[apparmor] [patch] usr.bin.dovecot profile

Christian Boltz apparmor at cboltz.de
Sun Jan 26 23:35:49 UTC 2014


After testing the dovecot profiles on a new server, I noticed
/usr/sbin/dovecot needs some more permissions:
- mysql access
- execution permissions for /usr/lib/dovecot/dict and lmtp
- write access to some postfix sockets, used to
  - provide SMTP Auth via dovecot
  - deliver mails to dovecot via LMTP
- and read access to /proc/filesystems

=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
--- profiles/apparmor.d/usr.sbin.dovecot    2014-01-26 21:48:02 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot    2014-01-26 23:18:44 +0000
@@ -15,6 +15,7 @@
 /usr/sbin/dovecot {
   #include <abstractions/authentication>
   #include <abstractions/base>
+  #include <abstractions/mysql>
   #include <abstractions/nameservice>
   #include <abstractions/ssl_certs>
   #include <abstractions/ssl_keys>
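Review bot: the mysql abstraction is added to the master /usr/sbin/dovecot profile, but the children that would normally perform SQL lookups (auth, dict) are executed with Px further down in this same profile, so they run under their own profiles and do not inherit this include. Please confirm it is really the master process that opens the mysql socket/config; if the access is actually needed by auth or dict, the include belongs in their child profiles instead.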
@@ -33,13 +34,16 @@
   /etc/lsb-release r,
   /etc/SuSE-release r,
   @{PROC}/@{pid}/mounts r,
+  @{PROC}/filesystems r,
   /usr/bin/doveconf rix,
   /usr/lib/dovecot/anvil Px,
   /usr/lib/dovecot/auth Px,
   /usr/lib/dovecot/config Px,
+  /usr/lib/dovecot/dict Px,
   /usr/lib/dovecot/dovecot-auth Pxmr,
   /usr/lib/dovecot/imap Pxmr,
   /usr/lib/dovecot/imap-login Pxmr,
+  /usr/lib/dovecot/lmtp Px,
   /usr/lib/dovecot/log Px,
   /usr/lib/dovecot/managesieve Px,
   /usr/lib/dovecot/managesieve-login Pxmr,
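Review bot: `/usr/lib/dovecot/dict Px,` and `/usr/lib/dovecot/lmtp Px,` require dedicated profiles for those two binaries to exist, otherwise the exec is denied at runtime; neither profile is part of this patch, so please confirm they already ship with the profile set. The `@{PROC}/filesystems r,` rule is fine and matches the existing `@{PROC}/@{pid}/mounts r,` style.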
@@ -50,6 +54,8 @@
   /usr/sbin/dovecot mrix,
   /var/lib/dovecot/ w,
   /var/lib/dovecot/* rwkl,
+  /var/spool/postfix/private/auth w,
+  /var/spool/postfix/private/dovecot-lmtp w,
   /{,var/}run/dovecot/ rw,
   /{,var/}run/dovecot/** rw,
   link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
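Review bot: the two `/var/spool/postfix/private/...` rules hardcode the postfix chroot/queue directory and the socket names, which are set by the admin in dovecot's `service auth` / `service lmtp` listener blocks and may differ on other systems; consider a short comment above these lines noting that they match the default postfix layout, so that deviations are found quickly in the local override rather than by denial messages. `w` alone is the right scope here, since dovecot only needs to create (bind) and unlink the listener sockets and postfix is the side that connects.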


Christian Boltz
Sorry, I don't know anything about Java at all, it's simply too
unportable for me.                    [Thorsten Kukuk in suse-linux]
