[apparmor] [patch] profiles: add dovecot-common abstraction
Christian Boltz
apparmor at cboltz.de
Tue Jul 1 21:06:06 UTC 2014
Hello,
On Friday, 27 June 2014, Steve Beattie wrote:
> Here's the dovecot-common abstraction as well as the patches to
> the profiles for dovecot's helper binaries to make use of it. The
> important addition is the ability for the dovecot master process to
> send signals to the helpers.
I know this was committed already (and it looks good in general), but let
me ask nevertheless:
> Index: b/profiles/apparmor.d/abstractions/dovecot-common
> ===================================================================
> --- /dev/null
> +++ b/profiles/apparmor.d/abstractions/dovecot-common
...
> + capability setgid,
> +
> + deny capability block_suspend,
> +
> + # dovecot's master can send us signals
> + signal receive peer=/usr/sbin/dovecot,
> +
> + /{var/,}run/dovecot/config rw,
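Review bot: The last rule of the hunk, "/{var/,}run/dovecot/config rw,", has no comment explaining why write access is needed, unlike the signal rule just above it, and because it sits in an abstraction it is granted to every profile that includes it. Please add a comment stating what the helpers do with this path that requires "w", or reduce the rule to "r" if read access is sufficient. A short comment on why "capability setgid," and "deny capability block_suspend," belong in the common abstraction would also make later audits easier. The "signal receive peer=/usr/sbin/dovecot," rule does not limit which signals are accepted; if the master only sends a known set, a "set=(...)" restriction would narrow it.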
What's the reason for the "/{var/,}run/dovecot/config rw," rule?
None of the dovecot profiles contained this rule before...
Regards,
Christian Boltz
--
The way yast2 [on the console] currently looks, it is the Outlook
among console programs: namely the one and only true, continued
violation of standards under the pretext of good motives. [Ratti in suse-linux]