[apparmor] [patch] usr.bin.dovecot profile
Christian Boltz
apparmor at cboltz.de
Sun Jan 26 23:35:49 UTC 2014
Hello,
after testing the dovecot profiles on a new server, I noticed
/usr/sbin/dovecot needs some more permissions:
- mysql access
- execution permissions for /usr/lib/dovecot/dict and lmtp
- write access to some postfix sockets, used to
  - provide SMTP Auth via dovecot
  - deliver mails to dovecot via LMTP
- and read access to /proc/filesystems
=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
--- profiles/apparmor.d/usr.sbin.dovecot 2014-01-26 21:48:02 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot 2014-01-26 23:18:44 +0000
@@ -15,6 +15,7 @@
/usr/sbin/dovecot {
#include <abstractions/authentication>
#include <abstractions/base>
+ #include <abstractions/mysql>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
#include <abstractions/ssl_keys>
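Review bot: the added `#include <abstractions/mysql>` lands in the profile of the master binary /usr/sbin/dovecot with no comment saying which operation there talks to MySQL. The helpers this profile starts with Px (auth, and dict added further down in this patch) run under their own profiles, so if the database connection is made by one of them, the include belongs in that profile rather than here. If the master itself needs it, a one-line comment above the include stating the reason would keep it from being dropped or copied blindly later.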
@@ -33,13 +34,16 @@
/etc/lsb-release r,
/etc/SuSE-release r,
@{PROC}/@{pid}/mounts r,
+ @{PROC}/filesystems r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/anvil Px,
/usr/lib/dovecot/auth Px,
/usr/lib/dovecot/config Px,
+ /usr/lib/dovecot/dict Px,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
+ /usr/lib/dovecot/lmtp Px,
/usr/lib/dovecot/log Px,
/usr/lib/dovecot/managesieve Px,
/usr/lib/dovecot/managesieve-login Pxmr,
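Review bot: the new `/usr/lib/dovecot/dict Px,` and `/usr/lib/dovecot/lmtp Px,` rules only work when profiles for both binaries are loaded, because a Px transition fails the exec if the target has no profile, and this patch touches only usr.sbin.dovecot. Please confirm that profiles for dict and lmtp already exist in the tree, or send them together with this change so the two rules do not break the services they are meant to enable.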
@@ -50,6 +54,8 @@
/usr/sbin/dovecot mrix,
/var/lib/dovecot/ w,
/var/lib/dovecot/* rwkl,
+ /var/spool/postfix/private/auth w,
+ /var/spool/postfix/private/dovecot-lmtp w,
/{,var/}run/dovecot/ rw,
/{,var/}run/dovecot/** rw,
link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
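Review bot: the two added `/var/spool/postfix/private/...` rules give a dovecot profile write access inside the postfix spool without a comment explaining why. The cover text already names the purpose (SMTP Auth via dovecot, mail delivery via LMTP), so put that in a comment above the rules, and say that `auth` and `dovecot-lmtp` are the socket names used on the tested server so that admins with other names know these lines need adjusting.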
Regards,
Christian Boltz
--
Sorry, I don't know Java at all, it is simply too
unportable for me. [Thorsten Kukuk in suse-linux]