[apparmor] [patch] Update dovecot profiles

Christian Boltz apparmor at cboltz.de
Tue Dec 27 16:44:35 UTC 2016


On Monday, 26 December 2016, 17:35:42 CET, Seth Arnold wrote:
> On Sun, Dec 25, 2016 at 01:03:49PM +0100, Christian Boltz wrote:
> > the dovecot/auth profile needs access to
> > /run/dovecot/anvil-auth-penalty and
> > /var/spool/postfix/private/auth.
> > 
> > The dovecot/log profile needs the attach_disconnected flag.
> > 
> > References:
> > https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1652131
> > 
> > 
> > I propose this patch for trunk, 2.10 and 2.9.
> Acked for all three.
> Acked-by: Seth Arnold <seth.arnold at canonical.com>
> > BTW: Does it make sense to do the /{var/,}run/ dance forever, or
> > should we just use /run/ for new additions nowadays? (The log from
> > the bugreport contained just /run/.)
> I'm starting to think it's time to just use /run/. I'm always
> reluctant to remove permissions from profiles but this transition
> feels pretty well handled by now.
> Maybe we should pick e.g. 2.12 or 3.0 or whatever as a release to
> remove all the /{var/,}run/ alternations and clean them all in one
> quick sed. :)

I'm also not a big fan of removing permissions from a profile, so I'm not 
sure if we should drop the existing /{var/,}run/ rules.

Also, the needed path depends on which directory gets used by an 
application. IIRC I've seen a /var/run/ log event not too long ago, but 
don't remember which application it was.

Profile additions are a different topic. I'm happy to declare this patch 
the last one that added a /{var/,}run/ rule, and to say that future 
patches should just use /run/ if the log event was about /run/. 
This has some advantages over dropping the /{var/,}run/ alternation:
- it makes problems less harmful ("not added" vs "removed / regression")
- nevertheless, we'll find out if someone still needs the /var/run/ rules
  (but only things covered by /run/-only rules)


Christian Boltz
[Crystal ball?] I used to supervise the computer pool at university.
Somehow it impressed the users when I explained to them (without being
able to see the monitor and without the users having said anything) that
Word crashes if you first remove the floppy disk and then close Word.
The grinding noise of the drive and the users' facial expression were
clear enough... [Antje M. Bendrich in suse-linux]
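As an added illustration (not part of Christian's or Seth's message, and not code from the AppArmor project), the following Python script models the point about the /{var/,}run/ alternation: it expands the brace alternation the way AppArmor's profile language does, checks constructed DENIED audit events against a legacy rule set and a /run/-only rule set, and reports which events would no longer be covered. The glob handling is a deliberately simplified model of AppArmor matching (only `*`, `**`, `?` and `{a,b}` are supported), and the rule lists, paths and audit lines are constructed samples built from the paths named in the patch discussion.

```python
import re

# Constructed rule sets in AppArmor profile syntax (not the project's real profiles).
# LEGACY_RULES uses the /{var/,}run/ alternation; RUN_ONLY_RULES is the /run/-only style
# proposed for future additions.
LEGACY_RULES = [
    "/{var/,}run/dovecot/anvil-auth-penalty rw,",
    "/var/spool/postfix/private/auth rw,",
]
RUN_ONLY_RULES = [
    "/run/dovecot/anvil-auth-penalty rw,",
    "/var/spool/postfix/private/auth rw,",
]

# Constructed audit lines in the shape of AppArmor DENIED events (sample data, not a real log).
SAMPLE_LOG = """\
type=AVC msg=audit(1482856800.001:101): apparmor="DENIED" operation="connect" profile="dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=1234 comm="auth" requested_mask="wr" denied_mask="wr"
type=AVC msg=audit(1482856800.002:102): apparmor="DENIED" operation="connect" profile="dovecot/auth" name="/var/run/dovecot/anvil-auth-penalty" pid=1234 comm="auth" requested_mask="wr" denied_mask="wr"
type=AVC msg=audit(1482856800.003:103): apparmor="DENIED" operation="open" profile="dovecot/auth" name="/var/spool/postfix/private/auth" pid=1234 comm="auth" requested_mask="wr" denied_mask="wr"
"""


def expand_braces(pattern):
    """Expand {a,b} alternations into every literal variant, left to right.
    '/{var/,}run/x' -> ['/var/run/x', '/run/x']"""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [e for alt in m.group(1).split(",") for e in expand_braces(head + alt + tail)]


def glob_to_regex(glob):
    """Simplified AppArmor globbing: '*' and '?' do not cross '/', '**' does."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        elif glob[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return "^" + out + "$"


def rule_path(rule):
    """Strip the permission block and trailing comma: '/run/x rw,' -> '/run/x'."""
    return rule.split()[0]


def rule_covers(rule, path):
    """True if any expansion of the rule's path pattern matches the given path."""
    return any(re.match(glob_to_regex(v), path) for v in expand_braces(rule_path(rule)))


DENIED_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)"')


def parse_denied(line):
    """Return (profile, path) for a DENIED audit line, or None for anything else."""
    m = DENIED_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def uncovered_paths(rules, log_text):
    """Paths from DENIED events that no rule in the given rule set covers."""
    paths = []
    for line in log_text.splitlines():
        ev = parse_denied(line)
        if ev and not any(rule_covers(r, ev[1]) for r in rules):
            paths.append(ev[1])
    return paths


if __name__ == "__main__":
    print("uncovered with legacy rules:  ", uncovered_paths(LEGACY_RULES, SAMPLE_LOG))
    print("uncovered with /run/-only rules:", uncovered_paths(RUN_ONLY_RULES, SAMPLE_LOG))
```

Run against the constructed log, the legacy rule set leaves nothing uncovered, while the /run/-only rule set reports the /var/run/ event. That is exactly the trade-off described in the mail: keeping the existing alternations avoids regressions, and writing new rules as /run/-only means a program that still opens the path via /var/run/ shows up as a fresh denial rather than silently keeping a permission nobody verified it needs.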