[apparmor] [patch] Add missing permissions to dovecot profiles
Seth Arnold
seth.arnold at canonical.com
Mon Oct 3 22:49:11 UTC 2016
On Mon, Oct 03, 2016 at 10:07:17PM +0200, Christian Boltz wrote:
> Hello,
>
> $subject.
>
> - dovecot/auth: allow to read stats-user
> - dovecot/config: allow to read /usr/share/dovecot/**
> - dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
> /usr/share/dovecot/**
>
> These things were reported by Félix Sipma in Debian Bug#835826
> (with some help from sarnold on IRC)
>
> References: https://bugs.debian.org/835826
>
>
> Note: The bugreport says that the dovecot/lmtp profile also needs
> @{HOME}/.dovecot.svbin r,
> added, bug http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage says that
> sieve uses the .svbin extension for all sieve scripts. I'm unsure if
> allowing one specific file makes sense, so let's get the easy things
> in now, and do a follow-up patch once this is clarified.
>
>
> I propose this patch for trunk, 2.10 and 2.9.
>
>
>
> [ dovecot-profiles-deb835826.diff ]
Acked for all three, thanks.
Acked-by: Seth Arnold <seth.arnold at canonical.com>
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
> --- profiles/apparmor.d/usr.lib.dovecot.auth 2016-04-06 22:53:06 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.auth 2016-10-03 19:35:41 +0000
> @@ -38,7 +38,7 @@
> /var/tmp/smtp_* rw,
>
> /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
> - /{var/,}run/dovecot/stats-user w,
> + /{var/,}run/dovecot/stats-user rw,
>
> # Site-specific additions and overrides. See local/README for details.
> #include <local/usr.lib.dovecot.auth>
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.config'
> --- profiles/apparmor.d/usr.lib.dovecot.config 2014-06-27 19:14:53 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.config 2016-10-03 19:36:06 +0000
> @@ -23,6 +23,7 @@
> /usr/bin/doveconf rix,
> /usr/lib/dovecot/config mr,
> /usr/lib/dovecot/managesieve Px,
> + /usr/share/dovecot/** r,
>
> # Site-specific additions and overrides. See local/README for details.
> #include <local/usr.lib.dovecot.config>
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
> --- profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-03 19:39:38 +0000
> @@ -25,7 +25,14 @@
> @{DOVECOT_MAILSTORE}/** rwkl,
>
> @{HOME} r, # ???
> - /usr/lib/dovecot/imap mr,
> +
> + /etc/dovecot/dovecot.conf r,
> + /etc/dovecot/conf.d/ r,
> + /etc/dovecot/conf.d/** r,
> +
> + /usr/bin/doveconf rix,
> + /usr/lib/dovecot/imap mrix,
> + /usr/share/dovecot/** r,
> /{,var/}run/dovecot/auth-master rw,
> /{,var/}run/dovecot/mounts r,
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161003/5932788c/attachment.pgp>
More information about the AppArmor
mailing list