[apparmor] [patch 1/3] dovecot profiles: introduce tunables/dovecot
Christian Boltz
apparmor at cboltz.de
Thu Jan 23 14:37:24 UTC 2014
Hello,
On Thursday, 23 January 2014, John Johansen wrote:
> On 01/19/2014 08:58 AM, Christian Boltz wrote:
> > this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE})
> > and replaces the mail storage location in various dovecot-related
> > profiles with this variable.
> >
> > It also adds nice copyright headers (I hope I got the bzr log right
> > ;-)
> a few comments inline
>
> > === added file 'profiles/apparmor.d/tunables/dovecot'
> > --- profiles/apparmor.d/tunables/dovecot 1970-01-01 00:00:00 +0000
> > +++ profiles/apparmor.d/tunables/dovecot 2014-01-19 16:08:06
...
> > +# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
> > +# where dovecot is allowed to store and read mails
> > +#
> > +# The default value is quite broad to avoid breaking existing
> > setups. +# Please change @{DOVECOT_MAILSTORE} to (only) contain the
> > directory +# you use, and remove everything else.
> > +
> > +@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/
> > /var/vmail/ /var/mail/ /var/spool/mail/
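Review bot: every value in the `@{DOVECOT_MAILSTORE}` default ends in a `/`, and the profiles append another one (`@{DOVECOT_MAILSTORE}/ rw,`), so each expansion contains a doubled slash; please confirm the parser collapses `//`, or drop the trailing slash from the values here. The header comment could also say that both the imap and the pop3 profile consume this variable, so an admin who narrows it knows which profiles change.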
> > === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
> > --- profiles/apparmor.d/usr.lib.dovecot.imap 2011-08-26 23:12:10
> > +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-19
...
> > - @{HOME} r,
> > - @{HOME}/Maildir/ rw,
> > - @{HOME}/Maildir/** klrw,
> > - @{HOME}/Mail/ rw,
> > - @{HOME}/Mail/* klrw,
> > - @{HOME}/Mail/.imap/** klrw,
> > - @{HOME}/mail/ rw,
> > - @{HOME}/mail/* klrw,
> > - @{HOME}/mail/.imap/** klrw,
> > + @{DOVECOT_MAILSTORE}/ rw,
> > + @{DOVECOT_MAILSTORE}/** rwkl,
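Review bot: the real change in this hunk is the widening from `@{HOME}/Mail/*` and `@{HOME}/mail/*` (one level, plus `.imap/**`) to `@{DOVECOT_MAILSTORE}/**` (fully recursive), and `/var/vmail/` does not appear among the removed lines shown, so it is either new to this profile or removed in the elided part; the commit message should state both rather than present the patch as a pure refactor. The `klrw` to `rwkl` reordering is cosmetic. The removed `@{HOME} r,` is not replaced within this hunk, so check that it is reintroduced if it is still needed.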
>
> so this is slightly wider perms than
>
> > - @{HOME}/{m,M}ail/* klrw,
> > - @{HOME}/{m,M}ail/.imap/** klrw,
>
> is this what we want?
The idea of @{DOVECOT_MAILSTORE} is to allow the directories that were
allowed in the old profile, and to get all profiles in sync so that, for
example, IMAP and POP3 allow access to the same directory.
I know the list got quite long, but that's what you get from checking
the current dovecot-related profiles. (Maybe a location from a
bug report on bnc also sneaked in; I'd have to check that ;-)
I'd happily shorten the list to just /var/vmail/, but I'm sure users
would kill me for doing it ;-)
The perfect solution would be to auto-generate @{DOVECOT_MAILSTORE} from
the dovecot config, but unfortunately that isn't as easy as it looks.
(Proposals and scripts welcome ;-)
> > + @{HOME} r, # ???
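Review bot: a `# ???` marker should not ship in a profile. Either replace it with a sentence saying why the imap process needs read on `@{HOME}` itself (the old profile carried the same `@{HOME} r,` line, so the reason should be recoverable from the bzr log), or drop the rule in a separate follow-up patch.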
>
> why the ???, not sure if this rule is required
above, you'll find
> > - @{HOME} r,
I'm also not sure if it's required (that's why I added "???"), but I
wanted to keep it for backwards compatibility (there must be a reason why
it's there ;-)
(If you are sure we can remove it, this should be a separate patch
titled "break the profile" or so ;-)
> > /usr/lib/dovecot/imap mr,
> >
> > - /var/mail/* klrw,
> > - /var/spool/mail/* klrw,
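Review bot: besides the `/var/mail/*` to `**` widening, the new `@{DOVECOT_MAILSTORE}/ rw,` rule grants `rw` on the `/var/mail/` and `/var/spool/mail/` directories themselves, which the removed per-file rules did not; that allows creating and unlinking entries in the system spool rather than only opening existing mbox files. If dovecot only needs the latter, that is an argument for keeping the spool directories out of the default value, and either way the commit message should mention it.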
>
> again a slight widening of permissions
Yes, see above.
> > === modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3'
> > --- profiles/apparmor.d/usr.lib.dovecot.pop3 2011-08-26 23:12:10
> > +0000 +++ profiles/apparmor.d/usr.lib.dovecot.pop3 2014-01-19
> > 16:08:30 +0000 @@ -1,6 +1,18 @@
...
> > - @{HOME} r,
> > - @{HOME}/mail/* klrw,
> > - @{HOME}/mail/.imap/** klrw,
> > - @{HOME}/Maildir/ rw,
> > - @{HOME}/Maildir/** klrw,
> > + @{DOVECOT_MAILSTORE}/ rw,
> > + @{DOVECOT_MAILSTORE}/** rwkl,
> > +
> > + @{HOME} r, # ???
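Review bot: the removed lines shown cover only `@{HOME}/mail/` and `@{HOME}/Maildir/` under the home directory, so switching this profile to the shared tunable adds `@{HOME}/Mail/` plus whichever `/var/...` entries from the default value were not already present; the commit message should list the additions per profile. The same `# ???` marker as in the imap profile applies here: document why `@{HOME} r,` is needed or drop the marker.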
>
> again the change in allowed permissions
again see above ;-)
Regards,
Christian Boltz
--
>how to use the "-b " parameter ?
You... type it in.
[> Jun Hu and Jan Engelhardt in opensuse-packaging]
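An added example, not code from this thread or from the AppArmor or dovecot projects: a Python sketch of the auto-generation Christian mentions, reading `doveconf -n` style output (a constructed excerpt below) and reducing each mail location to the path prefix before the first per-user variable. The function names and that prefix rule are this example's own assumptions.

```python
import re

# Dovecot per-user variables (%u, %n, %d, %{home}, ...) cannot be expressed in
# AppArmor, so a store is reduced to the path prefix before the first variable;
# the profile's @{DOVECOT_MAILSTORE}/** rule covers everything below it.
_VAR = re.compile(r"%\{[^}]*\}|%[a-zA-Z]")
_LOCATION = re.compile(r"^\s*(?:mail_location|location)\s*=\s*(.+?)\s*$")

def location_to_dirs(location):
    """Map one dovecot location spec to AppArmor directories, each ending in '/'.
    Heuristic for this example, not dovecot code: field 0 is the mailbox format
    (no path); later fields are a bare path or KEY=value, and only paths count."""
    paths = []
    for field in location.split(":")[1:]:
        value = field.split("=", 1)[1] if "=" in field else field
        if value.startswith("~"):
            value = "@{HOME}" + value[1:]   # dovecot '~' is the user's home
        if not (value.startswith("/") or value.startswith("@{HOME}")):
            continue   # LAYOUT=fs, DIRNAME=... and similar are not paths
        parts = []
        for comp in value.split("/"):
            if _VAR.search(comp):   # stop at the first per-user component
                break
            parts.append(comp)
        paths.append("/".join(parts).rstrip("/") + "/")
    return paths

def mailstore_dirs(doveconf_output):
    """Collect unique store directories from `doveconf -n` style text, in order."""
    dirs = []
    for line in doveconf_output.splitlines():
        m = _LOCATION.match(line)
        for d in (location_to_dirs(m.group(1)) if m else []):
            if d not in dirs:
                dirs.append(d)
    return dirs

def tunable_line(dirs):
    """Render the list as the assignment used in tunables/dovecot."""
    return "@{DOVECOT_MAILSTORE}=" + " ".join(dirs)

# Constructed `doveconf -n` excerpt for the demo, not taken from a real host.
SAMPLE = """\
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  location = maildir:/var/vmail/%d/%n:INDEX=/var/indexes/%d/%n
}
"""

TUNABLE = tunable_line(mailstore_dirs(SAMPLE))
# -> "@{DOVECOT_MAILSTORE}=@{HOME}/mail/ /var/mail/ /var/vmail/ /var/indexes/"
```

The result is a starting point to paste into tunables/dovecot, not a replacement for checking it: the INDEX directory shows up because dovecot writes there too, and anything under a prefix is covered by the `**` rule in the profiles.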