[apparmor] [patch] dovecot profiles - use abstractions/nameservice
Christian Boltz
apparmor at cboltz.de
Sun Jan 26 23:07:05 UTC 2014
Hello,
after testing the dovecot profiles on a new server, I noticed
/usr/lib/dovecot/dict and /usr/lib/dovecot/lmtp need more
nameservice-related permissions.
Therefore I propose to include abstractions/nameservice instead of
adding more and more files.
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.dict'
--- profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-26 21:46:51
+++ profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-26 22:36:59
@@ -14,6 +14,7 @@
/usr/lib/dovecot/dict {
#include <abstractions/base>
#include <abstractions/mysql>
+ #include <abstractions/nameservice>
capability setgid,
capability setuid,
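Review bot: this include replaces two narrow read rules with the whole nameservice abstraction, which grants considerably more than nsswitch.conf and services; the cover letter only says dict needed "more nameservice-related permissions" without naming them, so please put the actual denied paths from the audit log into the commit message so a reviewer can weigh the abstraction against adding the one or two missing rules.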
@@ -22,8 +23,6 @@
/etc/dovecot/dovecot-database.conf.ext r,
/etc/dovecot/dovecot-dict-sql.conf.ext r,
- /etc/nsswitch.conf r,
- /etc/services r,
/usr/lib/dovecot/dict mr,
# Site-specific additions and overrides. See local/README for details.
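Review bot: removing `/etc/nsswitch.conf r,` and `/etc/services r,` is only safe together with the `#include <abstractions/nameservice>` added in the first hunk of this file, which provides both reads; that is fine as one change, but the commit message should state that these rules are now covered by the abstraction rather than dropped, so nobody reading the log later mistakes this for a tightening of the dict profile.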
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
--- profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-26 21:46:51
+++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-26 22:37:10
@@ -14,6 +14,7 @@
/usr/lib/dovecot/lmtp {
#include <abstractions/base>
+ #include <abstractions/nameservice>
deny capability block_suspend,
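Review bot: lmtp previously had only abstractions/base plus a single explicit resolv.conf read, so this include is a bigger step for lmtp than for dict, and nothing in the diff shows which access was actually denied; please name the missing path(s) in the commit message so the broadening can be compared against adding a single rule.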
@@ -24,7 +25,6 @@
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
- /etc/resolv.conf r,
/proc/*/mounts r,
/tmp/dovecot.lmtp.* rw,
/usr/lib/dovecot/lmtp mr,
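Review bot: dropping `/etc/resolv.conf r,` makes the lmtp profile depend on the include added in the earlier hunk of this file; keep both hunks in the same commit and do not backport them separately, otherwise lmtp loses access to the resolver configuration in between.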
Regards,
Christian Boltz
--
No, no, no, it's not that simple. No, no, no. ;) You may well shout EOT
once in a while, but not when the discussion is just picking up speed!
Then everyone just thinks there must be an EOT wimp at the
other end. ;)) [Lars Müller in opensuse-de]