[apparmor] [patch] update some Postfix profiles
Seth Arnold
seth.arnold at canonical.com
Thu Aug 17 22:55:28 UTC 2017
On Fri, Aug 18, 2017 at 12:10:28AM +0200, Christian Boltz wrote:
> Hello,
>
> $subject.
> - change abstractions/postfix-common to allow /etc/postfix/*.db k
> - add several permissions to postfix/error, postfix/lmtp and postfix/pipe
> - remove superfluous abstractions/kerberosclient from all postfix
> profiles - it's included via abstractions/nameservice
>
> I propose this patch for 2.9..trunk.
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Acked for everything
Thanks
>
> Note: the postfix/master, postfix/smtpd and postfix/smtp profiles also
> need updates, but I don't have them ready yet.
>
>
>
> [ postfix-profiles.diff ]
>
> === modified file 'profiles/apparmor.d/abstractions/postfix-common'
> --- profiles/apparmor.d/abstractions/postfix-common 2015-04-16 06:32:50 +0000
> +++ profiles/apparmor.d/abstractions/postfix-common 2017-08-17 21:28:18 +0000
> @@ -22,7 +22,7 @@
>
> /etc/mailname r,
> /etc/postfix/*.cf r,
> - /etc/postfix/*.db r,
> + /etc/postfix/*.db rk,
> @{PROC}/net/if_inet6 r,
> /usr/lib/postfix/*.so mr,
> /usr/lib{,32,64}/sasl2/* mr,
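Review bot: The added `k` on `/etc/postfix/*.db` sits in the shared abstraction, so every profile that includes `abstractions/postfix-common` gains lock permission on the lookup tables, not only the daemons that were seen needing it. File access stays read-only, so this is probably the intended trade-off, but the reason is not recorded in the file. A comment above the rule such as `# lookup tables are locked while they are read` would make the intent clear. That wording assumes this is why the lock was denied, which the hunk does not show.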
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.anvil'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.anvil 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.anvil 2017-08-17 21:37:53 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/anvil {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> capability setgid,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.bounce'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.bounce 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.bounce 2017-08-17 21:37:58 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/bounce {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> capability setgid,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup 2017-08-17 21:38:21 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/cleanup {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> capability net_bind_service,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.error'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.error 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.error 2017-08-17 21:37:02 +0000
> @@ -1,6 +1,7 @@
> # ------------------------------------------------------------------
> #
> # Copyright (C) 2002-2006 Novell/SUSE
> +# Copyright (C) 2017 Christian Boltz
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of version 2 of the GNU General Public
> @@ -13,8 +14,13 @@
> /usr/lib/postfix/error {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> - /usr/lib/postfix/error rmix,
> + @{PROC}/sys/kernel/ngroups_max r,
> + /usr/lib/postfix/error mrix,
> + owner /var/spool/postfix/active/* rwk,
> + /var/spool/postfix/pid/unix.error rwk,
> + /var/spool/postfix/pid/unix.retry rwk,
> + owner /var/spool/postfix/private/defer w,
> +
> }
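Review bot: The two `/var/spool/postfix/pid/unix.*` rules are the only new rules under `/var/spool/postfix` in this profile without the `owner` qualifier, and nothing says whether that is deliberate. If the lock files belong to a different user than the daemon (presumably root, not shown here), a comment such as `# pid lock files are not owned by the daemon user, hence no owner qualifier` would keep a later cleanup from breaking them or from loosening the `owner` rules beside them. It would also help to note that `unix.retry` is listed presumably because the same binary serves the retry service.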
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.flush'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.flush 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.flush 2017-08-17 21:38:30 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/flush {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> capability setgid,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp 2017-08-17 21:37:41 +0000
> @@ -1,6 +1,7 @@
> # ------------------------------------------------------------------
> #
> # Copyright (C) 2002-2006 Novell/SUSE
> +# Copyright (C) 2017 Christian Boltz
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of version 2 of the GNU General Public
> @@ -13,8 +14,10 @@
> /usr/lib/postfix/lmtp {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> - /usr/lib/postfix/lmtp rmix,
> + /usr/lib/postfix/lmtp mrix,
> + /var/spool/postfix/active/* rwk,
> + /var/spool/postfix/pid/unix.lmtp rwk,
> +
> }
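Review bot: `/var/spool/postfix/active/* rwk,` is granted here without `owner`, while the postfix/error hunk in the same patch writes the same rule as `owner /var/spool/postfix/active/* rwk,`. If lmtp runs as the user that owns the queue files, which seems likely but is not shown, the narrower `owner /var/spool/postfix/active/* rwk,` should work and stops the profile from reading or rewriting queue files owned by anyone else. The same applies in the postfix/pipe hunk to the `active/*` rule and to the `private/*` socket rules, where error uses `owner /var/spool/postfix/private/defer w,`.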
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.local'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.local 2016-12-07 19:00:06 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.local 2017-08-17 21:38:39 +0000
> @@ -14,7 +14,6 @@
> #include <abstractions/base>
> #include <abstractions/bash>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/user-mail>
> #include <abstractions/postfix-common>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.master'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.master 2015-06-25 11:16:49 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.master 2017-08-17 21:38:42 +0000
> @@ -12,7 +12,6 @@
>
> /usr/lib/postfix/master {
> #include <abstractions/base>
> - #include <abstractions/kerberosclient>
> #include <abstractions/nameservice>
> #include <abstractions/postfix-common>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr 2017-08-17 21:38:44 +0000
> @@ -12,7 +12,6 @@
>
> /usr/lib/postfix/nqmgr {
> #include <abstractions/base>
> - #include <abstractions/kerberosclient>
> #include <abstractions/nameservice>
> #include <abstractions/postfix-common>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.pickup'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.pickup 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.pickup 2017-08-17 21:38:49 +0000
> @@ -12,7 +12,6 @@
>
> /usr/lib/postfix/pickup {
> #include <abstractions/base>
> - #include <abstractions/kerberosclient>
> #include <abstractions/nameservice>
> #include <abstractions/postfix-common>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.pipe'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.pipe 2010-12-20 20:29:10 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.pipe 2017-08-17 22:00:16 +0000
> @@ -1,6 +1,7 @@
> # ------------------------------------------------------------------
> #
> # Copyright (C) 2006 Novell/SUSE
> +# Copyright (C) 2017 Christian Boltz
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of version 2 of the GNU General Public
> @@ -12,6 +13,14 @@
>
> /usr/lib/postfix/pipe {
> #include <abstractions/base>
> + #include <abstractions/nameservice>
> + #include <abstractions/postfix-common>
>
> - /usr/lib/postfix/pipe rmix,
> + /usr/lib/postfix/pipe mrix,
> + /var/spool/postfix/active/* rwk,
> + /var/spool/postfix/private/bounce w,
> + /var/spool/postfix/private/defer w,
> + /var/spool/postfix/private/rewrite w,
> + /var/spool/postfix/private/trace w,
> +
> }
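Review bot: The profile body as shown has no execute rule other than `ix` on the pipe binary itself and no `capability` lines, although pipe(8) exists to hand mail to external commands, normally under a different user. In enforce mode those deliveries would be denied, and the usual reaction is to switch the profile to complain mode or to add a broad exec rule. A comment in the profile body, for example `# site-specific delivery commands need their own exec rules, preferably with a profile transition (Px/Cx) rather than ix or Ux`, would steer local additions toward confined children. This is an extras profile, so leaving those rules to the site is reasonable as long as that is stated.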
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr 2017-08-17 21:38:57 +0000
> @@ -12,7 +12,6 @@
>
> /usr/lib/postfix/qmgr {
> #include <abstractions/base>
> - #include <abstractions/kerberosclient>
> #include <abstractions/nameservice>
> #include <abstractions/postfix-common>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd 2017-08-17 21:38:59 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/qmqpd {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> /usr/lib/postfix/qmqpd rmix,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.showq'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.showq 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.showq 2017-08-17 21:39:03 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/showq {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> /usr/lib/postfix/showq rmix,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.smtp'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.smtp 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.smtp 2017-08-17 21:39:06 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/smtp {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
> #include <abstractions/openssl>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd 2017-08-17 21:39:08 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/smtpd {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
> #include <abstractions/openssl>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.spawn'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.spawn 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.spawn 2017-08-17 21:39:10 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/spawn {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> /usr/lib/postfix/spawn rmix,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite 2017-08-17 21:39:17 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/trivial-rewrite {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> /usr/lib/postfix/trivial-rewrite rmix,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.verify'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.verify 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.verify 2017-08-17 21:39:22 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/verify {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> /usr/lib/postfix/verify rmix,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.virtual'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.virtual 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.virtual 2017-08-17 21:39:24 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/virtual {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> capability setgid,
>
>
>
>
> Regards,
>
> Christian Boltz
> --
> Why don't you go troll the *buntu fora for a while?
> [David Haller in opensuse-factory]
Well trolled :)