[apparmor] [patch] dovecot profile improvements

Christian Boltz apparmor at cboltz.de
Thu Sep 25 21:07:21 UTC 2014


Hello,

Darix reported that the dovecot profiles need some additions:
- usr.lib.dovecot.auth needs /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
- usr.lib.dovecot.imap requests block_suspend, which I propose to deny as usual


Raw log lines from Darix:

type=AVC msg=audit(1411677636.812:309): apparmor="DENIED" operation="capable" parent=3419 profile="/usr/lib/dovecot/imap" pid=3432 comm="imap" pid=3432 comm="imap" capability=36  capname="block_suspend"

type=AVC msg=audit(1411677633.572:306): apparmor="DENIED" operation="mknod" parent=3419 profile="/usr/lib/dovecot/auth" name="/var/run/dovecot/auth-token-secret.dat.tmp" pid=3429 comm="auth" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

type=AVC msg=audit(1411677633.572:305): apparmor="DENIED" operation="open" parent=3419 profile="/usr/lib/dovecot/auth" name="/var/run/dovecot/auth-token-secret.dat" pid=3429 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth    2014-08-11 21:16:22 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.auth    2014-09-25 20:47:19 +0000
@@ -36,6 +36,8 @@
   /var/tmp/sieve_* rw,
   /var/tmp/smtp_* rw,
 
+  /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
+
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.auth>
 }
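Review bot: The single `rw` rule covers all three logged denials, so no separate `c` (create) permission is needed: in AppArmor `w` already implies create, and the log's `requested_mask="c"` on the `.tmp` file plus `requested_mask="r"` on the final file both fall under `rw`. Since the brace set names both `auth-token-secret.dat` and `auth-token-secret.dat.tmp`, a write-then-rename of the temp file over the real file is also permitted, which is the usual pattern for a file with this name. One style point: consider a short comment above the rule naming what the file is (the auth token secret), so a later maintainer does not loosen or relocate it without noticing it is a secret that should stay confined to the auth profile.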

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap    2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap    2014-09-25 20:45:09 +0000
@@ -19,6 +19,7 @@
   #include <abstractions/dovecot-common>
 
   capability setuid,
+  deny capability block_suspend,
 
   @{DOVECOT_MAILSTORE}/ rw,
   @{DOVECOT_MAILSTORE}/** rwkl,
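Review bot: `deny capability block_suspend,` silences the audit entry rather than just refusing the capability, so after this change a future, genuine need for it in imap would no longer show up in the logs; that matches the "deny as usual" intent stated in the mail, but the rule deserves a one-line comment saying the denial is deliberate and harmless (e.g. `# imap requests block_suspend but works fine without it`) so the next person reading the profile does not mistake it for a leftover. Placement directly under `capability setuid,` is fine and keeps the capability rules together.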
Regards,

Christian Boltz
-- 
You took a sledge hammer to a meeting with the school principal and
found him carrying a 9mm.  :^) [Patrick Shanahan in opensuse-factory]