[apparmor] [patch 3/3] dovecot profiles: update usr.sbin.dovecot profile for dovecot 2.x
Christian Boltz
apparmor at cboltz.de
Sun Jan 19 17:03:28 UTC 2014
Hello,
the usr.sbin.dovecot profile needs several updates for dovecot 2.x,
including
- capability dac_override and kill
- Px for various binaries in /usr/lib/dovecot/
The patch also adds a nice copyright header (I hope I got the bzr log
right ;-)
=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
--- profiles/apparmor.d/usr.sbin.dovecot 2013-01-02 23:34:38 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot 2014-01-19 17:00:31 +0000
@@ -1,6 +1,17 @@
-# Author: Kees Cook <kees at ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/sbin/dovecot {
#include <abstractions/authentication>
#include <abstractions/base>
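Review bot: The new header drops the `# Author: Kees Cook <kees at ubuntu.com>` line at the top of the file, so the original author attribution is no longer recorded in the profile; consider keeping that line below the license block. Both copyright ranges end in 2013 while this modification is dated 2014-01-19, so check whether the end year should be 2014.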
@@ -9,29 +20,36 @@
#include <abstractions/ssl_keys>
capability chown,
+ capability dac_override,
+ capability fsetid,
+ capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
- capability fsetid,
/etc/dovecot/** r,
/etc/mtab r,
/etc/lsb-release r,
/etc/SuSE-release r,
@{PROC}/@{pid}/mounts r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/anvil Px,
+ /usr/lib/dovecot/auth Px,
+ /usr/lib/dovecot/config Px,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
+ /usr/lib/dovecot/log Px,
+ /usr/lib/dovecot/managesieve Px,
+ /usr/lib/dovecot/managesieve-login Pxmr,
/usr/lib/dovecot/pop3 Px,
/usr/lib/dovecot/pop3-login Pxmr,
- # temporarily commented out while testing
- #/usr/lib/dovecot/managesieve Px,
- /usr/lib/dovecot/managesieve-login Pxmr,
- /usr/lib/dovecot/ssl-build-param ixr,
- /usr/sbin/dovecot mr,
+ /usr/lib/dovecot/ssl-build-param rix,
+ /usr/lib/dovecot/ssl-params Px,
+ /usr/sbin/dovecot mrix,
/var/lib/dovecot/ w,
- /var/lib/dovecot/* krw,
+ /var/lib/dovecot/* rwkl,
/{,var/}run/dovecot/ rw,
/{,var/}run/dovecot/** rw,
link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
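Review bot: `capability dac_override,` and `capability kill,` are added to the capability list without any comment, and dac_override in particular lets the confined master process bypass discretionary file permission checks, so a short comment stating which dovecot 2.x operation needs each one would help later audits (and show that fixing file ownership was not an option). The new `Px` rules for anvil, auth, config, log, managesieve and ssl-params only work if a profile for each target is loaded, since a Px exec fails otherwise; please confirm those profiles ship with this series. Also note that `/usr/bin/doveconf rix,` and `/usr/sbin/dovecot mrix,` run those binaries under this profile with all of the capabilities above, and that `/var/lib/dovecot/* rwkl,` adds link permission alongside the existing `link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,` rule; if the explicit link rule already covers the need, the extra `l` could be dropped.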
Regards,
Christian Boltz
--
[Installing Linux] Yes, but how was it then - the morning after the
installation? This much: fell asleep exhausted, but reassured. Woke up
the next morning, switched on the computer - cried. No, not from
disappointment - from joy! [Bernd Graff on www.sueddeutsche.de]