Hello, this patch adds #include <abstractions/dovecot-common> to the usr.sbin.dovecot profile. Effectively this adds "deny capability block_suspend," which is the only missing part from https://bugs.launchpad.net/apparmor/+bug/1296667/
It also removes "capability setgid," (covered by abstractions/dovecot-common) and "@{PROC}/filesystems r," (part of abstractions/base).

=== modified file 'profiles/apparmor.d/usr.sbin.dovecot' --- profiles/apparmor.d/usr.sbin.dovecot 2014-09-03 19:45:56 +0000 +++ profiles/apparmor.d/usr.sbin.dovecot 2014-12-03 21:39:41 +0000 @@ -15,6 +15,7 @@ /usr/sbin/dovecot { #include <abstractions/authentication> #include <abstractions/base> + #include <abstractions/dovecot-common> #include <abstractions/mysql> #include <abstractions/nameservice> #include <abstractions/ssl_certs> @@ -25,7 +26,6 @@ capability fsetid, capability kill, capability net_bind_service, - capability setgid, capability setuid, capability sys_chroot, @@ -34,7 +34,6 @@ /etc/lsb-release r, /etc/SuSE-release r, @{PROC}/@{pid}/mounts r, - @{PROC}/filesystems r, /usr/bin/doveconf rix, /usr/lib/dovecot/anvil Px, /usr/lib/dovecot/auth Px,

Regards,

Christian Boltz
--
> > of course, now everybody will claim how bad it is to fix bugs which
> > people rely on;
> No, I won't claim that, in fact I would argue against keeping any bug
> on which people rely on (known as "backwards compatibility")
I should have excluded you from the list of everybody...
[> Cristian Rodríguez and (>>) Dominique Leuenberger in opensuse-factory]
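Review bot: in the first hunk (@@ -15,6 +15,7 @@), the new `#include <abstractions/dovecot-common>` brings every rule in that abstraction into the /usr/sbin/dovecot profile, while the description only accounts for `deny capability block_suspend,` and `capability setgid,`. None of the abstraction's contents are visible in this diff, so the commit message should list what else dovecot-common grants and confirm that the master process needs all of it. Otherwise the profile becomes broader than this patch suggests, and it will silently widen again whenever the abstraction gains a rule intended for the helper binaries.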
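Review bot: in the second hunk (@@ -25,7 +26,6 @@), dropping `capability setgid,` leaves the capability block incomplete as documentation: `capability setuid,` stays explicit right below it, while setgid is now granted only indirectly through the include added in the first hunk. Someone auditing the profile's capabilities will no longer see setgid without opening the abstraction, and a later cleanup of dovecot-common would remove it from the master daemon without touching this file. Either keep the explicit line (a duplicate rule is harmless) or leave a short comment in its place saying setgid comes from abstractions/dovecot-common, and say in the description whether setuid is deliberately kept because the abstraction does not cover it.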