[apparmor] [patch] dovecot profile update
Christian Boltz
apparmor at cboltz.de
Mon Jul 7 20:17:58 UTC 2014
Hello,
I have some updates for the dovecot profiles, based on a patch from
Christian Wittmer <chris at computersalat.de> (he sent it as SR for the
openSUSE package, which uses a slightly older version of the dovecot
profiles)
Fix problems with dovecot and managesieve:
* usr.lib.dovecot.managesieve-login: network inet6 stream
* usr.lib.dovecot.managesieve:
+#include <tunables/dovecot>
/usr/lib/dovecot/managesieve {
+ capability setgid, # covered by abstractions/dovecot-common, therefore not part of this patch
+ capability setuid,
+ network inet stream,
+ network inet6 stream,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
* add #include <abstractions/wutmp> to usr.lib.dovecot.auth
apparmor="DENIED" operation="open" parent=18310 \
profile="/usr/lib/dovecot/auth" name="/var/run/utmp" pid=20939 \
comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
He also proposes to add /srv/maildirs to tunables/dovecot (intentionally
not included in this patch for now) - what are your opinions on this?
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth 2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.auth 2014-07-07 19:55:54 +0000
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -16,6 +17,7 @@
#include <abstractions/base>
#include <abstractions/mysql>
#include <abstractions/nameservice>
+ #include <abstractions/wutmp>
#include <abstractions/dovecot-common>
capability audit_write,
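Review bot: the denial quoted in the cover mail only asks for read access to /var/run/utmp (requested_mask="r", denied_mask="r"), while abstractions/wutmp also grants write and lock access to the utmp/wtmp/lastlog files. If auth only reads utmp, a single `/{,var/}run/utmp r,` rule (using the `/{,var/}run/` spelling the managesieve-login profile already uses) would be the tighter fix; if it does need more than read, a short comment next to the include saying so would help the next reader.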
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.managesieve'
--- profiles/apparmor.d/usr.lib.dovecot.managesieve 2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve 2014-07-07 20:00:51 +0000
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -10,11 +11,20 @@
# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
/usr/lib/dovecot/managesieve {
#include <abstractions/base>
#include <abstractions/dovecot-common>
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
/etc/dovecot/** r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/managesieve mrix,
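Review bot: the cover mail says `capability setgid` is left out because abstractions/dovecot-common already covers it, yet `capability setuid` is added to this profile directly. If the abstraction grants setgid because every dovecot service drops privileges, setuid most likely belongs in the abstraction as well; if managesieve is the only service that needs it, a comment on the rule saying why would avoid the question coming up again. The `@{DOVECOT_MAILSTORE}/** rwkl,` line is consistent with the mailstore access other dovecot profiles get through the same tunable, so no objection there.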
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.managesieve-login'
--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-07-07 19:54:54 +0000
@@ -3,6 +3,7 @@
# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh at gmail.com>
# Copyright (C) 2009-2011 Canonical Ltd.
# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -23,6 +24,7 @@
capability sys_chroot,
network inet stream,
+ network inet6 stream,
/usr/lib/dovecot/managesieve-login mr,
/{,var/}run/dovecot/login/ r,
Regards,
Christian Boltz
--
I have not been involved in php internals development for a long while
but I can safely assume that the politics surrounding this change must
have been as delightful as a brick through the window :-D
[Cristian Rodríguez in opensuse-factory]
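The cover mail derives a profile change from a single audit denial by hand (utmp read denied for auth, so an include is added). As an added example, not part of this mail or of the AppArmor project's own tooling, the script below does the same derivation for the three kinds of rule this patch touches (file, network, capability): it parses AppArmor audit lines, normalises the denied mask into rule permissions, rewrites /var/run and /run paths to the `/{,var/}run/` spelling used in the managesieve-login profile, and groups the narrowest matching rules per profile. The first log line is the one quoted in the mail; the network and capability lines are constructed for the example and are not from the mail.

```python
import re
from typing import Dict, List, Optional

# The denial quoted in the cover mail (wrapped with backslashes as in the
# mail), followed by two constructed lines in the same audit format: a
# network denial and a capability denial. The last two are not from the mail.
SAMPLE_LOG = (
    'apparmor="DENIED" operation="open" parent=18310 \\\n'
    'profile="/usr/lib/dovecot/auth" name="/var/run/utmp" pid=20939 \\\n'
    'comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0\n'
    'apparmor="DENIED" operation="create" profile="/usr/lib/dovecot/managesieve-login" '
    'pid=20940 comm="managesieve-login" family="inet6" sock_type="stream" protocol=6\n'
    'apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/managesieve" '
    'pid=20941 comm="managesieve" capability=7 capname="setuid"\n'
)

_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Rule letters in the order the dovecot profiles write them (e.g. "rwkl");
# the audit log's create/delete masks are write permissions in a rule.
_MASK_ORDER = "mrwakl"
_MASK_ALIAS = {"c": "w", "d": "w"}


def parse_denial(line: str) -> Dict[str, str]:
    """Split one audit line into its key=value fields (quotes stripped)."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def normalise_mask(mask: str) -> Optional[str]:
    """Turn a denied_mask into rule permissions; None if it needs a human
    decision (e.g. 'x', which requires an explicit exec mode such as ix/Px)."""
    letters = {_MASK_ALIAS.get(ch, ch) for ch in mask}
    if not letters <= set(_MASK_ORDER):
        return None
    return "".join(ch for ch in _MASK_ORDER if ch in letters)


def normalise_path(path: str) -> str:
    """Use the /{,var/}run/ spelling the managesieve-login profile uses."""
    for prefix in ("/var/run/", "/run/"):
        if path.startswith(prefix):
            return "/{,var/}run/" + path[len(prefix):]
    return path


def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Derive the narrowest single rule that would satisfy one denial."""
    if fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation") == "capable" and "capname" in fields:
        return f'capability {fields["capname"]},'
    if "family" in fields and "sock_type" in fields:
        return f'network {fields["family"]} {fields["sock_type"]},'
    if "name" in fields and "denied_mask" in fields:
        mask = normalise_mask(fields["denied_mask"])
        if mask is None:
            return None
        return f'{normalise_path(fields["name"])} {mask},'
    return None


def suggest_rules(log_text: str) -> Dict[str, List[str]]:
    """Group suggested rules per profile, keeping order and dropping repeats."""
    joined = log_text.replace("\\\n", "")  # undo the mail's line wrapping
    out: Dict[str, List[str]] = {}
    for line in joined.splitlines():
        fields = parse_denial(line)
        rule = suggest_rule(fields)
        if rule is None:
            continue
        rules = out.setdefault(fields.get("profile", "?"), [])
        if rule not in rules:
            rules.append(rule)
    return out


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"{profile} {{")
        for rule in rules:
            print(f"  {rule}")
        print("}")
```

The output is the minimal rule per denial, which is the point of comparison when deciding whether to pull in an abstraction instead: for the utmp case the script proposes `/{,var/}run/utmp r,`, and choosing abstractions/wutmp over that single rule is a deliberate decision to grant more than the log asked for. Exec denials are left unresolved on purpose, since the exec mode (ix, Px, Ux, and so on) is a policy choice the log cannot make.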