Hello,

dovecot-lda needs to read and write /tmp/dovecot.lda.*.

It also needs to be able to execute sendmail to send sieve vacation
mails.

For now, I'm using a child profile for sendmail to avoid introducing a
new profile with possible regressions. This child profile is based on
the usr.sbin.sendmail profile in extras and should cover both postfix'
and sendmail's sendmail.
I also mixed in some bits that were needed for (postfix) sendmail on my
servers, and dropped some rules that were obsolete (directory rules not
ending with a /) or covered by an abstraction.

In the future, we might want to provide a stand-alone profile for
sendmail (based on this child profile) and change the rule in the
dovecot-lda profile to Px.


References: https://bugzilla.opensuse.org/show_bug.cgi?id=954959
            https://bugzilla.opensuse.org/show_bug.cgi?id=954958


I propose this patch for trunk, 2.10 and 2.9.


[ profiles-dovecot-lda.diff ]

--- profiles/apparmor.d/usr.lib.dovecot.dovecot-lda     2014-09-10 22:00:36.616976000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-lda     2016-01-06 14:16:52.943206901 +0100
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------           
 #                                                                              
-#    Copyright (C) 2013 Christian Boltz                                        
+#    Copyright (C) 2013-2016 Christian Boltz                                   
 #                                                                              
 #    This program is free software; you can redistribute it and/or             
 #    modify it under the terms of version 2 of the GNU General Public          
@@ -24,10 +24,65 @@                                                             
                                                                                
   /etc/dovecot/** r,                                                           
   /proc/*/mounts r,                                                            
+  owner /tmp/dovecot.lda.* rw,                                                 
   /{var/,}run/dovecot/mounts r,                                                
   /usr/bin/doveconf mrix,                                                      
   /usr/lib/dovecot/dovecot-lda mrix,                                           
+  /usr/sbin/sendmail Cx,                                                       
                                                                                
   # Site-specific additions and overrides. See local/README for details.       
   #include <local/usr.lib.dovecot.dovecot-lda>                                 
+                                                                               
+                                                                               
+  profile /usr/sbin/sendmail flags=(attach_disconnected) {                     
+    # this profile is based on the usr.sbin.sendmail profile in extras         
+    # and should support both postfix' and sendmail's sendmail binary          
+                                                                               
+    #include <abstractions/base>                                               
+    #include <abstractions/consoles>                                           
+    #include <abstractions/nameservice>                                        
+    #include <abstractions/user-tmp>                                           
+    #include <abstractions/postfix-common>                                     
+                                                                               
+    capability sys_ptrace,                                                     
+                                                                               
+    /etc/aliases rw,     # newaliases is a symlink to sendmail, so it's        
+    /etc/aliases.db rw,  # actually the same binary                            
+    /etc/fstab r,                                                              
+    /etc/hosts.allow r,                                                        
+    /etc/hosts.deny r,
+    /etc/mail/* r,
+    /etc/mail/statistics rw,
+    /etc/mtab r,
+    /etc/postfix/aliases r,
+    /etc/postfix/aliases.db rw,  # newaliases again
+    /etc/sendmail.cf r,
+    /etc/sendmail.cw r,
+    /etc/shells r,
+    /proc/loadavg r,
+    /proc/net/if_inet6 r,
+    /root/.forward r,
+    /root/dead.letter w,
+    /usr/bin/procmail Px,
+    /usr/lib/postfix/master Px,
+    /usr/lib/postfix/showq Px,
+    /usr/lib/postfix/smtpd Px,
+    /usr/sbin/postalias Px,
+    /usr/sbin/postdrop Px,
+    /usr/sbin/postfix Px,
+    /usr/sbin/postqueue Px,
+    /usr/sbin/sendmail mrix,
+    /usr/sbin/sendmail.postfix mrix,
+    /usr/sbin/sendmail.sendmail mrix,
+    /{var/,}run/sendmail.pid rwl,
+    /{var/,}run/sm-client.pid rwl,
+    /{var/,}run/utmp rw,
+    /var/spool/clientmqueue/* rwl,
+    /var/spool/mail/* rwl,
+    /var/spool/mqueue/* rwl,
+    /var/spool/postfix/maildrop/* rwl,
+    /var/spool/postfix/public/pickup w,
+    /var/spool/postfix/public/qmgr w,
+    /var/spool/postfix/public/showq w,
+  }
 }
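Review bot: the `Px` rules in the child profile (`/usr/bin/procmail Px,`, `/usr/lib/postfix/master Px,`, `/usr/sbin/postdrop Px,` and the other postfix helpers) only work when a profile for each target binary is loaded; AppArmor denies a `Px` exec whose target profile does not exist rather than falling back to unconfined. On a host that has only this profile installed, postfix's sendmail will be unable to exec postdrop and the vacation mail will be dropped, so either ship the target profiles together with this change or state in the profile comment that they are required. Separately, this child profile is entered from dovecot-lda only to hand off a vacation reply, so `/etc/aliases rw,`, `/etc/aliases.db rw,`, `/etc/postfix/aliases.db rw,` and `/var/spool/mail/* rwl,` are wider than that path needs: newaliases is never reached via dovecot-lda, and a delivery agent should not be able to rewrite the alias database or every mailbox in the spool. Consider read-only aliases and no spool write here, and keep the full rule set for the stand-alone sendmail profile the mail already proposes. Finally, `capability sys_ptrace,` should carry a comment naming which binary and operation needs it; nothing else in the profile explains it and it is the most powerful grant in the block.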


Regards,

Christian Boltz
-- 
<coolo> ancor: oh, sorry. you can't know yet: coolo is always right
[from #opensuse-project]

Attachment: signature.asc
Description: This is a digitally signed message part.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
