[apparmor] [patch] dovecot - read access for /proc/*/mounts
John Johansen
john.johansen at canonical.com
Wed Oct 12 06:32:20 UTC 2011
On 10/10/2011 10:31 AM, Christian Boltz wrote:
> Hello,
>
> Tim Edwards reported the following audit.log snippet on the
> opensuse-factory mailing list:
>
> Oct 10 12:48:24 localhost kernel: [1375671.879183] type=1400
> audit(1318243704.530:53): apparmor="DENIED" operation="open"
> parent=21582 profile="/usr/sbin/dovecot" name="/proc/21657/mounts"
> pid=21657 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0
> ouid=0
>
> Therefore I propose the following profile patch to allow read access for
> /proc/*/mounts in the dovecot profile:
>
> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
> --- profiles/apparmor.d/usr.sbin.dovecot 2011-08-26 23:12:10 +0000
> +++ profiles/apparmor.d/usr.sbin.dovecot 2011-10-10 17:24:57 +0000
> @@ -19,6 +19,7 @@
> /etc/mtab r,
> /etc/lsb-release r,
> /etc/SuSE-release r,
> + @{PROC}/[0-9]*/mounts r,
> /usr/lib/dovecot/dovecot-auth Pxmr,
> /usr/lib/dovecot/imap Pxmr,
> /usr/lib/dovecot/imap-login Pxmr,
>
>
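Review bot: the added rule `@{PROC}/[0-9]*/mounts r,` is broader than the quoted denial requires. The log shows pid=21657 opening /proc/21657/mounts, so dovecot is reading its own entry with fsuid=0 and ouid=0. The rule grants read on the mounts file of every process, and `[0-9]*` only requires the first character of the path component to be a digit. Consider `owner @{PROC}/[0-9]*/mounts r,`, which limits the rule to entries whose owner matches the process's fsuid and still covers the logged access. A one-line comment above the rule saying why dovecot reads this file would help later profile maintainers, since the neighbouring `/etc/mtab r,` rule carries no explanation either.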
Acked-by: John Johansen <john.johansen at canonical.com>