[apparmor] [patch] dovecot profiles - use abstractions/nameservice
Christian Boltz
apparmor at cboltz.de
Sun Feb 2 20:31:36 UTC 2014
Hello,
On Sunday, 2 February 2014, John Johansen wrote:
> On 01/26/2014 03:07 PM, Christian Boltz wrote:
> > after testing the dovecot profiles on a new server, I noticed
> > /usr/lib/dovecot/dict and /usr/lib/dovecot/lmtp need more
> > nameservice-related permissions.
> >
> > Therefore I propose to include abstractions/nameservice instead of
> > adding more and more files.
>
> So I like the idea in general, but wow the abstractions/nameservice is
> expanding the permissions quite a bit. It makes me hesitant, is this
> expansion what we want, or perhaps do we want to break up the
> nameservice abstraction more?
That's a good question ;-)
Let me answer based on the rules that I'd like to replace with
abstractions/nameservice. (The list is probably incomplete - at one
point I decided that adding one file after the other becomes annoying.)
- /etc/nsswitch.conf r,
Contains information on how to get info about users, the network etc. -
which can be anything between reading /etc/passwd ("files") and doing a
NIS and/or DNS query over the network.
In other words: if dovecot reads nsswitch.conf, it will probably also
want to do an actual query. Whether this requires reading a file or doing
a network query depends on the system configuration.
- /etc/services r,
A list of ports and their names - I don't know why dovecot reads it, but
that's not a top-secret file anyway ;-)
- /etc/resolv.conf r,
I wouldn't be too surprised if dovecot wants to query a nameserver after
reading the list of nameservers ;-)
So to sum it up: yes, abstractions/nameservice allows much more than
reading some files in /etc/ - but OTOH if dovecot does what a typical
application does after reading those files, it will probably need
abstractions/nameservice (or, as an alternative, several rules covered by
it) anyway - at least on some machines.
I won't object if we decide to split abstractions/nameservice, but I
don't know enough about things like NIS, LDAP and Kerberos to know in
which way a split would make sense.
BTW: I just found an interesting notice in abstractions/nameservice:
# nscd renames and unlinks files in it's operation that clients will
# have open
/{,var/}run/nscd/db* rmix,
Could it be that nscd does the same with its passwd etc. files? That
would explain why I need attach_disconnected in some profiles...
Regards,
Christian Boltz
--
> [perl -pi -e] That saves you from copying the files yourself:
sed now has a -i parameter too. Welcome to 2005, David ;)
[> David Haller and Peter Wiersig in suse-linux]
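An added illustration, not part of the mail or of the proposed patch: what the replacement looks like in one of the dovecot helper profiles. The surrounding rules and the attach_disconnected flag are assumed for illustration; the real profile in the apparmor tree may differ.

```apparmor
# Constructed example profile for the dovecot dict helper (not the real one).

# --- before: one nameservice-related file rule at a time ---
/usr/lib/dovecot/dict {
  #include <abstractions/base>

  /usr/lib/dovecot/dict mr,
  /etc/dovecot/** r,

  # rules that keep growing with every new denial in the audit log
  /etc/nsswitch.conf r,
  /etc/services r,
  /etc/resolv.conf r,
  # ... plus whatever the lookup itself needs on this host (files, NIS, DNS)
}

# --- after: include the abstraction that already covers those lookups ---
/usr/lib/dovecot/dict flags=(attach_disconnected) {
  #include <abstractions/base>
  # abstractions/nameservice contains the three /etc file rules above,
  # the network access a resolver lookup needs, and the nscd rule quoted
  # in the mail (/{,var/}run/nscd/db* rmix,).
  #include <abstractions/nameservice>

  /usr/lib/dovecot/dict mr,
  /etc/dovecot/** r,
}
```

Keep the attach_disconnected flag only if the audit log still shows "disconnected path" denials after the include is in place; reviewing denials with aa-logprof is the usual check after such a change.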