[apparmor] [patch] dovecot profile update

Steve Beattie steve at nxnw.org
Mon Jul 7 20:59:28 UTC 2014


On Mon, Jul 07, 2014 at 10:17:58PM +0200, Christian Boltz wrote:
> I have some updates for the dovecot profiles, based on a patch from 
> Christian Wittmer <chris at computersalat.de> (he sent it as SR for the 
> openSUSE package, which uses a slightly older version of the dovecot
> profiles)
> 
> Fix problems with dovecot and managesieve:
> * usr.lib.dovecot.managesieve-login: network inet6 stream
> * usr.lib.dovecot.managesieve:
>   +#include <tunables/dovecot>
>     /usr/lib/dovecot/managesieve {
>   +  capability setgid,   # covered by abstractions/dovecot-common, therefore not part of this patch
>   +  capability setuid,
>   +  network inet stream,
>   +  network inet6 stream,
>   +  @{DOVECOT_MAILSTORE}/ rw,
>   +  @{DOVECOT_MAILSTORE}/** rwkl,
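
Review bot: The `@{DOVECOT_MAILSTORE}/** rwkl` rule added to usr.lib.dovecot.managesieve grants write, lock and link on everything under the mail store. If managesieve only needs to reach the sieve script locations there, a narrower path pattern would keep the profile tighter. The inline comment on `capability setgid` says it is covered by abstractions/dovecot-common and is not part of this patch, but `capability setuid` directly below has no such remark, so the description should say whether that line is added by the patch or also comes from the abstraction.
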
> * add #include <abstractions/wutmp> to usr.lib.dovecot.auth
>    apparmor="DENIED" operation="open" parent=18310 \
>    profile="/usr/lib/dovecot/auth" name="/var/run/utmp" pid=20939 \
>    comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

(Oddly, dovecot-auth, which I think dates from dovecot 1.0, already has
the wutmp abstraction, but not the dovecot 2.0 auth profile.)

This all looks good to me. Acked-by: Steve Beattie <steve at nxnw.org>

> He also proposes to add /srv/maildirs to tunables/dovecot (intentionally
> not included in this patch for now) - what are your opinions on this?

I'm less inclined to accept this, unless this was the default
configuration for dovecot either upstream or in the packaging by
Linux distributions. (That said, I do like the idea of it as a default
configuration for dovecot.)

Thanks.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/