Hello,
dovecot-lda needs to read and write /tmp/dovecot.lda.*.
It also needs to be able to execute sendmail to send sieve vacation
mails.
For now, I'm using a child profile for sendmail to avoid introducing a
new profile with possible regressions. This child profile is based on
the usr.sbin.sendmail profile in extras and should cover both postfix'
and sendmail's sendmail.
I also mixed in some bits that were needed for (postfix) sendmail on my
servers, and dropped some rules that were obsolete (directory rules not
ending with a /) or covered by an abstraction.
In the future, we might want to provide a stand-alone profile for
sendmail (based on this child profile) and change the rule in the
dovecot-lda profile to Px.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=954959
https://bugzilla.opensuse.org/show_bug.cgi?id=954958
I propose this patch for trunk, 2.10 and 2.9.
[ profiles-dovecot-lda.diff ]
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 2014-09-10 22:00:36.616976000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 2016-01-06 14:16:52.943206901 +0100
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------
#
-# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2013-2016 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -24,10 +24,65 @@
/etc/dovecot/** r,
/proc/*/mounts r,
+ owner /tmp/dovecot.lda.* rw,
/{var/,}run/dovecot/mounts r,
/usr/bin/doveconf mrix,
/usr/lib/dovecot/dovecot-lda mrix,
+ /usr/sbin/sendmail Cx,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.dovecot-lda>
+
+
+ profile /usr/sbin/sendmail flags=(attach_disconnected) {
+ # this profile is based on the usr.sbin.sendmail profile in extras
+ # and should support both postfix' and sendmail's sendmail binary
+
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/postfix-common>
+
+ capability sys_ptrace,
+
+ /etc/aliases rw, # newaliases is a symlink to sendmail, so it's
+ /etc/aliases.db rw, # actually the same binary
+ /etc/fstab r,
+ /etc/hosts.allow r,
+ /etc/hosts.deny r,
+ /etc/mail/* r,
+ /etc/mail/statistics rw,
+ /etc/mtab r,
+ /etc/postfix/aliases r,
+ /etc/postfix/aliases.db rw, # newaliases again
+ /etc/sendmail.cf r,
+ /etc/sendmail.cw r,
+ /etc/shells r,
+ /proc/loadavg r,
+ /proc/net/if_inet6 r,
+ /root/.forward r,
+ /root/dead.letter w,
+ /usr/bin/procmail Px,
+ /usr/lib/postfix/master Px,
+ /usr/lib/postfix/showq Px,
+ /usr/lib/postfix/smtpd Px,
+ /usr/sbin/postalias Px,
+ /usr/sbin/postdrop Px,
+ /usr/sbin/postfix Px,
+ /usr/sbin/postqueue Px,
+ /usr/sbin/sendmail mrix,
+ /usr/sbin/sendmail.postfix mrix,
+ /usr/sbin/sendmail.sendmail mrix,
+ /{var/,}run/sendmail.pid rwl,
+ /{var/,}run/sm-client.pid rwl,
+ /{var/,}run/utmp rw,
+ /var/spool/clientmqueue/* rwl,
+ /var/spool/mail/* rwl,
+ /var/spool/mqueue/* rwl,
+ /var/spool/postfix/maildrop/* rwl,
+ /var/spool/postfix/public/pickup w,
+ /var/spool/postfix/public/qmgr w,
+ /var/spool/postfix/public/showq w,
+ }
}
Regards,
Christian Boltz
--
<coolo> ancor: oh, sorry. you can't know yet: coolo is always right
[from #opensuse-project]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160106/ff6dc8b7/attachment.pgp>