[apparmor] [patch] dovecot profile improvements

Seth Arnold seth.arnold at canonical.com
Thu Sep 25 22:02:38 UTC 2014


On Thu, Sep 25, 2014 at 11:07:21PM +0200, Christian Boltz wrote:
> Hello,
> 
> Darix reported that the dovecot profiles need some additions:
> - usr.lib.dovecot.auth needs /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
> - usr.lib.dovecot.imap requests block_suspend, which I propose to deny as usual
> 

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> 
> Raw log lines from Darix:
> 
> type=AVC msg=audit(1411677636.812:309): apparmor="DENIED" operation="capable" parent=3419 profile="/usr/lib/dovecot/imap" pid=3432 comm="imap" pid=3432 comm="imap" capability=36  capname="block_suspend"
> 
> type=AVC msg=audit(1411677633.572:306): apparmor="DENIED" operation="mknod" parent=3419 profile="/usr/lib/dovecot/auth" name="/var/run/dovecot/auth-token-secret.dat.tmp" pid=3429 comm="auth" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
> 
> type=AVC msg=audit(1411677633.572:305): apparmor="DENIED" operation="open" parent=3419 profile="/usr/lib/dovecot/auth" name="/var/run/dovecot/auth-token-secret.dat" pid=3429 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
> 
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
> --- profiles/apparmor.d/usr.lib.dovecot.auth    2014-08-11 21:16:22 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.auth    2014-09-25 20:47:19 +0000
> @@ -36,6 +36,8 @@
>    /var/tmp/sieve_* rw,
>    /var/tmp/smtp_* rw,
>  
> +  /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
> +
>    # Site-specific additions and overrides. See local/README for details.
>    #include <local/usr.lib.dovecot.auth>
>  }
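Review bot: the added rule `/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,` has no comment and grants read and write on both file names, while the logged denials show only a read (`requested_mask="r"`) on auth-token-secret.dat and a create (`requested_mask="c"`) on auth-token-secret.dat.tmp. Write access on the .dat name is plausible if the .tmp file is renamed over it, but the log does not show that step. A one-line comment above the rule saying why both names need `w` would make the grant easier to audit later.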
> 
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
> --- profiles/apparmor.d/usr.lib.dovecot.imap    2014-06-27 19:14:53 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.imap    2014-09-25 20:45:09 +0000
> @@ -19,6 +19,7 @@
>    #include <abstractions/dovecot-common>
>  
>    capability setuid,
> +  deny capability block_suspend,
>  
>    @{DOVECOT_MAILSTORE}/ rw,
>    @{DOVECOT_MAILSTORE}/** rwkl,
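Review bot: `deny capability block_suspend,` is added without a comment, and an explicit deny has two effects a later reader may not expect: the denial is no longer logged, and the deny takes precedence over any allow rule, so a site cannot grant the capability back through a local addition. Suggest a short comment next to the rule stating that imap does not need the capability and that the deny is there to quiet the log. Only the imap profile is changed here; if other dovecot binaries make the same request, the rule would fit better in abstractions/dovecot-common, which this profile already includes.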
> 
> 
> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> You took a sledge hammer to a meeting with the school principal and
> found him carrying a 9mm.  :^) [Patrick Shanahan in opensuse-factory]
> 
> 