[apparmor] [patch] dovecot profiles - use abstractions/nameservice
John Johansen
john.johansen at canonical.com
Sun Feb 2 10:06:36 UTC 2014
On 01/26/2014 03:07 PM, Christian Boltz wrote:
> Hello,
>
> after testing the dovecot profiles on a new server, I noticed
> /usr/lib/dovecot/dict and /usr/lib/dovecot/lmtp need more nameservice-
> related permissions.
>
> Therefore I propose to include abstractions/nameservice instead of
> adding more and more files.
>
>
So I like the idea in general, but wow, the abstractions/nameservice is
expanding the permissions quite a bit. It makes me hesitant: is this
expansion what we want, or perhaps do we want to break up the nameservice
abstraction more?
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.dict'
> --- profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-26 21:46:51
> +++ profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-26 22:36:59
> @@ -14,6 +14,7 @@
> /usr/lib/dovecot/dict {
> #include <abstractions/base>
> #include <abstractions/mysql>
> + #include <abstractions/nameservice>
>
> capability setgid,
> capability setuid,
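Review bot: the commit message does not say which accesses dict was actually denied beyond the two files this patch removes (`/etc/nsswitch.conf r,` and `/etc/services r,`), so a reviewer cannot judge whether the full `#include <abstractions/nameservice>` added here is needed or whether a couple of explicit file rules would do; listing the observed denials in the description would settle the "expansion vs. narrower rules" question raised in the reply.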
> @@ -22,8 +23,6 @@
>
> /etc/dovecot/dovecot-database.conf.ext r,
> /etc/dovecot/dovecot-dict-sql.conf.ext r,
> - /etc/nsswitch.conf r,
> - /etc/services r,
> /usr/lib/dovecot/dict mr,
>
> # Site-specific additions and overrides. See local/README for details.
>
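Review bot: dropping `/etc/nsswitch.conf r,` and `/etc/services r,` loses the profile's own record of what dict is known to need; since AppArmor rules are additive, keeping the two explicit lines next to the include costs nothing and means they do not have to be rediscovered by testing if the nameservice abstraction is later split up as the reply proposes.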
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
> --- profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-26 21:46:51
> +++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-26 22:37:10
> @@ -14,6 +14,7 @@
>
> /usr/lib/dovecot/lmtp {
> #include <abstractions/base>
> + #include <abstractions/nameservice>
>
> deny capability block_suspend,
>
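Review bot: for lmtp the only nameservice-related rule being replaced is `/etc/resolv.conf r,` (next hunk), which is a much smaller grant than the whole abstraction; if the additional denials were the same files dict already listed explicitly (`/etc/nsswitch.conf r,`, `/etc/services r,`), adding those rules here instead of `#include <abstractions/nameservice>` would cover the reported failures with a narrower profile.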
> @@ -24,7 +25,6 @@
> @{DOVECOT_MAILSTORE}/ rw,
> @{DOVECOT_MAILSTORE}/** rwkl,
>
> - /etc/resolv.conf r,
> /proc/*/mounts r,
> /tmp/dovecot.lmtp.* rw,
> /usr/lib/dovecot/lmtp mr,
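Review bot: same remark as for the dict profile: keeping the explicit `/etc/resolv.conf r,` line alongside the include is harmless and documents the one file lmtp was observed to need.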
>
>
>
> Regards,
>
> Christian Boltz
>