[apparmor] [patch] dovecot - read access for /proc/*/mounts

Christian Boltz apparmor at cboltz.de
Mon Oct 10 17:31:07 UTC 2011


Hello,

Tim Edwards reported the following audit.log snippet on the
opensuse-factory mailing list:

Oct 10 12:48:24 localhost kernel: [1375671.879183] type=1400
audit(1318243704.530:53): apparmor="DENIED" operation="open"
parent=21582 profile="/usr/sbin/dovecot" name="/proc/21657/mounts"
pid=21657 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0
ouid=0

Therefore I propose the following profile patch to allow read access for 
/proc/*/mounts in the dovecot profile:

=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
--- profiles/apparmor.d/usr.sbin.dovecot       2011-08-26 23:12:10 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot       2011-10-10 17:24:57 +0000
@@ -19,6 +19,7 @@
   /etc/mtab r,
   /etc/lsb-release r,
   /etc/SuSE-release r,
+  @{PROC}/[0-9]*/mounts r,
   /usr/lib/dovecot/dovecot-auth Pxmr,
   /usr/lib/dovecot/imap Pxmr,
   /usr/lib/dovecot/imap-login Pxmr,
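Review bot: the added rule `@{PROC}/[0-9]*/mounts r,` grants read access to the mounts file of every process, while the quoted denial shows dovecot opening only its own entry (pid=21657, name="/proc/21657/mounts") with fsuid=0 and ouid=0. Consider `owner @{PROC}/[0-9]*/mounts r,` so the rule matches only files owned by the accessing uid, which the logged access would still satisfy. Note also that `[0-9]*` matches one digit followed by any characters other than `/`, not strictly a numeric pid, and a one-line comment above the rule saying why dovecot reads this file would help later readers of the profile.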


Regards

Christian Boltz
-- 
And in the old days the winters weren't as cold as they are today. The 10-meter
tower at the swimming pool was much lower. But at night I often had back pain
from throwing so many bags of money out of the window. Good old days.
[Ratti in suse-linux]
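
The step from the logged denial to a profile rule, as an added example that is not part of the original message or of the AppArmor project: it parses the record's key=value fields and derives the rule proposed in the patch, plus an `owner`-qualified variant when fsuid equals ouid. `parse_denial`, `suggest_rules` and the returned keys are hypothetical names, the sample is the quoted record joined onto one line, and only `r`/`w` masks are handled.

```python
import re

# Constructed sample: the denial quoted in the message, joined onto one line.
SAMPLE = ('Oct 10 12:48:24 localhost kernel: [1375671.879183] type=1400 '
          'audit(1318243704.530:53): apparmor="DENIED" operation="open" '
          'parent=21582 profile="/usr/sbin/dovecot" name="/proc/21657/mounts" '
          'pid=21657 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 '
          'ouid=0')

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
PROC_PID = re.compile(r'^/proc/(\d+)(/.+)$')    # /proc/<pid>/<rest>


def parse_denial(line):
    """Return the record's key=value fields, or None unless apparmor="DENIED"."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def suggest_rules(fields):
    """Map one file denial to candidate profile rules (hypothetical helper)."""
    mask = fields["denied_mask"]
    if set(mask) - set("rw"):
        raise ValueError("unsupported mask: " + mask)
    m = PROC_PID.match(fields["name"])
    # Generalise the logged pid to the glob used in the patch.
    path = "@{PROC}/[0-9]*" + m.group(2) if m else fields["name"]
    # True when the process touched its own /proc entry.
    own_pid = bool(m) and m.group(1) == fields.get("pid")
    # The owner qualifier only fits when accessing uid and file owner agree.
    same_uid = "fsuid" in fields and fields["fsuid"] == fields.get("ouid")
    return {
        "profile": fields["profile"],
        "rule": f"{path} {mask},",
        "owner_rule": f"owner {path} {mask}," if same_uid else None,
        "own_pid": own_pid,
    }


if __name__ == "__main__":
    for key, value in suggest_rules(parse_denial(SAMPLE)).items():
        print(f"{key}: {value}")
```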


