[apparmor] [patch 3/3] dovecot profiles: update usr.sbin.dovecot profile for dovecot 2.x
John Johansen
john.johansen at canonical.com
Thu Jan 23 12:21:08 UTC 2014
On 01/19/2014 09:03 AM, Christian Boltz wrote:
> Hello,
>
> the usr.sbin.dovecot profile needs several updates for dovecot 2.x,
> including
> - capability dac_override and kill
> - Px for various binaries in /usr/lib/dovecot/
>
> The patch also adds a nice copyright header (I hope I got the bzr log
> right ;-)
>
Looks alright on a quick pass through, again untried but
Acked-by: John Johansen <john.johansen at canonical.com>
>
> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
> --- profiles/apparmor.d/usr.sbin.dovecot 2013-01-02 23:34:38 +0000
> +++ profiles/apparmor.d/usr.sbin.dovecot 2014-01-19 17:00:31 +0000
> @@ -1,6 +1,17 @@
> -# Author: Kees Cook <kees at ubuntu.com>
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2009-2013 Canonical Ltd.
> +# Copyright (C) 2011-2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
>
> #include <tunables/global>
> +
> /usr/sbin/dovecot {
> #include <abstractions/authentication>
> #include <abstractions/base>
> @@ -9,29 +20,36 @@
> #include <abstractions/ssl_keys>
>
> capability chown,
> + capability dac_override,
> + capability fsetid,
> + capability kill,
> capability net_bind_service,
> capability setgid,
> capability setuid,
> capability sys_chroot,
> - capability fsetid,
>
> /etc/dovecot/** r,
> /etc/mtab r,
> /etc/lsb-release r,
> /etc/SuSE-release r,
> @{PROC}/@{pid}/mounts r,
> + /usr/bin/doveconf rix,
> + /usr/lib/dovecot/anvil Px,
> + /usr/lib/dovecot/auth Px,
> + /usr/lib/dovecot/config Px,
> /usr/lib/dovecot/dovecot-auth Pxmr,
> /usr/lib/dovecot/imap Pxmr,
> /usr/lib/dovecot/imap-login Pxmr,
> + /usr/lib/dovecot/log Px,
> + /usr/lib/dovecot/managesieve Px,
> + /usr/lib/dovecot/managesieve-login Pxmr,
> /usr/lib/dovecot/pop3 Px,
> /usr/lib/dovecot/pop3-login Pxmr,
> - # temporarily commented out while testing
> - #/usr/lib/dovecot/managesieve Px,
> - /usr/lib/dovecot/managesieve-login Pxmr,
> - /usr/lib/dovecot/ssl-build-param ixr,
> - /usr/sbin/dovecot mr,
> + /usr/lib/dovecot/ssl-build-param rix,
> + /usr/lib/dovecot/ssl-params Px,
> + /usr/sbin/dovecot mrix,
> /var/lib/dovecot/ w,
> - /var/lib/dovecot/* krw,
> + /var/lib/dovecot/* rwkl,
> /{,var/}run/dovecot/ rw,
> /{,var/}run/dovecot/** rw,
> link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
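Review bot: The added `capability dac_override,` and `capability kill,` lines carry no comment saying which dovecot 2.x operation needs them. dac_override lets the master process ignore ownership and mode bits on every path the file rules permit, so the profile should record the reason, for example `# needed by dovecot 2.x master for <denied operation from audit log>` above each line. The new `Px` rules for anvil, auth, config, log, managesieve and ssl-params only work when a profile for each target is loaded, because a Px exec fails if no matching profile exists. Presumably the earlier patches in this series ship those profiles, but that is not visible here and should be confirmed before merging. The profile block opens before this hunk and is not closed within it.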
>
>
>
> Regards,
>
> Christian Boltz
>