[apparmor] [patch] Update dovecot profiles

Christian Boltz apparmor at cboltz.de
Sun Dec 25 12:03:49 UTC 2016


Hello,

the dovecot/auth profile needs access to /run/dovecot/anvil-auth-penalty
and /var/spool/postfix/private/auth.

The dovecot/log profile needs the attach_disconnected flag.

References: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1652131


I propose this patch for trunk, 2.10 and 2.9.


BTW: Does it make sense to do the /{var/,}run/ dance forever, or should
we just use /run/ for new additions nowadays? (The log from the bug report
contained just /run/.)



[ dovecot-lp1652131.diff ]

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth    2016-10-05 18:46:03 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.auth    2016-12-25 11:54:00 +0000
@@ -39,6 +39,9 @@
 
   /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
   /{var/,}run/dovecot/stats-user rw,
+  /{var/,}run/dovecot/anvil-auth-penalty rw,
+
+  /var/spool/postfix/private/auth w,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.auth>
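
Review bot: the new `/var/spool/postfix/private/auth w,` rule has no comment saying why a Dovecot profile writes under the Postfix spool, and it hard-codes that single path. A one-line comment above the rule naming its purpose and the Launchpad bug would let later readers judge whether `w` alone is still the right permission, and would tell sites where this path differs that they need an entry in the `local/usr.lib.dovecot.auth` include at the end of the hunk. The `anvil-auth-penalty` rule keeps the `/{var/,}run/` form of the two rules above it, which is consistent with the rest of the block.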

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.log'
--- profiles/apparmor.d/usr.lib.dovecot.log     2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.log     2016-12-25 11:54:42 +0000
@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 
-/usr/lib/dovecot/log {
+/usr/lib/dovecot/log flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/dovecot-common>
 
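
Review bot: on the changed profile header, `flags=(attach_disconnected)` is added without a comment recording which denial made it necessary. The flag changes how disconnected paths are mediated for the whole profile rather than for a single rule, so a short comment above the header pointing to the bug report would let a later reviewer check whether it is still needed.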


Regards,

Christian Boltz
-- 
Q: Word? What is that?
A: That is probably the program that was originally supposed to be
   called Text. But since it is unsuitable for longer documents, it was
   renamed. By now, however, it can already manage 97 words.