[apparmor] [patch] update and cleanup usr.sbin.dovecot profile

Christian Boltz apparmor at cboltz.de
Wed Dec 3 21:44:26 UTC 2014


Hello,

this patch adds #include <abstractions/dovecot-common> to the 
usr.sbin.dovecot profile. Effectively this adds "deny capability 
block_suspend," which is the only missing part from
https://bugs.launchpad.net/apparmor/+bug/1296667/

It also removes "capability setgid," (covered by 
abstractions/dovecot-common) and "@{PROC}/filesystems r," (part of 
abstractions/base).
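The cleanup described above removes rules that an included abstraction already states. The following is an added example (not part of the patch or of the AppArmor project) that flags such redundant rules; the profile and abstraction texts are constructed stand-ins, not the shipped files, and matching is literal, so rules subsumed by a broader glob in an abstraction are not detected.

```python
import re

# Constructed, simplified stand-ins for the files touched by the patch.
# They are NOT the real shipped abstraction contents.
ABSTRACTIONS = {
    "abstractions/base": "  @{PROC}/filesystems r,\n  /etc/ld.so.cache r,\n",
    "abstractions/dovecot-common": (
        "  capability setgid,\n  deny capability block_suspend,\n"
    ),
}

# Constructed profile in the state BEFORE the patch (both redundant rules present).
PROFILE = """/usr/sbin/dovecot {
  #include <abstractions/base>
  #include <abstractions/dovecot-common>
  capability setgid,
  capability setuid,
  @{PROC}/filesystems r,
  @{PROC}/@{pid}/mounts r,
}
"""

INCLUDE_RE = re.compile(r"^\s*#include\s+<([^>]+)>")


def rules(text):
    """Return the set of rule lines, normalised (trailing comma and
    repeated whitespace removed); comments, includes and braces are skipped."""
    out = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue
        out.add(re.sub(r"\s+", " ", line.rstrip(",")))
    return out


def find_redundant_rules(profile, abstractions):
    """Map each profile rule that an included abstraction already states
    verbatim to the abstraction that supplies it (first include wins)."""
    covered = {}
    for line in profile.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(1) in abstractions:
            for rule in rules(abstractions[m.group(1)]):
                covered.setdefault(rule, m.group(1))
    return {r: covered[r] for r in rules(profile) if r in covered}


if __name__ == "__main__":
    for rule, src in sorted(find_redundant_rules(PROFILE, ABSTRACTIONS).items()):
        print(f"{rule:30} already stated by {src}")
```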


=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
--- profiles/apparmor.d/usr.sbin.dovecot        2014-09-03 19:45:56 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot        2014-12-03 21:39:41 +0000
@@ -15,6 +15,7 @@
 /usr/sbin/dovecot {
   #include <abstractions/authentication>
   #include <abstractions/base>
+  #include <abstractions/dovecot-common>
   #include <abstractions/mysql>
   #include <abstractions/nameservice>
   #include <abstractions/ssl_certs>
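Review bot: the new include is placed in alphabetical order between base and mysql, consistent with the surrounding list. Since the abstraction's contents are not part of this diff, the cover note's statement that dovecot-common supplies "capability setgid," and "deny capability block_suspend," is what the later removal relies on; stating which dovecot-common revision the profile now requires would make that dependency explicit for packagers.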
@@ -25,7 +26,6 @@
   capability fsetid,
   capability kill,
   capability net_bind_service,
-  capability setgid,
   capability setuid,
   capability sys_chroot,
 
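Review bot: dropping "capability setgid," is only safe when the dovecot-common abstraction included in the first hunk actually grants it, as the cover note says it does; a deployment that picks up this profile with an older abstraction lacking that line would see dovecot denied setgid, so the profile and the abstraction should ship together. The hunk header counts (-25,7 +26,6) are consistent with the single removed line.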
@@ -34,7 +34,6 @@
   /etc/lsb-release r,
   /etc/SuSE-release r,
   @{PROC}/@{pid}/mounts r,
-  @{PROC}/filesystems r,
   /usr/bin/doveconf rix,
   /usr/lib/dovecot/anvil Px,
   /usr/lib/dovecot/auth Px,
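Review bot: removing "@{PROC}/filesystems r," is consistent with abstractions/base being included at the top of the profile (visible in the first hunk), so no access is lost, and the dovecot-specific "@{PROC}/@{pid}/mounts r," correctly stays. A short comment that generic /proc rules are expected from abstractions/base would help keep the line from being reintroduced in a later cleanup.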



Regards,

Christian Boltz
-- 
> > of course, now everybody will claim how bad it is to fix bugs which
> > people rely on;
> No, I won't claim that, in fact I would argue against keeping any bug
> on which people rely (known as "backwards compatibility")
I should have excluded you from the list of everybody...
[> Cristian Rodríguez and (>>) Dominique Leuenberger in opensuse-factory]
