Hello, this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE}) and replaces the mail storage location in various dovecot-related profiles with this variable.
It also adds nice copyright headers (I hope I got the bzr log right ;-) === added file 'profiles/apparmor.d/tunables/dovecot' --- profiles/apparmor.d/tunables/dovecot 1970-01-01 00:00:00 +0000 +++ profiles/apparmor.d/tunables/dovecot 2014-01-19 16:08:06 +0000 @@ -0,0 +1,20 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:ft=apparmor + +# @{DOVECOT_MAILSTORE} is a space-separated list of all directories +# where dovecot is allowed to store and read mails +# +# The default value is quite broad to avoid breaking existing setups. +# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory +# you use, and remove everything else. + +@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/ + === modified file 'profiles/apparmor.d/usr.lib.dovecot.deliver' --- profiles/apparmor.d/usr.lib.dovecot.deliver 2012-01-06 16:34:44 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-19 16:08:30 +0000 
@@ -1,6 +1,19 @@ -# Author: Dulmandakh Sukhbaatar <dulmand...@gmail.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmand...@gmail.com> +# Copyright (C) 2009-2012 Canonical Ltd. +# Copyright (C) 2011-2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> +#include <tunables/dovecot> + /usr/lib/dovecot/deliver { #include <abstractions/base> #include <abstractions/nameservice> @@ -8,20 +21,16 @@ capability setgid, capability setuid, + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, + # http://www.postfix.org/SASL_README.html#server_dovecot /etc/dovecot/dovecot.conf r, /etc/dovecot/{auth,conf}.d/*.conf r, - /etc/dovecot/dovecot-postfix.conf r, + /etc/dovecot/dovecot-postfix.conf r, # ??? - @{HOME} r, - @{HOME}/Maildir/ rw, - @{HOME}/Maildir/** klrw, - @{HOME}/mail/ rw, - @{HOME}/mail/* klrw, - @{HOME}/mail/.imap/** klrw, + @{HOME} r, # ??? /usr/lib/dovecot/deliver mr, - /var/mail/* klrw, - /var/spool/mail/* klrw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.deliver> === modified file 'profiles/apparmor.d/usr.lib.dovecot.dovecot-auth' --- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2013-01-02 23:34:38 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-19 16:12:08 +0000 
@@ -1,6 +1,17 @@ -# Author: Kees Cook <k...@ubuntu.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2013 Canonical Ltd. +# Copyright (C) 2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> + /usr/lib/dovecot/dovecot-auth { #include <abstractions/authentication> #include <abstractions/base> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap' --- profiles/apparmor.d/usr.lib.dovecot.imap 2011-08-26 23:12:10 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-19 16:08:30 +0000 @@ -1,6 +1,18 @@ -# Author: Kees Cook <k...@ubuntu.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2010 Canonical Ltd. +# Copyright (C) 2011-2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> +#include <tunables/dovecot> + /usr/lib/dovecot/imap { #include <abstractions/base> #include <abstractions/nameservice> 
@@ -8,18 +20,11 @@ capability setgid, capability setuid, - @{HOME} r, - @{HOME}/Maildir/ rw, - @{HOME}/Maildir/** klrw, - @{HOME}/Mail/ rw, - @{HOME}/Mail/* klrw, - @{HOME}/Mail/.imap/** klrw, - @{HOME}/mail/ rw, - @{HOME}/mail/* klrw, - @{HOME}/mail/.imap/** klrw, + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, + + @{HOME} r, # ??? /usr/lib/dovecot/imap mr, - /var/mail/* klrw, - /var/spool/mail/* klrw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.imap> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login' --- profiles/apparmor.d/usr.lib.dovecot.imap-login 2012-04-05 21:51:17 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-19 16:08:30 +0000 @@ -1,4 +1,14 @@ -# Author: Kees Cook <k...@ubuntu.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> /usr/lib/dovecot/imap-login { === modified file 'profiles/apparmor.d/usr.lib.dovecot.managesieve-login' --- profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2011-07-14 12:57:57 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-19 16:08:30 +0000 
@@ -1,4 +1,15 @@ -# Author: Dulmandakh Sukhbaatar <dulmand...@gmail.com> +# ------------------------------------------------------------------ +# +# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmand...@gmail.com> +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> /usr/lib/dovecot/managesieve-login { === modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3' --- profiles/apparmor.d/usr.lib.dovecot.pop3 2011-08-26 23:12:10 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.pop3 2014-01-19 16:08:30 +0000 @@ -1,6 +1,18 @@ -# Author: Kees Cook <k...@ubuntu.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2010 Canonical Ltd. +# Copyright (C) 2011-2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> +#include <tunables/dovecot> + /usr/lib/dovecot/pop3 { #include <abstractions/base> #include <abstractions/nameservice> 
@@ -8,13 +20,10 @@ capability setgid, capability setuid, - /var/mail/* klrw, - /var/spool/mail/* klrw, - @{HOME} r, - @{HOME}/mail/* klrw, - @{HOME}/mail/.imap/** klrw, - @{HOME}/Maildir/ rw, - @{HOME}/Maildir/** klrw, + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, + + @{HOME} r, # ??? /usr/lib/dovecot/pop3 mr, # Site-specific additions and overrides. See local/README for details. === modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3-login' --- profiles/apparmor.d/usr.lib.dovecot.pop3-login 2011-07-14 12:57:57 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-19 16:08:30 +0000 @@ -1,6 +1,17 @@ -# Author: Kees Cook <k...@ubuntu.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> + /usr/lib/dovecot/pop3-login { #include <abstractions/base> #include <abstractions/nameservice>
Regards, Christian Boltz
-- [SuSE 8.2] Package management via YaST2 is finally reasonably usable too: you can put a package on a permanent "taboo" and - here comes the surprise - it _really_ doesn't overwrite it! ;-) [René Matthäi in suse-linux]
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
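Review bot: the default value of @{DOVECOT_MAILSTORE} in the new tunables/dovecot file widens what the deliver, imap and pop3 profiles may touch, and the commit message should say so. None of the rules removed from those profiles mention /var/vmail/, yet the default now grants `@{DOVECOT_MAILSTORE}/** rwkl` there, and /var/mail and /var/spool/mail move from `/*` (files directly in the spool) to `/**` (any depth). Either keep the default to the union of what the profiles allowed before and let admins add /var/vmail/ locally, or state the widening explicitly in the file comment next to the advice to trim the list. Two smaller points: the list entries carry a trailing slash while the rules append another one (`@{DOVECOT_MAILSTORE}/ rw,` expands to e.g. `@{HOME}/Maildir// rw,`), which only works because the parser collapses doubled slashes, so a one-line comment saying the trailing slash is intentional would help; and the modeline is `# vim:ft=apparmor` here but `# vim: ft=apparmor` in every profile header added by the same patch.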
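Review bot: in the second usr.lib.dovecot.deliver hunk the `# ???` markers on `/etc/dovecot/dovecot-postfix.conf r,` and `@{HOME} r,` read as unresolved TODOs and should not land in a shipped profile. Each rule should either get a comment saying why deliver needs it (which package ships dovecot-postfix.conf; why read access on the home directory itself, as opposed to the mailstore below it, is required) or be dropped. Note also that the dovecot-postfix.conf line is removed and re-added only to attach the comment, so the functional change in this hunk is just the two mailstore rules.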
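Review bot: in the second usr.lib.dovecot.imap hunk the replacement of `@{HOME}/mail/* klrw` plus `@{HOME}/mail/.imap/** klrw` (and the same pair for Mail/) by `@{DOVECOT_MAILSTORE}/** rwkl` is a widening for mbox layouts: previously only the mailbox files at the top level and the .imap/ index tree were reachable, now everything below mail/ and Mail/ is, at any depth. That is probably acceptable for a generic profile, but it deserves a sentence in the commit message; the permission order change from klrw to rwkl is purely cosmetic, and the same remark applies to the matching pop3 hunk.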
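Review bot: the usr.lib.dovecot.managesieve-login header hunk uses `Copyright (c) 2009 Dulmandakh Sukhbaatar` while every other new header (including the same author's line in the deliver profile) uses `(C)`; align the case. Unlike the dovecot-auth and pop3-login hunks, this hunk and the imap-login one also add no blank line between `#include <tunables/global>` and the profile line; minor, but the headers are being made uniform in this very patch.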