[apparmor] [patch] dovecot profiles
John Johansen
john.johansen at canonical.com
Sat Aug 20 17:35:50 UTC 2011
On 08/20/2011 02:54 AM, Christian Boltz wrote:
> Hello,
>
> sorry for not answering earlier - I was away yesterday evening.
> And thanks for releasing 2.7 beta1!
>
> On Friday, 19 August 2011, John Johansen wrote:
>> On 08/19/2011 09:10 AM, John Johansen wrote:
>>> On 08/19/2011 03:57 AM, Christian Boltz wrote:
>
>>>> References:
>>>> - dovecot: Added support for /var/spool/mail (bnc#691072)
>>>> - Updated dovecot profile (bnc#681267).
>>>>
>>>> Patch taken from openSUSE:11.4:Update:Test, file
>>>> apparmor-profiles-dovecot
>>>> updated to match trunk by Christian Boltz <apparmor at cboltz.de>
>
>>>> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
>>>> --- profiles/apparmor.d/usr.sbin.dovecot 2011-07-14 12:57:57
>>>> +++ profiles/apparmor.d/usr.sbin.dovecot 2011-08-19 10:44:14
> [...]
>>>> - /var/lib/dovecot/ w,
>>>> - /var/lib/dovecot/* krw,
>>>> - /{,var/}run/dovecot/ rw,
>>>> - /{,var/}run/dovecot/** rw,
>>>> + /var/lib/dovecot/ wl,
>>>> + /var/lib/dovecot/* krwl,
>>>> + /{,var/}run/dovecot/ rwl,
>>>> + /{,var/}run/dovecot/** rwl,
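Review bot: the `l` bit added to the two directory rules (`/var/lib/dovecot/ wl` and `/{,var/}run/dovecot/ rwl`) buys nothing, since hard links to directories cannot be created; and on the two file rules (`/var/lib/dovecot/* krwl`, `/{,var/}run/dovecot/** rwl`) it grants link permission on every name under both trees without naming the link target at all, which is much broader than the single operation the audit log later in this thread shows (name under /var/run/dovecot/login/, target under /var/lib/dovecot/). Suggest dropping `l` from the two directory rules and replacing the per-file `l` with an explicit link rule that pins down both ends, e.g. `link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,`, so the profile states which link pairs are allowed rather than permitting links from anywhere in those trees.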
>>>
>>> I'm not too fond of adding l here; what/where is it linking to?
>>
>> Christian, can you provide some more information about why it needs
>> the link permissions and the capability
>
> Good question - I don't use dovecot myself.
>
> Let me quote from the audit.log attached to
> https://bugzilla.novell.com/show_bug.cgi?id=681267
>
> type=AVC msg=audit(1300700528.088:137): apparmor="DENIED"
> operation="link" parent=1 profile="/usr/sbin/dovecot"
> name="/var/run/dovecot/login/ssl-parameters.dat.tmp" pid=17451
> comm="dovecot" requested_mask="l" denied_mask="l" fsuid=0 ouid=0
> target="/var/lib/dovecot/ssl-parameters.dat"
>
> Does that answer the question?
>
somewhat, /me is now wondering if we could get away with
link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
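The thread's workflow is: read the `operation="link"` denial out of audit.log, then decide between a broad `l` bit and a narrow `link NAME -> TARGET,` rule. The script below is an added example, not code from the thread or from the AppArmor project: it parses an AppArmor audit line into fields, proposes the tightest `link` rule for a link denial, and checks whether a proposed rule (such as the globbed one suggested above) actually covers the denied name/target pair. The sample log line is the one quoted in the thread, rejoined onto a single line; the glob-to-regex converter is my own and handles only `*`, `**`, `?` and non-nested `{a,b}` alternation, which is the subset these profile rules use.

```python
import re

# Sample input: the DENIED line quoted in the thread, rejoined onto one line
# (wrapped in the mail archive). Constructed for this example.
SAMPLE_LOG = (
    'type=AVC msg=audit(1300700528.088:137): apparmor="DENIED" '
    'operation="link" parent=1 profile="/usr/sbin/dovecot" '
    'name="/var/run/dovecot/login/ssl-parameters.dat.tmp" pid=17451 '
    'comm="dovecot" requested_mask="l" denied_mask="l" fsuid=0 ouid=0 '
    'target="/var/lib/dovecot/ssl-parameters.dat"'
)

# key=value pairs; values are either "quoted" or a bare non-space token
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Split an AppArmor audit line into a dict of field name -> value."""
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def suggest_link_rule(fields):
    """For a link denial, return the narrowest rule: exact name and target.

    Returns None for lines that are not link denials, so a caller can run
    this over a whole audit.log and keep only the link-related suggestions.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "link":
        return None
    return "link %s -> %s," % (fields["name"], fields["target"])


def _glob_body(pattern):
    """Translate an AppArmor path glob into a regex body (no anchors).

    Supported: '*' (no '/'), '**' (any chars incl. '/'), '?' (one non-'/'
    char), '{a,b}' alternation without nesting. Everything else is literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        elif pattern[i] == "{":
            j = pattern.index("}", i)  # non-nested alternation only
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(_glob_body(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def glob_to_regex(pattern):
    """Compile a profile path glob into an anchored regex."""
    return re.compile("^" + _glob_body(pattern) + "$")


_LINK_RULE = re.compile(r"^\s*link\s+(\S+)\s*->\s*(\S+?),?\s*$")


def rule_covers(rule, name, target):
    """True if a 'link NAME -> TARGET,' rule matches the denied name/target."""
    m = _LINK_RULE.match(rule)
    if not m:
        raise ValueError("not a link rule: %r" % rule)
    name_ok = glob_to_regex(m.group(1)).match(name) is not None
    target_ok = glob_to_regex(m.group(2)).match(target) is not None
    return name_ok and target_ok


if __name__ == "__main__":
    f = parse_audit_line(SAMPLE_LOG)
    print("exact rule:   ", suggest_link_rule(f))
    # The globbed rule proposed in the thread, checked against the denial.
    proposed = "link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,"
    print("proposed rule:", proposed, "covers denial:",
          rule_covers(proposed, f["name"], f["target"]))
```

Running it over a real audit.log means feeding each `apparmor="DENIED"` line through `parse_audit_line` and `suggest_link_rule`; the exact rule it prints is the safest starting point, and `rule_covers` lets you confirm that any glob you widen it to (for instance to absorb `/run` versus `/var/run`, or the `.tmp` name the daemon renames over) still matches the denial you are trying to fix, without falling back to a bare `l` bit that names no target.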