[apparmor] [patch] usr.bin.dovecot profile
John Johansen
john.johansen at canonical.com
Sun Feb 2 10:02:29 UTC 2014
On 01/26/2014 03:35 PM, Christian Boltz wrote:
> Hello,
>
> after testing the dovecot profiles on a new server, I noticed
> /usr/sbin/dovecot needs some more permissions:
> - mysql access
> - execution permissions for /usr/lib/dovecot/dict and lmtp
> - write access to some postfix sockets, used to
>   - provide SMTP Auth via dovecot
>   - deliver mails to dovecot via LMTP
> - and read access to /proc/filesystems
>
>
hrmmm looks okay
Acked-by: John Johansen <john.johansen at canonical.com>
> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
> --- profiles/apparmor.d/usr.sbin.dovecot 2014-01-26 21:48:02 +0000
> +++ profiles/apparmor.d/usr.sbin.dovecot 2014-01-26 23:18:44 +0000
> @@ -15,6 +15,7 @@
> /usr/sbin/dovecot {
> #include <abstractions/authentication>
> #include <abstractions/base>
> + #include <abstractions/mysql>
> #include <abstractions/nameservice>
> #include <abstractions/ssl_certs>
> #include <abstractions/ssl_keys>
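Review bot: the `#include <abstractions/mysql>` added after abstractions/base gives MySQL client access to the master profile, yet this same profile hands auth and dict off to their own profiles with Px, so if the database lookups are made by those helpers the include belongs in their profiles rather than here. Please say in the description which binary's denial prompted it, and put a one-line comment above the include so the reason stays with the rule.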
> @@ -33,13 +34,16 @@
> /etc/lsb-release r,
> /etc/SuSE-release r,
> @{PROC}/@{pid}/mounts r,
> + @{PROC}/filesystems r,
> /usr/bin/doveconf rix,
> /usr/lib/dovecot/anvil Px,
> /usr/lib/dovecot/auth Px,
> /usr/lib/dovecot/config Px,
> + /usr/lib/dovecot/dict Px,
> /usr/lib/dovecot/dovecot-auth Pxmr,
> /usr/lib/dovecot/imap Pxmr,
> /usr/lib/dovecot/imap-login Pxmr,
> + /usr/lib/dovecot/lmtp Px,
> /usr/lib/dovecot/log Px,
> /usr/lib/dovecot/managesieve Px,
> /usr/lib/dovecot/managesieve-login Pxmr,
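Review bot: the new `/usr/lib/dovecot/dict Px,` and `/usr/lib/dovecot/lmtp Px,` rules depend on profiles for both binaries being loaded, because a Px transition has no fallback and the exec is denied when the target profile is missing. This patch only modifies usr.sbin.dovecot, so confirm that profiles for dict and lmtp already ship in the tree or arrive in the same series. The `@{PROC}/filesystems r,` addition is narrow and read-only and looks fine as is.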
> @@ -50,6 +54,8 @@
> /usr/sbin/dovecot mrix,
> /var/lib/dovecot/ w,
> /var/lib/dovecot/* rwkl,
> + /var/spool/postfix/private/auth w,
> + /var/spool/postfix/private/dovecot-lmtp w,
> /{,var/}run/dovecot/ rw,
> /{,var/}run/dovecot/** rw,
> link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
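Review bot: the two `/var/spool/postfix/private/` rules carry no comment, and the socket names `auth` and `dovecot-lmtp` are values set in the Dovecot listener configuration rather than fixed paths, so a site that names them differently will still see denials. A comment above the pair naming their purpose (SMTP auth and LMTP delivery, as in the description) would tell an admin which rule to adjust. Keeping them as two exact paths with `w` only, rather than a glob over private/, is the right scope.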
>
>
>
> Regards,
>
> Christian Boltz
>