[apparmor] [patch] dovecot - read access for /proc/*/mounts

John Johansen john.johansen at canonical.com
Wed Oct 12 06:32:20 UTC 2011


On 10/10/2011 10:31 AM, Christian Boltz wrote:
> Hello,
> 
> Tim Edwards reported the following audit.log snippet on the
> opensuse-factory mailing list:
> 
> Oct 10 12:48:24 localhost kernel: [1375671.879183] type=1400
> audit(1318243704.530:53): apparmor="DENIED" operation="open"
> parent=21582 profile="/usr/sbin/dovecot" name="/proc/21657/mounts"
> pid=21657 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0
> ouid=0
> 
> Therefore I propose the following profile patch to allow read access for 
> /proc/*/mounts in the dovecot profile:
> 
> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
> --- profiles/apparmor.d/usr.sbin.dovecot       2011-08-26 23:12:10 +0000
> +++ profiles/apparmor.d/usr.sbin.dovecot       2011-10-10 17:24:57 +0000
> @@ -19,6 +19,7 @@
>    /etc/mtab r,
>    /etc/lsb-release r,
>    /etc/SuSE-release r,
> +  @{PROC}/[0-9]*/mounts r,
>    /usr/lib/dovecot/dovecot-auth Pxmr,
>    /usr/lib/dovecot/imap Pxmr,
>    /usr/lib/dovecot/imap-login Pxmr,
> 
> 
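Review bot: The added rule `@{PROC}/[0-9]*/mounts r,` grants read on the mounts file of every process, while the reported denial is for the process's own entry (name="/proc/21657/mounts" with pid=21657, fsuid=0 ouid=0). Consider `owner @{PROC}/[0-9]*/mounts r,` so the rule only matches entries whose owner is the calling task's fsuid, which still covers the logged access. Note also that `[0-9]*` matches one digit followed by any characters other than `/`, not digits only; that is harmless under /proc but worth keeping in mind when reading the rule. A one-line comment above the rule stating why dovecot needs to read its mounts would help later profile audits.
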
Acked-by: John Johansen <john.johansen at canonical.com>



