Hello,

On Thursday, 23 January 2014, John Johansen wrote:
> On 01/19/2014 08:58 AM, Christian Boltz wrote:
> > this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE})
> > and replaces the mail storage location in various dovecot-related
> > profiles with this variable.
> >
> > It also adds nice copyright headers (I hope I got the bzr log right
> > ;-)
>
> a few comments inline
>
> > === added file 'profiles/apparmor.d/tunables/dovecot'
> > --- profiles/apparmor.d/tunables/dovecot 1970-01-01 00:00:00 +0000
> > +++ profiles/apparmor.d/tunables/dovecot 2014-01-19 16:08:06 ...
> > +# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
> > +# where dovecot is allowed to store and read mails
> > +#
> > +# The default value is quite broad to avoid breaking existing setups.
> > +# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory
> > +# you use, and remove everything else.
> > +
> > +@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
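Review bot: the header comment in the added tunables/dovecot asks the admin to trim @{DOVECOT_MAILSTORE} but gives no hint where the six defaults come from; since they are the union of the paths the individual dovecot profiles allowed before (as the reply below explains), one sentence saying so would let admins see which entries are merely historical and which one their dovecot setup actually uses. It would also help to state that the profiles use the variable as `@{DOVECOT_MAILSTORE}/**`, so every entry left in the list grants recursive access below it.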
> > === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
> > --- profiles/apparmor.d/usr.lib.dovecot.imap 2011-08-26 23:12:10 +0000
> > +++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-19 ...
> > - @{HOME} r,
> > - @{HOME}/Maildir/ rw,
> > - @{HOME}/Maildir/** klrw,
> > - @{HOME}/Mail/ rw,
> > - @{HOME}/Mail/* klrw,
> > - @{HOME}/Mail/.imap/** klrw,
> > - @{HOME}/mail/ rw,
> > - @{HOME}/mail/* klrw,
> > - @{HOME}/mail/.imap/** klrw,
> > + @{DOVECOT_MAILSTORE}/ rw,
> > + @{DOVECOT_MAILSTORE}/** rwkl,
>
> so this is slightly wider perms than
>
> > - @{HOME}/{m,M}ail/* klrw,
> > - @{HOME}/{m,M}ail/.imap/** klrw,
>
> is this what we want?

The idea of @{DOVECOT_MAILSTORE} is to allow the directories that were
allowed in the old profile, and to get all profiles in sync so that, for
example, IMAP and POP3 allow access to the same directory.

I know the list got quite long - but that's what you get from checking
the current dovecot-related profiles. (Maybe also a location from a bug
report on bnc sneaked in, I'd have to check that ;-)

I'd happily shorten the list to just /var/vmail/, but I'm sure users
would kill me for doing it ;-)

The perfect solution would be to auto-generate @{DOVECOT_MAILSTORE} from
the dovecot config, but unfortunately that isn't as easy as it looks.
(Proposals and scripts welcome ;-)

> > + @{HOME} r, # ???
>
> why the ???, not sure if this rule is required above, you'll find
>
> > - @{HOME} r,

I'm also not sure if it's required (that's why I added "???"), but I
wanted to keep it for backwards compatibility (there must be a reason
why it's there ;-)

(If you are sure we can remove it, this should be a separate patch
titled "break the profile" or so ;-)

> > /usr/lib/dovecot/imap mr,
> >
> > - /var/mail/* klrw,
> > - /var/spool/mail/* klrw,
>
> again a slight widening of permissions

Yes, see above.
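Review bot: besides the `*` to `**` widening already raised, `+ @{DOVECOT_MAILSTORE}/ rw,` is new for two of the tunable's entries: with `/var/mail/` and `/var/spool/mail/` in the list, the imap profile now gets `rw` on those spool directories themselves, whereas the removed `- /var/mail/* klrw,` and `- /var/spool/mail/* klrw,` only matched entries inside them. If that is intended, the commit message should say so. Separately, `+ @{HOME} r, # ???` should not land in a shipped profile with the question marks; either replace the comment with the reason the rule is kept (backwards compatibility, per the discussion) or remove the rule in a separate patch. Both points apply equally to the pop3 hunk.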
> > === modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3'
> > --- profiles/apparmor.d/usr.lib.dovecot.pop3 2011-08-26 23:12:10 +0000
> > +++ profiles/apparmor.d/usr.lib.dovecot.pop3 2014-01-19 16:08:30 +0000
> > @@ -1,6 +1,18 @@
> > ...
> > - @{HOME} r,
> > - @{HOME}/mail/* klrw,
> > - @{HOME}/mail/.imap/** klrw,
> > - @{HOME}/Maildir/ rw,
> > - @{HOME}/Maildir/** klrw,
> > + @{DOVECOT_MAILSTORE}/ rw,
> > + @{DOVECOT_MAILSTORE}/** rwkl,
> > +
> > + @{HOME} r, # ???
>
> again the change in allowed permissions

Again, see above ;-)

Regards,

Christian Boltz
-- 
>how to use the "-b " parameter ?
You... type it in.
[> Jun Hu and Jan Engelhardt in opensuse-packaging]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
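The "is this slightly wider perms?" question in the thread can be answered mechanically. The script below is an added example, not code from this thread or from the AppArmor project: it expands `@{DOVECOT_MAILSTORE}` the way the parser does (each value substituted in turn, nested variables resolved, doubled slashes collapsed), turns the old and new imap rules into path matchers, and lists the sample paths that gain permissions. The `@{HOME}`/`@{HOMEDIRS}` values (written in the style of tunables/home), the probe paths, and the glob semantics (`*` stays inside one path element, `**` crosses elements, neither matches an empty element, `{a,b}` is alternation) are my assumptions and an approximation of AppArmor's matching, not something the thread states.

```python
import re

# Constructed tunables: the variable from the patch plus @{HOME} written in
# the style of tunables/home (assumption; values may contain variables).
TUNABLES = {
    "@{HOMEDIRS}": ["/home/"],
    "@{HOME}": ["@{HOMEDIRS}/*/", "/root/"],
    "@{DOVECOT_MAILSTORE}": ["@{HOME}/Maildir/", "@{HOME}/mail/", "@{HOME}/Mail/",
                             "/var/vmail/", "/var/mail/", "/var/spool/mail/"],
}

# The imap rules the patch removes (old) and the ones it adds (new).
OLD_RULES = """
  @{HOME} r,
  @{HOME}/Maildir/ rw,
  @{HOME}/Maildir/** klrw,
  @{HOME}/Mail/ rw,
  @{HOME}/Mail/* klrw,
  @{HOME}/Mail/.imap/** klrw,
  @{HOME}/mail/ rw,
  @{HOME}/mail/* klrw,
  @{HOME}/mail/.imap/** klrw,
  /var/mail/* klrw,
  /var/spool/mail/* klrw,
"""
NEW_RULES = """
  @{DOVECOT_MAILSTORE}/ rw,
  @{DOVECOT_MAILSTORE}/** rwkl,
  @{HOME} r,  # ???
"""

VAR_RE = re.compile(r"@\{[A-Za-z_][A-Za-z0-9_]*\}")
RULE_RE = re.compile(r"^(\S+)\s+([a-zA-Z]+)\s*,")
TOKEN_RE = re.compile(r"\*\*|\*|\{[^}]*\}|.")


def expand_variables(path, tunables):
    """Every concrete glob a rule path stands for: substitute each value of each
    variable (recursively) and collapse the '//' a trailing '/' in a value leaves."""
    m = VAR_RE.search(path)
    if not m:
        return [re.sub(r"/+", "/", path)]
    out = []
    for value in tunables[m.group(0)]:
        out.extend(expand_variables(path[:m.start()] + value + path[m.end():], tunables))
    return out


def glob_to_regex(glob):
    """Approximate AppArmor path globbing as a regex (assumed semantics, see lead-in)."""
    parts = []
    for tok in TOKEN_RE.finditer(glob):
        t = tok.group(0)
        at_start = tok.start() == 0 or glob[tok.start() - 1] == "/"
        if t == "**":                       # crosses '/', non-empty at element start
            parts.append(r"[^/].*" if at_start else r".*")
        elif t == "*":                      # stays within one path element
            parts.append(r"[^/][^/]*" if at_start else r"[^/]*")
        elif t.startswith("{"):             # {a,b} alternation, not nested
            parts.append("(?:" + "|".join(re.escape(a) for a in t[1:-1].split(",")) + ")")
        else:
            parts.append(re.escape(t))
    return re.compile("^" + "".join(parts) + "$")


def parse_rules(text):
    """(path, set of mode letters) for each file rule; '#' comments are dropped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0].strip())
        if m:
            rules.append((m.group(1), set(m.group(2))))
    return rules


def effective_perms(rules_text, tunables, probe):
    """Union of the mode letters all rules grant on the concrete path `probe`."""
    perms = set()
    for path, mode in parse_rules(rules_text):
        for glob in expand_variables(path, tunables):
            if glob_to_regex(glob).match(probe):
                perms |= mode
    return perms


def widened(old_text, new_text, tunables, probes):
    """Probe paths that gain at least one permission in the new rule set."""
    return sorted(p for p in probes
                  if effective_perms(new_text, tunables, p) - effective_perms(old_text, tunables, p))


# Constructed probe paths; they only drive the comparison.
PROBES = ["/home/alice/", "/home/alice/Maildir/cur/1", "/home/alice/mail/sub/cur/1",
          "/var/mail/alice", "/var/mail/alice/tmp/x", "/var/vmail/example.com/bob/cur/1"]

if __name__ == "__main__":
    for p in PROBES:
        old = "".join(sorted(effective_perms(OLD_RULES, TUNABLES, p))) or "-"
        new = "".join(sorted(effective_perms(NEW_RULES, TUNABLES, p))) or "-"
        print(f"{p:40} old={old:5} new={new:5}")
    print("widened:", widened(OLD_RULES, NEW_RULES, TUNABLES, PROBES))
```

Running it shows the two kinds of growth the review points at: paths nested more than one level below `@{HOME}/mail/` or `/var/mail/` were not matched by the old `*` rules but are by `@{DOVECOT_MAILSTORE}/**`, and `/var/vmail/` was not in the old imap profile at all. Swapping in the pop3 rules from the thread, or a trimmed `@{DOVECOT_MAILSTORE}` value, is a one-line change to the constructed inputs.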