[apparmor] [patch] update dovecot-lda profile

Christian Boltz apparmor at cboltz.de
Sun Apr 2 11:20:52 UTC 2017


dovecot-lda needs 
- the attach_disconnected flags
- read access to /usr/share/dovecot/protocols.d/
- rw for /run/dovecot/auth-userdb

References: https://bugs.launchpad.net/bugs/1650827

I propose this patch for 2.9, 2.10 and trunk.

[ dovecot-lda-lp1650827.diff ]

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.dovecot-lda'
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-lda     2016-02-20 00:15:20 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-lda     2017-04-02 10:46:01 +0000
@@ -12,7 +12,7 @@
 #include <tunables/global>
 #include <tunables/dovecot>
-/usr/lib/dovecot/dovecot-lda {
+/usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/dovecot-common>
@@ -26,9 +26,11 @@
   /proc/*/mounts r,
   owner /tmp/dovecot.lda.* rw,
   /{var/,}run/dovecot/mounts r,
+  /run/dovecot/auth-userdb rw,
   /usr/bin/doveconf mrix,
   /usr/lib/dovecot/dovecot-lda mrix,
   /usr/sbin/sendmail Cx,
+  /usr/share/dovecot/protocols.d/ r,
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.dovecot-lda>


Christian Boltz
vi-Befehle sind sogar relativ einfach zu merken. Wenn man einmal weiß,
was dw db de d) d( d} d{ dd d^ d$ d0 dG sowie cw und yw machen, dann
weiß man auch, was cb ce c) c( c} c{ cc c^ c$ c0 cG sowie yb ye y) y( y}
y{ yy y^ y$ y0 yG machen.                [Bernd Brodesser in suse-linux]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170402/013fb7a5/attachment.pgp>

More information about the AppArmor mailing list