Update the postfix-common abstraction to cope with signal and unix socket mediation, update the access to the sasl library locations in a multiarch-compliant way, and allow access to limited bits of the filesystem paths under which postfix chroots itself (/var/spool/postfix/ on Ubuntu).
Nominated for trunk and 2.9. Signed-off-by: Steve Beattie <st...@nxnw.org> --- profiles/apparmor.d/abstractions/postfix-common | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) Index: b/profiles/apparmor.d/abstractions/postfix-common =================================================================== --- a/profiles/apparmor.d/abstractions/postfix-common +++ b/profiles/apparmor.d/abstractions/postfix-common @@ -1,6 +1,7 @@ # ------------------------------------------------------------------ # # Copyright (C) 2002-2005 Novell/SUSE +# Copyright (C) 2015 Canonical, Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -14,11 +15,21 @@ capability setgid, capability sys_chroot, + # postfix's master can send us signals + signal receive peer=/usr/lib/postfix/master, + + unix (send, receive) peer=(label=/usr/lib/postfix/master), + + /etc/mailname r, /etc/postfix/*.cf r, /etc/postfix/*.db r, @{PROC}/net/if_inet6 r, /usr/lib/postfix/*.so mr, - /usr/lib64/sasl2/* mr, - /usr/lib64/sasl2/ r, - /usr/lib/sasl2/* mr, - /usr/lib/sasl2/ r, + /usr/lib{,32,64}/sasl2/* mr, + /usr/lib{,32,64}/sasl2/ r, + /usr/lib/@{multiarch}/sasl2/* mr, + /usr/lib/@{multiarch}/sasl2/ r, + + /var/spool/postfix/etc/* r, + /var/spool/postfix/lib/lib*.so* mr, + /var/spool/postfix/lib/@{multiarch}/lib*.so* mr, -- Steve Beattie <sbeat...@ubuntu.com> http://NxNW.org/~steve/
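Review bot: In the second hunk, "signal receive peer=/usr/lib/postfix/master," has no set= qualifier, so every profile that includes this abstraction accepts any signal from master, and the "unix (send, receive) peer=(label=/usr/lib/postfix/master)," rule likewise has no type or address qualifier. If the signals master actually sends and the socket type in use are known, narrowing both rules would keep the abstraction closer to least privilege. Both rules also match on the peer label /usr/lib/postfix/master, so they only apply when master is confined under a profile of that name; the comment above the signal rule could say so. The three new /var/spool/postfix/ rules have no comment at all, while the commit message explains that this is the chroot location on Ubuntu; a one-line comment in the abstraction saying the same would help anyone adapting it to a different queue directory.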
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor