[apparmor] [patch] /usr/lib/dovecot/auth and mysql
Christian Boltz
apparmor at cboltz.de
Sun Jan 26 23:17:55 UTC 2014
Hello,
this patch is an interesting one - /usr/lib/dovecot/auth reads the mysql
config files, which is not covered by abstractions/mysql.
Now the interesting question is where we should add this.
a) add it to abstractions/mysql "because it belongs to mysql" even if
/usr/lib/dovecot/auth is the only one that needs it
b) add it to usr.lib.dovecot.auth "because /usr/lib/dovecot/auth
is the only one that needs it"
At the moment, I tend towards b) to avoid superfluous permissions for other
programs with abstractions/mysql, but I'd like to hear your opinions ;-)
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth 2014-01-26 21:46:51
+++ profiles/apparmor.d/usr.lib.dovecot.auth 2014-01-26 22:36:47
@@ -23,6 +23,10 @@
capability setgid,
capability setuid,
+ /etc/my.cnf r,
+ /etc/my.cnf.d/ r,
+ /etc/my.cnf.d/*.cnf r,
+
/etc/dovecot/dovecot-database.conf.ext r,
/etc/dovecot/dovecot-sql.conf.ext r,
/usr/lib/dovecot/auth mr,
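Review bot: The three added rules for /etc/my.cnf, /etc/my.cnf.d/ and /etc/my.cnf.d/*.cnf have no comment explaining why the auth helper needs MySQL configuration, so a later reader of the profile may take them for unrelated leftovers. Add a one-line comment above them saying that /usr/lib/dovecot/auth reads the mysql config files. Placing the rules in this profile rather than in abstractions/mysql limits the read access to the one binary that needs it. That is worth keeping, since these files can carry client credentials.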
Regards,
Christian Boltz
--
After all, most people here send more than three postings a day, so it
can get rather tiring to always have to guess what some arrangement of
letters is trying to say ;-)
[Tilman Ahr in dcoulm on the topic "Spelling mistakes don't bother anyone"]