[apparmor] [patch] update some Postfix profiles
Christian Boltz
apparmor at cboltz.de
Thu Aug 17 22:10:28 UTC 2017
Hello,
$subject.
- change abstractions/postfix-common to allow /etc/postfix/*.db k
- add several permissions to postfix/error, postfix/lmtp and postfix/pipe
- remove superfluous abstractions/kerberosclient from all postfix
profiles - it's included via abstractions/nameservice
I propose this patch for 2.9..trunk.
Note: the postfix/master, postfix/smtpd and postfix/smtp profiles also
need updates, but I don't have them ready yet.
[ postfix-profiles.diff ]
=== modified file 'profiles/apparmor.d/abstractions/postfix-common'
--- profiles/apparmor.d/abstractions/postfix-common 2015-04-16 06:32:50 +0000
+++ profiles/apparmor.d/abstractions/postfix-common 2017-08-17 21:28:18 +0000
@@ -22,7 +22,7 @@
/etc/mailname r,
/etc/postfix/*.cf r,
- /etc/postfix/*.db r,
+ /etc/postfix/*.db rk,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix/*.so mr,
/usr/lib{,32,64}/sasl2/* mr,
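Review bot: The `k` added to `/etc/postfix/*.db` sits in the shared abstraction, so every profile that includes `abstractions/postfix-common` gains lock permission on the lookup tables, not only the daemons that triggered the denial. Lock does not imply write, so the widening is small, but the rule should say why it is there; something like `# lookup tables are locked while they are read` above the line would do, assuming that is the reason the lock is requested. The abstraction's remaining rules lie outside this hunk, so whether a narrower per-profile grant was possible cannot be judged from here.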
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.anvil'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.anvil 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.anvil 2017-08-17 21:37:53 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/anvil {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
capability setgid,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.bounce'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.bounce 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.bounce 2017-08-17 21:37:58 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/bounce {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
capability setgid,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup 2017-08-17 21:38:21 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/cleanup {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
capability net_bind_service,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.error'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.error 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.error 2017-08-17 21:37:02 +0000
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2017 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -13,8 +14,13 @@
/usr/lib/postfix/error {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
- /usr/lib/postfix/error rmix,
+ @{PROC}/sys/kernel/ngroups_max r,
+ /usr/lib/postfix/error mrix,
+ owner /var/spool/postfix/active/* rwk,
+ /var/spool/postfix/pid/unix.error rwk,
+ /var/spool/postfix/pid/unix.retry rwk,
+ owner /var/spool/postfix/private/defer w,
+
}
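Review bot: The two new pid rules hard-code `unix.error` and `unix.retry` without saying where those names come from; they look like the service names under which the error binary is started, so a site that renames or adds such a service would hit a denial that this profile does not explain. A comment such as `# lock files are named after the master.cf service (error, retry)` above the pair would make that dependency visible, if that reading is right. The `owner` prefix on `active/*` and `private/defer` is a good restriction and is worth keeping when the other profiles are aligned.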
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.flush'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.flush 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.flush 2017-08-17 21:38:30 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/flush {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
capability setgid,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp 2017-08-17 21:37:41 +0000
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2017 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -13,8 +14,10 @@
/usr/lib/postfix/lmtp {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
- /usr/lib/postfix/lmtp rmix,
+ /usr/lib/postfix/lmtp mrix,
+ /var/spool/postfix/active/* rwk,
+ /var/spool/postfix/pid/unix.lmtp rwk,
+
}
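Review bot: The queue-file rule here is `/var/spool/postfix/active/* rwk,` without the `owner` qualifier that the error profile in this same patch uses for the identical path, and the pipe profile repeats the unqualified form. Unless lmtp is expected to open queue files belonging to a different uid, the rule should read `owner /var/spool/postfix/active/* rwk,` so that write access to the active queue stays tied to the files the daemon's own user owns. It is worth confirming from the audit log that the fsuid matches before tightening, since the patch does not show which user the denials were logged for.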
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.local'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.local 2016-12-07 19:00:06 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.local 2017-08-17 21:38:39 +0000
@@ -14,7 +14,6 @@
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/user-mail>
#include <abstractions/postfix-common>
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.master'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.master 2015-06-25 11:16:49 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.master 2017-08-17 21:38:42 +0000
@@ -12,7 +12,6 @@
/usr/lib/postfix/master {
#include <abstractions/base>
- #include <abstractions/kerberosclient>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr 2017-08-17 21:38:44 +0000
@@ -12,7 +12,6 @@
/usr/lib/postfix/nqmgr {
#include <abstractions/base>
- #include <abstractions/kerberosclient>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.pickup'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.pickup 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.pickup 2017-08-17 21:38:49 +0000
@@ -12,7 +12,6 @@
/usr/lib/postfix/pickup {
#include <abstractions/base>
- #include <abstractions/kerberosclient>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.pipe'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.pipe 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.pipe 2017-08-17 22:00:16 +0000
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2006 Novell/SUSE
+# Copyright (C) 2017 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -12,6 +13,14 @@
/usr/lib/postfix/pipe {
#include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/postfix-common>
- /usr/lib/postfix/pipe rmix,
+ /usr/lib/postfix/pipe mrix,
+ /var/spool/postfix/active/* rwk,
+ /var/spool/postfix/private/bounce w,
+ /var/spool/postfix/private/defer w,
+ /var/spool/postfix/private/rewrite w,
+ /var/spool/postfix/private/trace w,
+
}
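Review bot: Unlike the error and lmtp hunks, this profile gets no `/var/spool/postfix/pid/unix.*` rule, and the four `private/*` sockets are granted `w` without the `owner` prefix that the error profile puts on `private/defer`. If pipe takes the same per-service lock file as the other two daemons, it will still be denied, and because pipe services can carry arbitrary names a single fixed file name would not cover it; that needs checking against the audit log before the profile is enforced. The hunk also pulls in `abstractions/nameservice` and `abstractions/postfix-common` for the first time, which widens the profile considerably, so a one-line comment stating which denials made them necessary would help later reviewers.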
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr 2017-08-17 21:38:57 +0000
@@ -12,7 +12,6 @@
/usr/lib/postfix/qmgr {
#include <abstractions/base>
- #include <abstractions/kerberosclient>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd 2017-08-17 21:38:59 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/qmqpd {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
/usr/lib/postfix/qmqpd rmix,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.showq'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.showq 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.showq 2017-08-17 21:39:03 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/showq {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
/usr/lib/postfix/showq rmix,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.smtp'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.smtp 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.smtp 2017-08-17 21:39:06 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/smtp {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
#include <abstractions/openssl>
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd 2017-08-17 21:39:08 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/smtpd {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
#include <abstractions/openssl>
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.spawn'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.spawn 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.spawn 2017-08-17 21:39:10 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/spawn {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
/usr/lib/postfix/spawn rmix,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite 2017-08-17 21:39:17 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/trivial-rewrite {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
/usr/lib/postfix/trivial-rewrite rmix,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.verify'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.verify 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.verify 2017-08-17 21:39:22 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/verify {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
/usr/lib/postfix/verify rmix,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.virtual'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.virtual 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.virtual 2017-08-17 21:39:24 +0000
@@ -13,7 +13,6 @@
/usr/lib/postfix/virtual {
#include <abstractions/base>
#include <abstractions/nameservice>
- #include <abstractions/kerberosclient>
#include <abstractions/postfix-common>
capability setgid,
Regards,
Christian Boltz
--
Why don't you go troll the *buntu fora for a while?
[David Haller in opensuse-factory]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170818/ccbf696d/attachment.pgp>