a POP3 session via authdaemond
# and then execs pop3d as the mail user (or couriertls for STARTTLS).
#include <tunables/global>
/usr/sbin/pop3login {
#include <abstractions/base>
# Switch to the authenticated user's uid/gid before running pop3d.
capability setgid,
capability setuid,
network inet stream,
network inet6 stream,
# Px: both targets run under their own profiles with the environment scrubbed.
/usr/sbin/couriertls Px,
/usr/sbin/pop3d Px,
# The confined binary itself.
/usr/sbin/pop3login mr,
# Write-only access to the authdaemond socket (the request channel).
/var/run/authdaemon.courier-imap/socket w,
}
-------------- next part --------------
# Last Modified: Sat Jan 3 01:05:36 2009
# Profile for sqlgrey, a Postfix greylisting policy daemon written in Perl
# that stores its state in MySQL. Perl runs with `ix`, i.e. inside this profile.
#include <tunables/global>
/usr/sbin/sqlgrey {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/mysql>
#include <abstractions/nameservice>
#include <abstractions/perl>
# Same capability set as amavisd: chown/setuid/setgid for the privilege drop,
# kill for child handling, sys_tty_config presumably from daemonising.
# NOTE(review): dac_override is the one worth re-checking -- it bypasses
# permission checks entirely and may only be needed because of pid-file ownership.
capability chown,
capability dac_override,
capability kill,
capability setgid,
capability setuid,
capability sys_tty_config,
# Configuration (includes the database credentials), read-only.
/etc/sqlgrey/* r,
/usr/bin/perl ix,
# The confined script itself.
/usr/sbin/sqlgrey mr,
/var/run/nscd/services r,
/var/run/sqlgrey.pid rw,
}