[apparmor] [patch 2/3] dovecot profiles: add profiles for new dovecot 2.x binaries
Christian Boltz
apparmor at cboltz.de
Sun Jan 19 16:58:35 UTC 2014
Hello,
dovecot 2.x comes with several new binaries in /usr/lib/dovecot.
This patch adds profiles for
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/ssl-params
References: https://bugzilla.novell.com/show_bug.cgi?id=851984
=== added file 'profiles/apparmor.d/usr.lib.dovecot.anvil'
--- profiles/apparmor.d/usr.lib.dovecot.anvil 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.anvil 2014-01-19 16:08:30 +0000
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/anvil {
+ #include <abstractions/base>
+
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ /usr/lib/dovecot/anvil mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.anvil>
+}
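Review bot: The three capabilities at the top of the anvil profile carry no explanation of why a process that can read nothing but its own binary needs setuid, setgid and sys_chroot; a one-line comment would spare the next maintainer from guessing, e.g. `# started as root, drops to the internal user and chroots (setuid/setgid/sys_chroot)`. Whether anvil really chroots is inferred from the capability rather than from anything in this patch, so confirm against the service definition before wording it that way.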
=== added file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.auth 2014-01-19 16:08:30 +0000
@@ -0,0 +1,38 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/auth {
+ #include <abstractions/authentication>
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+
+ deny capability block_suspend,
+
+ capability audit_write,
+ capability setgid,
+ capability setuid,
+
+ /etc/dovecot/dovecot-database.conf.ext r,
+ /etc/dovecot/dovecot-sql.conf.ext r,
+ /usr/lib/dovecot/auth mr,
+
+ # kerberos replay cache
+ /var/tmp/imap_* rw,
+ /var/tmp/pop_* rw,
+ /var/tmp/sieve_* rw,
+ /var/tmp/smtp_* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.auth>
+}
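Review bot: The four replay-cache rules under `# kerberos replay cache` grant `rw` on globs in the world-writable /var/tmp without an `owner` qualifier, so any file a local user pre-creates with a matching name is writable by the auth process as far as DAC allows. AppArmor matches the resolved path, so a planted symlink cannot redirect the write outside the glob, but `owner /var/tmp/imap_* rw,` (and likewise for pop_, sieve_ and smtp_) would additionally tie the files to the uid the process holds. Whether that uid is the same for auth and its workers is not visible here, so confirm before tightening.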
=== added file 'profiles/apparmor.d/usr.lib.dovecot.config'
--- profiles/apparmor.d/usr.lib.dovecot.config 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.config 2014-01-19 16:08:30 +0000
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/config {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_keys>
+
+ deny capability block_suspend,
+
+ capability dac_override,
+ capability setgid,
+
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/config mr,
+ /usr/lib/dovecot/managesieve Px,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.config>
+}
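Review bot: `/usr/lib/dovecot/managesieve Px` is the only named-profile transition in the patch and nothing here shows why the config process execs managesieve; a one-line comment on that rule would save the next reader a trip through the dovecot source. `capability dac_override` together with `/etc/dovecot/** r` and `abstractions/ssl_keys` means this process reads every config file and private key regardless of file mode, which is presumably the reason for the capability and worth stating, e.g. `# reads all config (incl. sql passwords and ssl keys) as root; dac_override for root-unreadable files`. There is also a stray double blank line before `/etc/dovecot/** r`.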
=== added file 'profiles/apparmor.d/usr.lib.dovecot.dict'
--- profiles/apparmor.d/usr.lib.dovecot.dict 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-19 16:08:30 +0000
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/dict {
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+
+ /etc/dovecot/dovecot-database.conf.ext r,
+ /etc/dovecot/dovecot-dict-sql.conf.ext r,
+ /etc/nsswitch.conf r,
+ /etc/services r,
+ /usr/lib/dovecot/dict mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.dict>
+}
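Review bot: `network inet stream,` covers IPv4 TCP only; a dict backend reached over IPv6 also needs `network inet6 stream,`, and a backend given by hostname needs resolver access (`/etc/hosts`, `/etc/resolv.conf`, `network inet dgram`) that the hand-picked `/etc/nsswitch.conf` and `/etc/services` lines do not provide. The narrow selection is a sensible least-privilege default for a local socket or an IP-literal connection; a comment saying so, e.g. `# SQL backend via local socket or IPv4 literal; add inet6/resolver rules for remote hosts`, would keep the next maintainer from reaching for the whole nameservice abstraction. Whether the shipped configuration uses a hostname is not visible in the patch.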
=== added file 'profiles/apparmor.d/usr.lib.dovecot.dovecot-lda'
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 2014-01-19 16:08:30 +0000
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/dovecot-lda {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability setgid,
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/dovecot/** r,
+ /proc/*/mounts r,
+ /{var/,}run/dovecot/mounts r,
+ /usr/bin/doveconf mrix,
+ /usr/lib/dovecot/dovecot-lda mrix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.dovecot-lda>
+}
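Review bot: The profile depends on `@{DOVECOT_MAILSTORE}` from `tunables/dovecot`, which this patch does not add, so it fails to parse unless that tunable ships separately (presumably patch 1/3). The `rwkl` rule over the whole store has no `owner` qualifier, and with setuid/setgid the process may switch uid, so which user's mail one delivery can touch is bounded only by DAC; if lda always runs as the recipient by the time it opens the store, `owner @{DOVECOT_MAILSTORE}/** rwkl,` would pin that — confirm the uid model before adding it. The `l` is the one unusual permission here; a comment such as `# hard links (l): presumably maildir copy/delivery` would explain it, hedged until checked against the binary.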
=== added file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
--- profiles/apparmor.d/usr.lib.dovecot.lmtp 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-19 16:08:30 +0000
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/lmtp {
+ #include <abstractions/base>
+
+ deny capability block_suspend,
+
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/resolv.conf r,
+ /proc/*/mounts r,
+ /tmp/dovecot.lmtp.* rw,
+ /usr/lib/dovecot/lmtp mr,
+ /{var/,}run/dovecot/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.lmtp>
+}
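Review bot: `/tmp/dovecot.lmtp.* rw` in a world-writable directory, combined with `capability dac_override`, lets the process open any pre-existing file with that name pattern regardless of who owns it; `owner /tmp/dovecot.lmtp.* rw,` would limit it to files of the uid lmtp holds when it creates them. Separately, `/etc/resolv.conf r` is granted but there is no `network` rule and no `/etc/hosts`, so if lmtp actually resolves names the lookups are likely denied (depending on whether the kernel mediates networking); either drop that line or add the resolver rules. Which uid lmtp holds when it writes the temp file is not visible here.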
=== added file 'profiles/apparmor.d/usr.lib.dovecot.log'
--- profiles/apparmor.d/usr.lib.dovecot.log 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.log 2014-01-19 16:08:30 +0000
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/log {
+ #include <abstractions/base>
+
+ deny capability block_suspend,
+
+ capability setgid,
+
+ /usr/lib/dovecot/log mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.log>
+}
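Review bot: The profile has no rule for a log file, so it only works when logging goes to syslog (abstractions/base is presumed to grant /dev/log); an installation that points `log_path` or `info_log_path` at a file gets denials and silently loses logging. A comment stating that assumption, e.g. `# logs via syslog only; add the log_path file to local/usr.lib.dovecot.log when logging to a file`, would make the limitation explicit.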
=== added file 'profiles/apparmor.d/usr.lib.dovecot.managesieve'
--- profiles/apparmor.d/usr.lib.dovecot.managesieve 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve 2014-01-19 16:08:30 +0000
@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/managesieve {
+ #include <abstractions/base>
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/managesieve mrix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.managesieve>
+}
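Review bot: Unlike dovecot-lda and lmtp, this profile includes no `tunables/dovecot` and grants nothing under `@{DOVECOT_MAILSTORE}`, yet managesieve's job is to store user scripts, which typically live in the user's home or mail directory, so uploads will presumably hit denials. Adding `#include <tunables/dovecot>` and `@{DOVECOT_MAILSTORE}/** rwkl,` to match the other two profiles, or the configured sieve directory, looks necessary; where scripts are stored is configuration-dependent, so confirm against `sieve_dir`. The absence of any capability suggests the process is already running as the user by then, which is consistent with an `owner`-qualified rule if one is added.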
=== added file 'profiles/apparmor.d/usr.lib.dovecot.ssl-params'
--- profiles/apparmor.d/usr.lib.dovecot.ssl-params 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.ssl-params 2014-01-19 16:08:30 +0000
@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/ssl-params {
+ #include <abstractions/base>
+
+ deny capability block_suspend,
+
+ capability setgid,
+
+ /usr/lib/dovecot/ssl-params mr,
+ /var/lib/dovecot/ssl-parameters.dat rw,
+ /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.ssl-params>
+}
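Review bot: The `.tmp` rule grants `k` while the final file does not, and nothing explains the two-file pattern; a comment like `# DH parameters are generated into the locked .tmp file and then renamed over ssl-parameters.dat` would make the permissions self-explaining, with the rename covered by `w` on both names. That reading is inferred from the two rules rather than from anything else in the patch, so check it against the binary before wording it as fact.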
Regards,
Christian Boltz
--
Naja, wer in der bekannten närrischen Zeit an jemanden in einer der
Karnevalsgegenden mailt, muß damit rechnen, daß seine Mail kaum vor
Freitag beantwortet wird. Vorher sind die Leute da kaum wieder nüchtern
und ansprechbar. ;)) [Martin Falley in suse-linux]