[apparmor] [patch] dovecot - read access for /proc/*/mounts
Christian Boltz
apparmor at cboltz.de
Mon Oct 10 17:31:07 UTC 2011
Hello,
Tim Edwards reported the following audit.log snippet on the
opensuse-factory mailing list:
Oct 10 12:48:24 localhost kernel: [1375671.879183] type=1400
audit(1318243704.530:53): apparmor="DENIED" operation="open"
parent=21582 profile="/usr/sbin/dovecot" name="/proc/21657/mounts"
pid=21657 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
Therefore I propose the following profile patch to allow read access for
/proc/*/mounts in the dovecot profile:
=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
--- profiles/apparmor.d/usr.sbin.dovecot 2011-08-26 23:12:10 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot 2011-10-10 17:24:57 +0000
@@ -19,6 +19,7 @@
/etc/mtab r,
/etc/lsb-release r,
/etc/SuSE-release r,
+ @{PROC}/[0-9]*/mounts r,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
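Review bot: the added rule `@{PROC}/[0-9]*/mounts r,` grants read access to the mounts file of every process, while the logged denial shows dovecot opening only its own entry (pid=21657, name="/proc/21657/mounts"). Consider narrowing it, for example with the owner qualifier as `owner @{PROC}/[0-9]*/mounts r,`, which still covers the logged case (fsuid=0, ouid=0), and add a short comment in the profile saying why dovecot needs this file.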
Regards
Christian Boltz
--
And back then the winters were not as cold as they are today. The 10-metre
tower at the swimming pool was much lower. But I often had back pain at night
from throwing so many bags of money out of the window. Good old days.
[Ratti in suse-linux]