[apparmor] [patch] dovecot-lda profile: allow tempfiles and executing sendmail
Seth Arnold
seth.arnold at canonical.com
Fri Feb 19 23:54:02 UTC 2016
On Wed, Jan 06, 2016 at 02:26:49PM +0100, Christian Boltz wrote:
> Hello,
>
> dovecot-lda needs to read and write /tmp/dovecot.lda.*.
>
> It also needs to be able to execute sendmail to send sieve vacation
> mails.
>
> For now, I'm using a child profile for sendmail to avoid introducing a
> new profile with possible regressions. This child profile is based on
> the usr.sbin.sendmail profile in extras and should cover both postfix'
> and sendmail's sendmail.
> I also mixed in some bits that were needed for (postfix) sendmail on my
> servers, and dropped some rules that were obsolete (directory rules not
> ending with a /) or covered by an abstraction.
>
> In the future, we might want to provide a stand-alone profile for
> sendmail (based on this child profile) and change the rule in the
> dovecot-lda profile to Px.
>
>
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=954959
> https://bugzilla.opensuse.org/show_bug.cgi?id=954958
>
>
> I propose this patch for trunk, 2.10 and 2.9.
>
>
> [ profiles-dovecot-lda.diff ]
The contents of the profile are fine but there's a _huge_ amount of
trailing spaces that are being added here.
Please strip all the trailing spaces before committing.
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Acked for all three branches
Thanks
> --- profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 2014-09-10 22:00:36.616976000 +0200
> +++ profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 2016-01-06 14:16:52.943206901 +0100
> @@ -1,6 +1,6 @@
> # ------------------------------------------------------------------
> #
> -# Copyright (C) 2013 Christian Boltz
> +# Copyright (C) 2013-2016 Christian Boltz
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of version 2 of the GNU General Public
> @@ -24,10 +24,65 @@
>
> /etc/dovecot/** r,
> /proc/*/mounts r,
> + owner /tmp/dovecot.lda.* rw,
> /{var/,}run/dovecot/mounts r,
> /usr/bin/doveconf mrix,
> /usr/lib/dovecot/dovecot-lda mrix,
> + /usr/sbin/sendmail Cx,
>
> # Site-specific additions and overrides. See local/README for details.
> #include <local/usr.lib.dovecot.dovecot-lda>
> +
> +
> + profile /usr/sbin/sendmail flags=(attach_disconnected) {
> + # this profile is based on the usr.sbin.sendmail profile in extras
> + # and should support both postfix' and sendmail's sendmail binary
> +
> + #include <abstractions/base>
> + #include <abstractions/consoles>
> + #include <abstractions/nameservice>
> + #include <abstractions/user-tmp>
> + #include <abstractions/postfix-common>
> +
> + capability sys_ptrace,
> +
> + /etc/aliases rw, # newaliases is a symlink to sendmail, so it's
> + /etc/aliases.db rw, # actually the same binary
> + /etc/fstab r,
> + /etc/hosts.allow r,
> + /etc/hosts.deny r,
> + /etc/mail/* r,
> + /etc/mail/statistics rw,
> + /etc/mtab r,
> + /etc/postfix/aliases r,
> + /etc/postfix/aliases.db rw, # newaliases again
> + /etc/sendmail.cf r,
> + /etc/sendmail.cw r,
> + /etc/shells r,
> + /proc/loadavg r,
> + /proc/net/if_inet6 r,
> + /root/.forward r,
> + /root/dead.letter w,
> + /usr/bin/procmail Px,
> + /usr/lib/postfix/master Px,
> + /usr/lib/postfix/showq Px,
> + /usr/lib/postfix/smtpd Px,
> + /usr/sbin/postalias Px,
> + /usr/sbin/postdrop Px,
> + /usr/sbin/postfix Px,
> + /usr/sbin/postqueue Px,
> + /usr/sbin/sendmail mrix,
> + /usr/sbin/sendmail.postfix mrix,
> + /usr/sbin/sendmail.sendmail mrix,
> + /{var/,}run/sendmail.pid rwl,
> + /{var/,}run/sm-client.pid rwl,
> + /{var/,}run/utmp rw,
> + /var/spool/clientmqueue/* rwl,
> + /var/spool/mail/* rwl,
> + /var/spool/mqueue/* rwl,
> + /var/spool/postfix/maildrop/* rwl,
> + /var/spool/postfix/public/pickup w,
> + /var/spool/postfix/public/qmgr w,
> + /var/spool/postfix/public/showq w,
> + }
> }
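Review bot: the `capability sys_ptrace,` rule and the write rules `/etc/aliases rw,`, `/etc/aliases.db rw,` and `/etc/postfix/aliases.db rw,` in the new child profile grant far more than the stated purpose (sending a sieve vacation mail via `/usr/sbin/sendmail Cx,`) needs, since dovecot-lda never invokes the newaliases symlink that the inline comment cites as the reason for those rules. Consider dropping them from the child profile (or reducing the aliases rules to `r`) and adding a comment naming the operation that needs sys_ptrace, leaving the broader rules for the planned stand-alone sendmail profile; the same applies to `/var/spool/mail/* rwl,`, which gives write access to every user's mailbox from this code path.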