[apparmor] [patch] dovecot profiles
John Johansen
john.johansen at canonical.com
Fri Aug 19 16:10:45 UTC 2011
On 08/19/2011 03:57 AM, Christian Boltz wrote:
> Hello,
>
> I just remembered there's a dovecot profile patch in
> openSUSE:11.4:Update:Text that has not made it into the Factory package
> yet. I just updated it to match trunk.
>
> I hope it's not too late to include it in 2.7 beta ;-)
>
>
I didn't get to creating the release last night, so you're good.
> Changes:
>
> Dovecot profile update:
> - allow /var/spool/mail, not only the /var/mail symlink
> - allow @{HOME}/Mail/
> - allow capability fsetid, read access to /etc/lsb-release and
> SuSE-release and k for /var/{lib,run}/dovecot in usr.bin.dovecot
>
> References:
> - dovecot: Added support for /var/spool/mail (bnc#691072)
> - Updated dovecot profile (bnc#681267).
>
> Patch taken from openSUSE:11.4:Update:Test, file apparmor-profiles-dovecot
> updated to match trunk by Christian Boltz <apparmor at cboltz.de>
>
>
> Regards,
>
> Christian Boltz
> -- <Ohmmmmm> Holy St. Tux, open my eyes, which have been plastered shut with error messages by years of abuse of KleinSoftFenster 3.1 - XP, so that I may see the wonders of the realm called LINUX.</Ohmmmmm> (Heike Hautz in dcoulm)
>
>
> apparmor-profiles-dovecot-updated
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.deliver'
> --- profiles/apparmor.d/usr.lib.dovecot.deliver 2010-08-05 19:00:02 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.deliver 2011-08-19 10:38:48 +0000
> @@ -17,6 +17,7 @@
> @{HOME}/mail/.imap/** klrw,
> /usr/lib/dovecot/deliver mr,
> /var/mail/* klrw,
> + /var/spool/mail/* klrw,
>
> # Site-specific additions and overrides. See local/README for details.
> #include <local/usr.lib.dovecot.deliver>
>
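Review bot: The commit message says the update allows @{HOME}/Mail/, but this hunk only adds `/var/spool/mail/* klrw,`; the deliver profile keeps only the lowercase `@{HOME}/mail/.imap/** klrw,` shown in the context, so a delivery into a user's ~/Mail would still be denied while the imap profile below can read it. If ~/Mail is a supported location, deliver needs the matching rules too. Also, since /var/mail is described as a symlink to /var/spool/mail, the two rules could be folded into one alternation in the style these profiles already use (`/{,var/}run/`), e.g. `/var/{spool/,}mail/* klrw,`, so they cannot drift apart.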
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
> --- profiles/apparmor.d/usr.lib.dovecot.imap 2010-08-05 19:00:02 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.imap 2011-08-19 10:39:44 +0000
> @@ -11,11 +11,15 @@
> @{HOME} r,
> @{HOME}/Maildir/ rw,
> @{HOME}/Maildir/** klrw,
> + @{HOME}/Mail/ rw,
> + @{HOME}/Mail/* klrw,
> + @{HOME}/Mail/.imap/** klrw,
> @{HOME}/mail/ rw,
> @{HOME}/mail/* klrw,
> @{HOME}/mail/.imap/** klrw,
> /usr/lib/dovecot/imap mr,
> /var/mail/* klrw,
> + /var/spool/mail/* klrw,
>
> # Site-specific additions and overrides. See local/README for details.
> #include <local/usr.lib.dovecot.imap>
>
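Review bot: The three new `@{HOME}/Mail/` rules are a case-variant copy of the `@{HOME}/mail/` block that follows them; AppArmor path matching is case-sensitive, so both are needed, but they can be collapsed with the brace alternation the profile already uses for `/{,var/}run/`, e.g. `@{HOME}/{Mail,mail}/ rw,`, `@{HOME}/{Mail,mail}/* klrw,` and `@{HOME}/{Mail,mail}/.imap/** klrw,`, which keeps the two locations from diverging. Note that `@{HOME}/Mail/*` only covers entries directly under Mail while `.imap/**` is recursive; that is consistent with the existing mail rules, so it is fine as long as that is the intended scope.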
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3'
> --- profiles/apparmor.d/usr.lib.dovecot.pop3 2010-08-05 19:00:02 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.pop3 2011-08-19 10:37:59 +0000
> @@ -9,6 +9,7 @@
> capability setuid,
>
> /var/mail/* klrw,
> + /var/spool/mail/* klrw,
> @{HOME} r,
> @{HOME}/mail/* klrw,
> @{HOME}/mail/.imap/** klrw,
>
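Review bot: Unlike the imap hunk, no `@{HOME}/Mail/` rule is added here, yet the commit message does not limit the ~/Mail change to imap; the context shows pop3 already has `@{HOME}/mail/* klrw,`, so a pop3 user whose mailbox lives under ~/Mail would be denied where an imap user is allowed. Either add the matching `@{HOME}/Mail/* klrw,` line here or state in the description that ~/Mail is imap-only.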
> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
> --- profiles/apparmor.d/usr.sbin.dovecot 2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/usr.sbin.dovecot 2011-08-19 10:44:14 +0000
> @@ -13,9 +13,12 @@
> capability setgid,
> capability setuid,
> capability sys_chroot,
> + capability fsetid,
>
> /etc/dovecot/** r,
> /etc/mtab r,
> + /etc/lsb-release r,
> + /etc/SuSE-release r,
> /usr/lib/dovecot/dovecot-auth Pxmr,
> /usr/lib/dovecot/imap Pxmr,
> /usr/lib/dovecot/imap-login Pxmr,
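Review bot: `capability fsetid,` is a broad grant (it lets the process keep setuid/setgid bits on files it modifies) and neither the commit message nor a profile comment says which operation needed it; please cite the denial it fixes and put a comment above the line so the capability can be revisited later instead of accumulating. The two new reads of `/etc/lsb-release` and `/etc/SuSE-release` are harmless; as a style point, the existing capability list is alphabetical (setgid, setuid, sys_chroot), so fsetid belongs before setgid rather than appended at the end.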
> @@ -26,10 +29,10 @@
> /usr/lib/dovecot/managesieve-login Pxmr,
> /usr/lib/dovecot/ssl-build-param ixr,
> /usr/sbin/dovecot mr,
> - /var/lib/dovecot/ w,
> - /var/lib/dovecot/* krw,
> - /{,var/}run/dovecot/ rw,
> - /{,var/}run/dovecot/** rw,
> + /var/lib/dovecot/ wl,
> + /var/lib/dovecot/* krwl,
> + /{,var/}run/dovecot/ rwl,
> + /{,var/}run/dovecot/** rwl,
>
I'm not too fond of adding l here; what/where is it linking to?
> # Site-specific additions and overrides. See local/README for details.
> #include <local/usr.sbin.dovecot>
>
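Review bot: Adding `l` to these four rules grants hard-link creation with these paths as the link name, and AppArmor only allows the link when the target already carries at least the permissions granted on the link name, so the target path matters: if dovecot links from somewhere outside /var/lib/dovecot and /run/dovecot the operation will still be denied, and if it only creates symlinks the existing `w` on the link name already suffices, since symlink creation is mediated as a write rather than through `l`. Please attach the audit log line that prompted the change so the target is known, and drop `l` from the two directory entries (`/var/lib/dovecot/ wl,` and `/{,var/}run/dovecot/ rwl,`), since directories cannot be hard-linked.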