[apparmor] [patch] /usr/lib/dovecot/auth and mysql

Christian Boltz apparmor at cboltz.de
Sun Jan 26 23:17:55 UTC 2014


this patch is an interesting one - /usr/lib/dovecot/auth reads the mysql 
config files, which is not covered by abstractions/mysql.

Now the interesting question is where we should add this.

a) add it to abstractions/mysql "because it belongs to mysql" even if 
   /usr/lib/dovecot/auth is the only one that needs it 

b) add it to usr.lib.dovecot.auth "because only /usr/lib/dovecot/auth
   is the only one that needs it"

At the moment, I tend to b) to avoid superfluous permissions for other 
programs with abstractions/mysql, but I'd like to hear your opinions ;-)

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth    2014-01-26 21:46:51
+++ profiles/apparmor.d/usr.lib.dovecot.auth    2014-01-26 22:36:47
@@ -23,6 +23,10 @@
   capability setgid,
   capability setuid,
+  /etc/my.cnf r,
+  /etc/my.cnf.d/ r,
+  /etc/my.cnf.d/*.cnf r,
   /etc/dovecot/dovecot-database.conf.ext r,
   /etc/dovecot/dovecot-sql.conf.ext r,
   /usr/lib/dovecot/auth mr,


Christian Boltz
chliEßlichle sendi emeiSt Enleut ehier mehralsdreIpo Stingsa Mtag sOd
Asesdoch et. Waserm üdentwärdenkahnimmerrattentsumÜßenw aßIrge
nDeinezUs Ahmäst ell unkvonbU chst, abensagenw iel ;-) 
[Tilman Ahr in dcoulm zum Thema "Rechtschreibfehler stoeren doch nicht"]

More information about the AppArmor mailing list