[apparmor] [patch] dovecot profiles

Christian Boltz apparmor at cboltz.de
Sat Aug 20 09:54:00 UTC 2011


Hello,

sorry for not answering earlier - I was away yesterday evening.
And thanks for releasing 2.7 beta1!

On Friday, 19 August 2011, John Johansen wrote:
> On 08/19/2011 09:10 AM, John Johansen wrote:
> > On 08/19/2011 03:57 AM, Christian Boltz wrote:

> >> References:
> >> - dovecot: Added support for /var/spool/mail (bnc#691072)
> >> - Updated dovecot profile (bnc#681267).
> >> 
> >> Patch taken from openSUSE:11.4:Update:Test, file
> >> apparmor-profiles-dovecot
> >> updated to match trunk by Christian Boltz <apparmor at cboltz.de>

> >> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
> >> --- profiles/apparmor.d/usr.sbin.dovecot	2011-07-14 12:57:57 
> >> +++ profiles/apparmor.d/usr.sbin.dovecot	2011-08-19 10:44:14 
[...]
> >> -  /var/lib/dovecot/ w,
> >> -  /var/lib/dovecot/* krw,
> >> -  /{,var/}run/dovecot/ rw,
> >> -  /{,var/}run/dovecot/** rw,
> >> +  /var/lib/dovecot/ wl,
> >> +  /var/lib/dovecot/* krwl,
> >> +  /{,var/}run/dovecot/ rwl,
> >> +  /{,var/}run/dovecot/** rwl,
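Review bot: the `l` added to the two directory rules (`/var/lib/dovecot/ wl` and `/{,var/}run/dovecot/ rwl`) grants nothing, because a directory can be neither the name nor the target of a hard link on Linux; it should be dropped from those two lines. The denial quoted further down in this mail involves only `/var/run/dovecot/login/ssl-parameters.dat.tmp` being linked to `/var/lib/dovecot/ssl-parameters.dat`, so the change that matches the evidence is `l` on the two file rules (`/{,var/}run/dovecot/** rwl,` and `/var/lib/dovecot/* krwl,`), or, narrower still, one explicit rule for that pair such as `link /{,var/}run/dovecot/login/ssl-parameters.dat.tmp -> /var/lib/dovecot/ssl-parameters.dat,`.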
> > 
> > I'm not too fond of adding l here; what/where is it linking to?
> 
> Christian, can you provide some more information about why it needs
> the link permissions and the capability

Good question - I don't use dovecot myself. 

Let me quote from the audit.log attached to 
https://bugzilla.novell.com/show_bug.cgi?id=681267

type=AVC msg=audit(1300700528.088:137): apparmor="DENIED" 
operation="link" parent=1 profile="/usr/sbin/dovecot" 
name="/var/run/dovecot/login/ssl-parameters.dat.tmp" pid=17451 
comm="dovecot" requested_mask="l" denied_mask="l" fsuid=0 ouid=0 
target="/var/lib/dovecot/ssl-parameters.dat"

Does that answer the question?


Regards,

Christian Boltz
-- 
I'll get around to it soon,
but at the moment I have too many extremely unimportant things to do.
[Marcel Schmedes in suse-linux]
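The audit record quoted above is the evidence a profile change like this should be derived from. The following Python script is an added example, not part of this thread or of the AppArmor project: it parses audit(1) key=value records, keeps only the DENIED `link` operations, and turns each one into a pair-specific `link ... -> ...,` rule instead of a blanket `l` on a glob. The sample record is the one from the bug report, joined back onto one line as the kernel emits it; the `link` rule syntax is assumed from apparmor.d(5) and should be checked against the parser version in use.

```python
import re

# Constructed sample: the DENIED record quoted in the mail, as one line.
SAMPLE_LOG = (
    'type=AVC msg=audit(1300700528.088:137): apparmor="DENIED" '
    'operation="link" parent=1 profile="/usr/sbin/dovecot" '
    'name="/var/run/dovecot/login/ssl-parameters.dat.tmp" pid=17451 '
    'comm="dovecot" requested_mask="l" denied_mask="l" fsuid=0 ouid=0 '
    'target="/var/lib/dovecot/ssl-parameters.dat"'
)

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_record(line):
    """Turn one audit(1) line into a dict of key -> value (quotes stripped)."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def denied_link_events(lines):
    """Yield (profile, link_name, target) for every DENIED hard-link attempt.

    Only records with operation="link" and an 'l' in denied_mask count;
    everything else (opens, allowed events, other operations) is skipped.
    """
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get('apparmor') != 'DENIED' or rec.get('operation') != 'link':
            continue
        if 'l' not in rec.get('denied_mask', ''):
            continue
        if 'name' not in rec or 'target' not in rec:
            continue  # malformed record: no link pair to act on
        yield rec['profile'], rec['name'], rec['target']


def suggest_link_rule(link_name, target):
    """Explicit link rule scoped to exactly the pair seen in the log.

    Assumed syntax from apparmor.d(5): link <new name> -> <existing file>,
    This avoids granting 'l' on whole directory globs.
    """
    return f'link {link_name} -> {target},'


if __name__ == '__main__':
    for profile, name, target in denied_link_events([SAMPLE_LOG]):
        print(f'{profile}: {suggest_link_rule(name, target)}')
```

Run over a real `/var/log/audit/audit.log`, the script lists one candidate rule per distinct (name, target) pair, which is easier to review than a diff that adds `l` to four glob rules at once.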


