[apparmor] [patch] Add missing permissions to dovecot profiles

Seth Arnold seth.arnold at canonical.com
Mon Oct 3 22:49:11 UTC 2016


On Mon, Oct 03, 2016 at 10:07:17PM +0200, Christian Boltz wrote:
> Hello,
> 
> $subject.
> 
> - dovecot/auth: allow to read stats-user
> - dovecot/config: allow to read /usr/share/dovecot/**
> - dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
>   /usr/share/dovecot/**
> 
> These things were reported by Félix Sipma in Debian Bug#835826
> (with some help from sarnold on IRC)
> 
> References: https://bugs.debian.org/835826
> 
> 
> Note: The bug report says that the dovecot/lmtp profile also needs
>   @{HOME}/.dovecot.svbin r,
> added, but http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage says that
> sieve uses the .svbin extension for all sieve scripts. I'm unsure if
> allowing one specific file makes sense, so let's get the easy things
> in now, and do a follow-up patch once this is clarified.
> 
> 
> I propose this patch for trunk, 2.10 and 2.9.
> 
> 
> 
> [ dovecot-profiles-deb835826.diff ]

Acked for all three, thanks.

Acked-by: Seth Arnold <seth.arnold at canonical.com>

> 
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
> --- profiles/apparmor.d/usr.lib.dovecot.auth    2016-04-06 22:53:06 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.auth    2016-10-03 19:35:41 +0000
> @@ -38,7 +38,7 @@
>    /var/tmp/smtp_* rw,
>  
>    /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
> -  /{var/,}run/dovecot/stats-user w,
> +  /{var/,}run/dovecot/stats-user rw,
>  
>    # Site-specific additions and overrides. See local/README for details.
>    #include <local/usr.lib.dovecot.auth>
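Review bot: the widening from `w` to `rw` on `/{var/,}run/dovecot/stats-user` is exactly what the cover message describes ("allow to read stats-user"), and the rule keeps the same `/{var/,}run/` alternation as the neighbouring `auth-token-secret.dat` rule, so both the /run and /var/run spellings get the new read bit; nothing to change in the rule itself. Since this turns a previously write-only path into read-write, quoting the actual denial line from the Debian report in the commit message would document why read access is required there.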
> 
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.config'
> --- profiles/apparmor.d/usr.lib.dovecot.config  2014-06-27 19:14:53 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.config  2016-10-03 19:36:06 +0000
> @@ -23,6 +23,7 @@
>    /usr/bin/doveconf rix,
>    /usr/lib/dovecot/config mr,
>    /usr/lib/dovecot/managesieve Px,
> +  /usr/share/dovecot/** r,
>  
>    # Site-specific additions and overrides. See local/README for details.
>    #include <local/usr.lib.dovecot.config>
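Review bot: `/usr/share/dovecot/** r,` grants everything below the directory but not the directory entry `/usr/share/dovecot/` itself; the imap hunk of this same patch grants both `/etc/dovecot/conf.d/ r,` and `/etc/dovecot/conf.d/** r,` for that reason. If the config process, or the `doveconf` it runs under `rix` two lines above, enumerates `/usr/share/dovecot/` rather than opening known files in it, add `/usr/share/dovecot/ r,` next to the new rule. Read-only access under a share directory is otherwise a minimal, acceptable widening.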
> 
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
> --- profiles/apparmor.d/usr.lib.dovecot.imap    2015-09-03 16:27:00 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.imap    2016-10-03 19:39:38 +0000
> @@ -25,7 +25,14 @@
>    @{DOVECOT_MAILSTORE}/** rwkl,
>  
>    @{HOME} r, # ???
> -  /usr/lib/dovecot/imap mr,
> +
> +  /etc/dovecot/dovecot.conf r,
> +  /etc/dovecot/conf.d/ r,
> +  /etc/dovecot/conf.d/** r,
> +
> +  /usr/bin/doveconf rix,
> +  /usr/lib/dovecot/imap mrix,
> +  /usr/share/dovecot/** r,
>    /{,var/}run/dovecot/auth-master rw,
>    /{,var/}run/dovecot/mounts r,
>  
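Review bot: the change of `/usr/lib/dovecot/imap mr,` to `/usr/lib/dovecot/imap mrix,` is not mentioned in the cover message, which lists only `ix` for doveconf plus read access to `/etc/dovecot/` and `/usr/share/dovecot/**`; please confirm a denial actually showed imap re-executing its own binary, otherwise keep `mr` so the profile does not gain an execute transition nobody reported needing. The `/usr/bin/doveconf rix,` rule runs doveconf inside the imap profile, which is why the three `/etc/dovecot/...` read rules belong in this hunk; note that the cover message says "read /etc/dovecot/" while the hunk grants `dovecot.conf` and `conf.d/` only, not the `/etc/dovecot/` directory entry, so align either the wording or the rule set. The pre-existing `@{HOME} r, # ???` marker now sits directly above the new block and would be worth resolving in the announced follow-up together with the `.dovecot.svbin` question.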
> 
> 