[apparmor] [patch] dovecot profiles
John Johansen
john.johansen at canonical.com
Fri Aug 19 21:33:39 UTC 2011
On 08/19/2011 09:10 AM, John Johansen wrote:
> On 08/19/2011 03:57 AM, Christian Boltz wrote:
>> Hello,
>>
>> I just remembered there's a dovecot profile patch in
>> openSUSE:11.4:Update:Text that has not made it into the Factory package
>> yet. I just updated it to match trunk.
>>
>> I hope it's not too late to include it in 2.7 beta ;-)
>>
>>
> I didn't get to creating the release last night so you're good
>
>> Changes:
>>
>> Dovecot profile update:
>> - allow /var/spool/mail, not only the /var/mail symlink
>> - allow @{HOME}/Mail/
>> - allow capability fsetid, read access to /etc/lsb-release and
>> SuSE-release and k for /var/{lib,run}/dovecot in usr.bin.dovecot
>>
>> References:
>> - dovecot: Added support for /var/spool/mail (bnc#691072)
>> - Updated dovecot profile (bnc#681267).
>>
>> Patch taken from openSUSE:11.4:Update:Test, file apparmor-profiles-dovecot
>> updated to match trunk by Christian Boltz <apparmor at cboltz.de>
>>
>>
>> Regards,
>>
>> Christian Boltz
>> -- <Ohmmmmm> Holy St. Tux, open my eyes, which years of abuse of LittleSoftWindows 3.1 - XP have plastered over with error messages, so that I may see the wonders of the kingdom that is called LINUX.</Ohmmmmm> (Heike Hautz in dcoulm)
>>
>>
>> apparmor-profiles-dovecot-updated
>>
>>
>> === modified file 'profiles/apparmor.d/usr.lib.dovecot.deliver'
>> --- profiles/apparmor.d/usr.lib.dovecot.deliver 2010-08-05 19:00:02 +0000
>> +++ profiles/apparmor.d/usr.lib.dovecot.deliver 2011-08-19 10:38:48 +0000
>> @@ -17,6 +17,7 @@
>> @{HOME}/mail/.imap/** klrw,
>> /usr/lib/dovecot/deliver mr,
>> /var/mail/* klrw,
>> + /var/spool/mail/* klrw,
>>
>> # Site-specific additions and overrides. See local/README for details.
>> #include <local/usr.lib.dovecot.deliver>
>>
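Review bot: the new `/var/spool/mail/* klrw,` line is the rule that actually takes effect on systems where `/var/mail` is a symlink, because AppArmor mediates the pathname after the kernel has resolved symlinks, so the existing `/var/mail/* klrw,` only ever matched where `/var/mail` is a real directory. Worth a one-line comment above the pair, e.g. `# /var/mail is a symlink to /var/spool/mail on some systems`, so the next reader does not drop one of them as redundant. Keeping `*` rather than `**` is right here: deliver only needs the mbox files directly in the spool, not subdirectories.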
>> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
>> --- profiles/apparmor.d/usr.lib.dovecot.imap 2010-08-05 19:00:02 +0000
>> +++ profiles/apparmor.d/usr.lib.dovecot.imap 2011-08-19 10:39:44 +0000
>> @@ -11,11 +11,15 @@
>> @{HOME} r,
>> @{HOME}/Maildir/ rw,
>> @{HOME}/Maildir/** klrw,
>> + @{HOME}/Mail/ rw,
>> + @{HOME}/Mail/* klrw,
>> + @{HOME}/Mail/.imap/** klrw,
>> @{HOME}/mail/ rw,
>> @{HOME}/mail/* klrw,
>> @{HOME}/mail/.imap/** klrw,
>> /usr/lib/dovecot/imap mr,
>> /var/mail/* klrw,
>> + /var/spool/mail/* klrw,
>>
>> # Site-specific additions and overrides. See local/README for details.
>> #include <local/usr.lib.dovecot.imap>
>>
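Review bot: the three `@{HOME}/Mail/` lines duplicate the `@{HOME}/mail/` block with only the case changed; AppArmor path alternation (already used as `/{,var/}run/dovecot/` in usr.sbin.dovecot) lets the pair collapse to `@{HOME}/{Mail,mail}/ rw,`, `@{HOME}/{Mail,mail}/* klrw,` and `@{HOME}/{Mail,mail}/.imap/** klrw,`, which keeps the two spellings from drifting apart later. Also, only the imap profile learns about `~/Mail`: the deliver hunk above still lists only `@{HOME}/mail/.imap/**`, so if `~/Mail` is a supported mail location, delivery into it will still be denied and come back as a new bug report.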
>> === modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3'
>> --- profiles/apparmor.d/usr.lib.dovecot.pop3 2010-08-05 19:00:02 +0000
>> +++ profiles/apparmor.d/usr.lib.dovecot.pop3 2011-08-19 10:37:59 +0000
>> @@ -9,6 +9,7 @@
>> capability setuid,
>>
>> /var/mail/* klrw,
>> + /var/spool/mail/* klrw,
>> @{HOME} r,
>> @{HOME}/mail/* klrw,
>> @{HOME}/mail/.imap/** klrw,
>>
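Review bot: same remark as for deliver: with `/var/mail` a symlink, `/var/spool/mail/* klrw,` is the effective rule and deserves a comment saying so. Since the `/var/mail/*` plus `/var/spool/mail/*` pair now appears identically in deliver, imap and pop3, consider a variable in the tunables written as a space-separated list in the style of `@{HOME}` (name illustrative, e.g. `@{MAILSPOOL}=/var/mail /var/spool/mail`) so the spool location is maintained in one place.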
>> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
>> --- profiles/apparmor.d/usr.sbin.dovecot 2011-07-14 12:57:57 +0000
>> +++ profiles/apparmor.d/usr.sbin.dovecot 2011-08-19 10:44:14 +0000
>> @@ -13,9 +13,12 @@
>> capability setgid,
>> capability setuid,
>> capability sys_chroot,
>> + capability fsetid,
>>
>> /etc/dovecot/** r,
>> /etc/mtab r,
>> + /etc/lsb-release r,
>> + /etc/SuSE-release r,
>> /usr/lib/dovecot/dovecot-auth Pxmr,
>> /usr/lib/dovecot/imap Pxmr,
>> /usr/lib/dovecot/imap-login Pxmr,
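Review bot: `capability fsetid` needs a justification in the profile (a comment naming the operation that triggered the denial, or the audit line itself), since the commit message lists it without saying what dovecot does with it: fsetid lets a process keep the setuid/setgid bits on a file it modifies without owning, which is not something a mail daemon obviously needs, and without the triggering log line a later maintainer cannot tell whether the need still exists. If the denial came from a single helper, the capability belongs in that helper's profile rather than in the master process. The two `/etc/*-release r,` lines are harmless reads and could be written as one `/etc/{lsb,SuSE}-release r,` rule.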
>> @@ -26,10 +29,10 @@
>> /usr/lib/dovecot/managesieve-login Pxmr,
>> /usr/lib/dovecot/ssl-build-param ixr,
>> /usr/sbin/dovecot mr,
>> - /var/lib/dovecot/ w,
>> - /var/lib/dovecot/* krw,
>> - /{,var/}run/dovecot/ rw,
>> - /{,var/}run/dovecot/** rw,
>> + /var/lib/dovecot/ wl,
>> + /var/lib/dovecot/* krwl,
>> + /{,var/}run/dovecot/ rwl,
>> + /{,var/}run/dovecot/** rwl,
>>
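Review bot: the `l` on the two directory entries `/var/lib/dovecot/ wl,` and `/{,var/}run/dovecot/ rwl,` does nothing useful, since hard links to directories cannot be created, so `l` belongs only on the `/var/lib/dovecot/*` and `/{,var/}run/dovecot/**` file rules, if it is needed at all. Before accepting it there, the patch should say which file dovecot hard-links into these directories (the question raised above); if it only creates lock or socket aliases inside the same directory, an explicit link rule such as `link /var/lib/dovecot/* -> /var/lib/dovecot/*,` scopes the permission to that directory, whereas a bare `l` on a file rule is not limited to a particular link target.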
> I'm not too fond of adding l here; what/where is it linking to?
>
Christian, can you provide some more information about why it needs the link permissions and the capability?