[apparmor] [patch] /usr/lib/dovecot/auth and mysql
John Johansen
john.johansen at canonical.com
Sun Feb 2 09:59:37 UTC 2014
On 01/26/2014 03:17 PM, Christian Boltz wrote:
> Hello,
>
> this patch is an interesting one - /usr/lib/dovecot/auth reads the mysql
> config files, which is not covered by abstractions/mysql.
>
> Now the interesting question is where we should add this.
>
> a) add it to abstractions/mysql "because it belongs to mysql" even if
> /usr/lib/dovecot/auth is the only one that needs it
>
> b) add it to usr.lib.dovecot.auth "because /usr/lib/dovecot/auth
> is the only one that needs it"
>
> At the moment, I tend to b) to avoid superfluous permissions for other
> programs with abstractions/mysql, but I'd like to hear your opinions ;-)
>
>
I tend to agree, though I wonder why mysql doesn't need it.
Acked-by: John Johansen <john.johansen at canonical.com>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
> --- profiles/apparmor.d/usr.lib.dovecot.auth 2014-01-26 21:46:51
> +++ profiles/apparmor.d/usr.lib.dovecot.auth 2014-01-26 22:36:47
> @@ -23,6 +23,10 @@
> capability setgid,
> capability setuid,
>
> + /etc/my.cnf r,
> + /etc/my.cnf.d/ r,
> + /etc/my.cnf.d/*.cnf r,
> +
> /etc/dovecot/dovecot-database.conf.ext r,
> /etc/dovecot/dovecot-sql.conf.ext r,
> /usr/lib/dovecot/auth mr,
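Review bot: the three added rules (`/etc/my.cnf r,`, `/etc/my.cnf.d/ r,`, `/etc/my.cnf.d/*.cnf r,`) go in without a comment, so a later reader of usr.lib.dovecot.auth cannot tell why this profile reads the MySQL config files, or that keeping the rules out of abstractions/mysql was a deliberate choice. Suggest a one-line comment above the block stating that /usr/lib/dovecot/auth reads the mysql config files and that the rules live here rather than in the abstraction so other profiles including abstractions/mysql do not gain them. Style point: the block sits above the /etc/dovecot/ rules; placing it after `/etc/dovecot/dovecot-sql.conf.ext r,` would keep the /etc paths in alphabetical order.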
>
>
> Regards,
>
> Christian Boltz
>