[apparmor] [patch] update and cleanup usr.sbin.dovecot profile

John Johansen john.johansen at canonical.com
Mon Dec 22 13:31:42 UTC 2014


On 12/03/2014 01:44 PM, Christian Boltz wrote:
> Hello,
> 
> this patch adds #include <abstractions/dovecot-common> to the 
> usr.sbin.dovecot profile. Effectively this adds "deny capability 
> block_suspend," which is the only missing part from
> https://bugs.launchpad.net/apparmor/+bug/1296667/
> 
> It also removes "capability setgid," (covered by 
> abstractions/dovecot-common) and "@{PROC}/filesystems r," (part of 
> abstractions/base).
> 
Sorry, I missed this one.

Acked-by: John Johansen <john.johansen at canonical.com>

> 
> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
> --- profiles/apparmor.d/usr.sbin.dovecot        2014-09-03 19:45:56 +0000
> +++ profiles/apparmor.d/usr.sbin.dovecot        2014-12-03 21:39:41 +0000
> @@ -15,6 +15,7 @@
>  /usr/sbin/dovecot {
>    #include <abstractions/authentication>
>    #include <abstractions/base>
> +  #include <abstractions/dovecot-common>
>    #include <abstractions/mysql>
>    #include <abstractions/nameservice>
>    #include <abstractions/ssl_certs>
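Review bot: The added `#include <abstractions/dovecot-common>` line in the include block brings in a deny rule (the description names "deny capability block_suspend,") that is not visible anywhere in this file, and a deny rule cannot be overridden by an allow rule elsewhere in the profile. A one-line comment beside the include stating that it supplies the block_suspend deny and the setgid capability would let a reader of usr.sbin.dovecot see where those come from without opening the abstraction.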
> @@ -25,7 +26,6 @@
>    capability fsetid,
>    capability kill,
>    capability net_bind_service,
> -  capability setgid,
>    capability setuid,
>    capability sys_chroot,
>  
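Review bot: Removing `capability setgid,` while `capability setuid,` stays listed right below it makes the capability block read as if the confined process changes user but never group. The grant now lives only in abstractions/dovecot-common, so any later edit to that abstraction silently changes what this profile allows. Either keep the explicit line (duplicate allow rules are harmless) or leave a short comment in its place pointing at the abstraction.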
> @@ -34,7 +34,6 @@
>    /etc/lsb-release r,
>    /etc/SuSE-release r,
>    @{PROC}/@{pid}/mounts r,
> -  @{PROC}/filesystems r,
>    /usr/bin/doveconf rix,
>    /usr/lib/dovecot/anvil Px,
>    /usr/lib/dovecot/auth Px,
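Review bot: The removed `@{PROC}/filesystems r,` rule is redundant only as long as abstractions/base keeps granting it, and the neighbouring `@{PROC}/@{pid}/mounts r,` line stays, so the /proc rules in this block are now split between the profile and an abstraction. The patch description says abstractions/base covers the path, and that abstraction is already included at the top of the profile, so the cleanup is fine; it would help to name the abstraction in the commit message so the dependency is recorded with the change.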
> 
> 
> 
> Regards,
> 
> Christian Boltz
> 



