On Thu, Jan 26, 2017 at 09:13:31PM +0100, Christian Boltz wrote:
> Hello,
>
> this patch adds several permissions to the dovecot profiles that are needed
> on ubuntu
> (surprisingly not on openSUSE, maybe it depends on the dovecot config?)
>
> As discussed some weeks ago, the added permissions use only /run/
> instead of /{var/,}run/ (which is hopefully superfluous nowadays).
>
>
> References: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1512131

Acked-by: Seth Arnold <seth.arn...@canonical.com> Acked for all branches. Thanks! > > I propose this patch for trunk, 2.10 and 2.9. > > > [ dovecot-lp1512131.diff ] > > === modified file 'profiles/apparmor.d/usr.lib.dovecot.anvil' > --- profiles/apparmor.d/usr.lib.dovecot.anvil 2014-06-27 19:14:53 +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.anvil 2017-01-26 19:58:29 +0000 > @@ -18,6 +18,7 @@ > capability setuid, > capability sys_chroot, > > + /run/dovecot/anvil rw, > /usr/lib/dovecot/anvil mr, > > # Site-specific additions and overrides. See local/README for details. > > === modified file 'profiles/apparmor.d/usr.lib.dovecot.auth' > --- profiles/apparmor.d/usr.lib.dovecot.auth 2016-12-27 16:46:07 +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.auth 2017-01-26 19:59:49 +0000 > @@ -37,6 +37,9 @@ > /var/tmp/sieve_* rw, > /var/tmp/smtp_* rw, > > + /run/dovecot/auth-master rw, > + /run/dovecot/auth-worker rw, > + /run/dovecot/login/login rw, > /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw, > /{var/,}run/dovecot/stats-user rw, > /{var/,}run/dovecot/anvil-auth-penalty rw, > > === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap' > --- profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-05 18:46:03 +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.imap 2017-01-26 20:00:36 +0000 > @@ -21,6 +21,8 @@ > capability setuid, > deny capability block_suspend, > > + network unix stream, > + > @{DOVECOT_MAILSTORE}/ rw, > @{DOVECOT_MAILSTORE}/** rwkl, > > @@ -33,6 +35,7 @@ > /usr/bin/doveconf rix, > /usr/lib/dovecot/imap mrix, > /usr/share/dovecot/** r, > + /run/dovecot/login/imap rw, > /{,var/}run/dovecot/auth-master rw, > /{,var/}run/dovecot/mounts r, > > > === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login' > --- profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-12-22 16:41:59 > +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2017-01-26 20:01:00 > +0000 
> @@ -22,6 +22,7 @@ > > network inet stream, > network inet6 stream, > + network unix stream, > > /usr/lib/dovecot/imap-login mr, > /{,var/}run/dovecot/anvil rw, > > === modified file 'profiles/apparmor.d/usr.lib.dovecot.ssl-params' > --- profiles/apparmor.d/usr.lib.dovecot.ssl-params 2014-06-27 19:14:53 > +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.ssl-params 2017-01-26 20:01:28 > +0000 > @@ -15,6 +15,7 @@ > #include <abstractions/base> > #include <abstractions/dovecot-common> > > + /run/dovecot/login/ssl-params rw, > /usr/lib/dovecot/ssl-params mr, > /var/lib/dovecot/ssl-parameters.dat rw, > /var/lib/dovecot/ssl-parameters.dat.tmp rwk, >
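
Review bot: In the usr.lib.dovecot.anvil hunk, the new rule `/run/dovecot/anvil rw,` names a socket that the usr.lib.dovecot.imap-login context lines still reference as `/{,var/}run/dovecot/anvil rw,`, so the same path ends up spelled two ways across the profile set. Since the patch is also proposed for 2.10 and 2.9, it would help to confirm that the `/run/`-only form is sufficient on the systems those branches serve, or to use the alternation here so the two profiles agree.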
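
Review bot: In the usr.lib.dovecot.auth hunk, the three added `/run/dovecot/...` rules sit directly above `/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,` and its neighbours, and nothing in the profile says the mix of prefixes is deliberate. The reasoning lives only in the cover mail; a one-line comment above the new rules that points at LP: #1512131 and states that new rules use `/run/` only would keep a later reader from "fixing" them in either direction.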
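
Review bot: In the first usr.lib.dovecot.imap hunk (and again in usr.lib.dovecot.imap-login), `network unix stream,` is added without a comment, and the rule as written is not limited to dovecot's own sockets under /run/dovecot/. Please add a short comment naming which socket connection triggered the denial in the referenced bug, so the grant can be reviewed against that need and tightened later if the profiles move to narrower socket rules.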
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor