[apparmor] [patch] dovecot profiles - use abstractions/nameservice

Christian Boltz apparmor at cboltz.de
Sun Feb 2 20:31:36 UTC 2014


Hello,

On Sunday, 2 February 2014, John Johansen wrote:
> On 01/26/2014 03:07 PM, Christian Boltz wrote:
> > after testing the dovecot profiles on a new server, I noticed
> > /usr/lib/dovecot/dict and /usr/lib/dovecot/lmtp need more
> > nameservice-related permissions.
> > 
> > Therefore I propose to include abstractions/nameservice instead of
> > adding more and more files.
> 
> So I like the idea in general, but wow the abstractions/nameservice is
> expanding the permissions quite a bit. It makes me hesitant, is this
> expansion what we want, or perhaps do we want to break up the
> nameservice abstraction more?

That's a good question ;-)

Let me answer based on the rules that I'd like to replace with 
abstractions/nameservice. (The list is probably incomplete - at one 
point I decided that adding one file after the other becomes annoying.)

-  /etc/nsswitch.conf r,

Contains information on how to get info about users, network etc. - which 
can be anything between reading /etc/passwd ("files") and doing a NIS 
and/or DNS query over the network.

In other words: if dovecot reads nsswitch.conf, it will probably also 
want to do an actual query. Whether this needs reading a file or doing a 
network query depends on the system configuration.

-  /etc/services r,

A list of ports and their names - I don't know why dovecot reads it, but 
that's not a top-secret file anyway ;-)

-  /etc/resolv.conf r,
 
I wouldn't be too surprised if dovecot wants to query a nameserver after 
reading the list of nameservers ;-)


So to sum it up: yes, abstractions/nameservice allows much more than 
reading some files in /etc/ - but OTOH if dovecot does what a typical 
application does after reading those files, it will probably need 
abstractions/nameservice (or, as an alternative, several rules covered by 
it) anyway - at least on some machines.


I won't object if we decide to split abstractions/nameservice, but I 
don't know enough about things like NIS, LDAP and Kerberos to know in 
which way a split would make sense.



BTW: I just found an interesting notice in abstractions/nameservice:

  # nscd renames and unlinks files in it's operation that clients will
  # have open
  /{,var/}run/nscd/db*  rmix,

Could it be that nscd does the same with its passwd etc. files? That 
would explain why I need attach_disconnected in some profiles...


Regards,

Christian Boltz
-- 
> [perl -pi -e] That saves you from having to copy the files yourself:
sed also has an -i parameter these days. Welcome to 2005, David ;)
[> David Haller and Peter Wiersig in suse-linux]
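As an added example (not code from the thread or from the AppArmor project), a small Python script that parses the simple rule forms at issue and lists what abstractions/nameservice would grant dovecot beyond the three explicit rules. The abstraction text it embeds is a constructed excerpt modelled on the real file, so the exact extra grants on a given system come from that distribution's copy.

```python
# Added example, not from the thread or the AppArmor project. ABSTRACTION is a
# CONSTRUCTED excerpt in the style of abstractions/nameservice; compare against
# your distribution's copy to see the rules it actually ships.
import re

EXPLICIT = """
  /etc/nsswitch.conf r,
  /etc/services r,
  /etc/resolv.conf r,
"""

ABSTRACTION = """
  /etc/group r,
  /etc/passwd r,
  /etc/nsswitch.conf r,
  /etc/resolv.conf r,
  /etc/services r,
  /{,var/}run/nscd/socket rw,
  /{,var/}run/nscd/db* rmix,
  network inet stream,
  network inet dgram,
"""

PATH_RULE = re.compile(r"^(?P<path>/\S+)\s+(?P<perms>[a-zA-Z]+),$")

def parse_rules(text):
    """Map each rule target to its permission letters (empty set for network/include)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or (line[0] == "#" and not line.startswith("#include")):
            continue                      # blank line or comment
        m = PATH_RULE.match(line)
        if m:                             # file rule: /path perms,
            rules.setdefault(m["path"], set()).update(m["perms"])
        elif line.startswith(("network ", "#include ")):
            rules[line.rstrip(",")] = set()   # one-line rule without perms
        else:
            raise ValueError(f"unrecognised rule: {line!r}")
    return rules

def extra_grants(explicit, abstraction):
    """Targets (and extra permission letters) the abstraction adds to the explicit set."""
    have = parse_rules(explicit)
    extra = {}
    for target, perms in parse_rules(abstraction).items():
        added = perms - have.get(target, set())
        if target not in have or added:
            extra[target] = "".join(sorted(added))
    return extra
```

Running `extra_grants(EXPLICIT, ABSTRACTION)` shows the widening the thread discusses: the three /etc files are already covered, while passwd/group reads, the nscd socket and db files, and inet network access are new.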
