On 01/26/2014 03:07 PM, Christian Boltz wrote:
> Hello,
>
> after testing the dovecot profiles on a new server, I noticed
> /usr/lib/dovecot/dict and /usr/lib/dovecot/lmtp need more
> nameservice-related permissions.
>
> Therefore I propose to include abstractions/nameservice instead of
> adding more and more files.
>

So I like the idea in general, but wow, the abstractions/nameservice is expanding the permissions quite a bit. It makes me hesitant: is this expansion what we want, or perhaps do we want to break up the nameservice abstraction more?
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.dict' > --- profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-26 21:46:51 > +++ profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-26 22:36:59 > @@ -14,6 +14,7 @@ > /usr/lib/dovecot/dict { > #include <abstractions/base> > #include <abstractions/mysql> > + #include <abstractions/nameservice> > > capability setgid, > capability setuid, > @@ -22,8 +23,6 @@ > > /etc/dovecot/dovecot-database.conf.ext r, > /etc/dovecot/dovecot-dict-sql.conf.ext r, > - /etc/nsswitch.conf r, > - /etc/services r, > /usr/lib/dovecot/dict mr, > > # Site-specific additions and overrides. See local/README for details. > > === modified file 'profiles/apparmor.d/usr.lib.dovecot.lmtp' > --- profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-26 21:46:51 > +++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-26 22:37:10 > @@ -14,6 +14,7 @@ > > /usr/lib/dovecot/lmtp { > #include <abstractions/base> > + #include <abstractions/nameservice> > > deny capability block_suspend, > > > @@ -24,7 +25,6 @@ > @{DOVECOT_MAILSTORE}/ rw, > @{DOVECOT_MAILSTORE}/** rwkl, > > - /etc/resolv.conf r, > /proc/*/mounts r, > /tmp/dovecot.lmtp.* rw, > /usr/lib/dovecot/lmtp mr, > > > > Regards, > > Christian Boltz > -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
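Review bot: in the first usr.lib.dovecot.dict hunk (`+  #include <abstractions/nameservice>`), the commit text only says the profile needs "more nameservice-related permissions" without naming which accesses were actually denied, while the include brings in far more than the two reads (`/etc/nsswitch.conf r,` and `/etc/services r,`) it replaces, which is exactly the expansion the reply above is hesitant about. Please put the concrete denials (the audit lines from the new server) into the commit message so a reviewer can tell whether the whole abstraction is required or whether one or two additional explicit read rules beside the existing ones would be enough.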