Hello community,

here is the log from the commit of package apparmor for openSUSE:Factory 
checked in at 2014-01-30 11:23:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old)
 and      /work/SRC/openSUSE:Factory/.apparmor.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apparmor"

Changes:
--------
--- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes        2014-01-23 
15:39:45.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes   2014-01-30 
11:23:15.000000000 +0100
@@ -1,0 +2,14 @@
+Sun Jan 26 14:46:43 UTC 2014 - [email protected]
+
+- update apparmor-2.8.2-nm-dnsmasq-config.patch - allow access to pid file
+  and supplemental config directory (by develop7)
+- update apparmor-profiles-dovecot-bnc851984.diff:
+  - do not add access to @{DOVECOT_MAILSTORE} - not required by the main binary
+  - add abstractions/mysql 
+  - allow execution of some more /usr/lib/dovecot/* binaries
+  - better restrict access to /var/spool/postfix/private/
+- update usr.lib.dovecot.auth to allow to read mysql config files
+- update usr.lib.dovecot.dict and usr.lib.dovecot.lmtp:
+  add abstractions/nameservice instead of allowing more and more files
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apparmor-2.8.2-nm-dnsmasq-config.patch ++++++
--- /var/tmp/diff_new_pack.AEWqk2/_old  2014-01-30 11:23:16.000000000 +0100
+++ /var/tmp/diff_new_pack.AEWqk2/_new  2014-01-30 11:23:16.000000000 +0100
@@ -2,12 +2,16 @@
 ===================================================================
 --- profiles/apparmor.d/usr.sbin.dnsmasq.orig
 +++ profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -54,6 +54,8 @@
+@@ -54,6 +54,12 @@
    # NetworkManager integration
    /{,var/}run/nm-dns-dnsmasq.conf r,
    /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
 +  # new dnsmasq config path (as of 2012-11-05)
 +  /{,var/}run/NetworkManager/dnsmasq.conf r,
++  /{,var/}run/NetworkManager/dnsmasq.pid w,
++  # dnsmasq supplemental config directory
++  /etc/NetworkManager/dnsmasq.d/ r,
++  /etc/NetworkManager/dnsmasq.d/* r,
  
    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.sbin.dnsmasq>
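Review bot: The new pid-file rule `/{,var/}run/NetworkManager/dnsmasq.pid w,` sits directly under the existing comment `# new dnsmasq config path (as of 2012-11-05)`, which describes only the `dnsmasq.conf` read rule. A reader auditing the profile would take the write permission as part of the config-path change. Giving it its own comment, e.g. `# pid file written by the NetworkManager-started dnsmasq`, keeps the one writable path in this block clearly separated from the read-only config rules.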



++++++ apparmor-profiles-dovecot-bnc851984.diff ++++++
--- /var/tmp/diff_new_pack.AEWqk2/_old  2014-01-30 11:23:16.000000000 +0100
+++ /var/tmp/diff_new_pack.AEWqk2/_new  2014-01-30 11:23:16.000000000 +0100
@@ -1,6 +1,7 @@
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.deliver 
./usr.lib.dovecot.deliver
---- profiles/apparmor.d/usr.lib.dovecot.deliver        2013-12-30 
22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.deliver        2014-01-01 
19:22:33.468445136 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.deliver
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.deliver.orig   2012-01-06 
17:34:44.000000000 +0100
++++ profiles/apparmor.d/usr.lib.dovecot.deliver        2014-01-26 
15:48:52.227261272 +0100
 @@ -1,6 +1,19 @@
 -# Author: Dulmandakh Sukhbaatar <[email protected]>
 +# ------------------------------------------------------------------
@@ -48,9 +49,10 @@
  
    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.lib.dovecot.deliver>
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 
./usr.lib.dovecot.dovecot-auth
---- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth   2013-12-30 
22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth   2014-01-01 
19:18:33.183586607 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth.orig      2011-08-27 
03:51:03.000000000 +0200
++++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth   2014-01-26 
15:48:52.227261272 +0100
 @@ -1,6 +1,17 @@
 -# Author: Kees Cook <[email protected]>
 +# ------------------------------------------------------------------
@@ -70,9 +72,10 @@
  /usr/lib/dovecot/dovecot-auth {
    #include <abstractions/authentication>
    #include <abstractions/base>
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap ./usr.lib.dovecot.imap
---- profiles/apparmor.d/usr.lib.dovecot.imap   2013-12-30 22:43:37.000000000 
+0100
-+++ profiles/apparmor.d/usr.lib.dovecot.imap   2013-12-30 21:59:34.990459644 
+0100
+Index: profiles/apparmor.d/usr.lib.dovecot.imap
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.imap.orig      2011-08-27 
01:12:10.000000000 +0200
++++ profiles/apparmor.d/usr.lib.dovecot.imap   2014-01-26 15:48:52.227261272 
+0100
 @@ -1,6 +1,18 @@
 -# Author: Kees Cook <[email protected]>
 +# ------------------------------------------------------------------
@@ -116,9 +119,10 @@
  
    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.lib.dovecot.imap>
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap-login 
./usr.lib.dovecot.imap-login
---- profiles/apparmor.d/usr.lib.dovecot.imap-login     2013-12-30 
22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.imap-login     2014-01-01 
19:21:43.299398259 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.imap-login
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.imap-login.orig        2012-04-05 
23:51:17.000000000 +0200
++++ profiles/apparmor.d/usr.lib.dovecot.imap-login     2014-01-26 
15:48:52.228261212 +0100
 @@ -1,4 +1,14 @@
 -# Author: Kees Cook <[email protected]>
 +# ------------------------------------------------------------------
@@ -135,9 +139,10 @@
  
  #include <tunables/global>
  /usr/lib/dovecot/imap-login {
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.managesieve-login 
./usr.lib.dovecot.managesieve-login
---- profiles/apparmor.d/usr.lib.dovecot.managesieve-login      2013-12-30 
22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login      2014-01-01 
19:21:23.986535007 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login.orig 2011-07-14 
14:57:57.000000000 +0200
++++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login      2014-01-26 
15:48:52.228261212 +0100
 @@ -1,4 +1,15 @@
 -# Author: Dulmandakh Sukhbaatar <[email protected]>
 +# ------------------------------------------------------------------
@@ -155,9 +160,10 @@
  
  #include <tunables/global>
  /usr/lib/dovecot/managesieve-login {
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3 ./usr.lib.dovecot.pop3
---- profiles/apparmor.d/usr.lib.dovecot.pop3   2013-12-30 22:43:37.000000000 
+0100
-+++ profiles/apparmor.d/usr.lib.dovecot.pop3   2013-12-30 22:00:13.820132421 
+0100
+Index: profiles/apparmor.d/usr.lib.dovecot.pop3
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.pop3.orig      2011-08-27 
01:12:10.000000000 +0200
++++ profiles/apparmor.d/usr.lib.dovecot.pop3   2014-01-26 15:48:52.228261212 
+0100
 @@ -1,6 +1,18 @@
 -# Author: Kees Cook <[email protected]>
 +# ------------------------------------------------------------------
@@ -196,9 +202,10 @@
    /usr/lib/dovecot/pop3 mr,
  
    # Site-specific additions and overrides. See local/README for details.
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3-login 
./usr.lib.dovecot.pop3-login
---- profiles/apparmor.d/usr.lib.dovecot.pop3-login     2013-12-30 
22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login     2014-01-01 
19:26:54.614068901 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.pop3-login
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.pop3-login.orig        2011-07-14 
14:57:57.000000000 +0200
++++ profiles/apparmor.d/usr.lib.dovecot.pop3-login     2014-01-26 
15:48:52.228261212 +0100
 @@ -1,6 +1,17 @@
 -# Author: Kees Cook <[email protected]>
 +# ------------------------------------------------------------------
@@ -218,10 +225,11 @@
  /usr/lib/dovecot/pop3-login {
    #include <abstractions/base>
    #include <abstractions/nameservice>
-diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot
---- profiles/apparmor.d/usr.sbin.dovecot       2013-12-30 22:43:37.000000000 
+0100
-+++ profiles/apparmor.d/usr.sbin.dovecot       2013-12-30 22:01:14.209513153 
+0100
-@@ -1,6 +1,18 @@
+Index: profiles/apparmor.d/usr.sbin.dovecot
+===================================================================
+--- profiles/apparmor.d/usr.sbin.dovecot.orig  2011-10-12 13:05:00.000000000 
+0200
++++ profiles/apparmor.d/usr.sbin.dovecot       2014-01-26 16:09:40.262068251 
+0100
+@@ -1,37 +1,61 @@
 -# Author: Kees Cook <[email protected]>
 +# ------------------------------------------------------------------
 +#
@@ -236,12 +244,13 @@
 +# vim: ft=apparmor
  
  #include <tunables/global>
-+#include <tunables/dovecot>
 +
  /usr/sbin/dovecot {
    #include <abstractions/authentication>
    #include <abstractions/base>
-@@ -9,29 +21,42 @@
++  #include <abstractions/mysql>
+   #include <abstractions/nameservice>
+   #include <abstractions/ssl_certs>
    #include <abstractions/ssl_keys>
  
    capability chown,
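Review bot: The added `#include <abstractions/mysql>` in the `/usr/sbin/dovecot` profile carries no comment saying why the master process needs MySQL access. The changelog removes `@{DOVECOT_MAILSTORE}` from this same profile as not required by the main binary, and the following hunk starts the helper binaries through `Px` transitions into their own profiles, so the abstraction may only be needed in the helpers that talk to the database. That is inferred, since no denial logs are on the page. If the include is required here, a comment above it, e.g. `# needed by the master process for <reason>`, would record why. The profile body continues outside this hunk.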
@@ -253,24 +262,22 @@
    capability setuid,
    capability sys_chroot,
 -  capability fsetid,
-+
-+
-+
-+  @{DOVECOT_MAILSTORE}/ rw,
-+  @{DOVECOT_MAILSTORE}/** rwkl,
  
    /etc/dovecot/** r,
    /etc/mtab r,
    /etc/lsb-release r,
    /etc/SuSE-release r,
    @{PROC}/[0-9]*/mounts r,
++  @{PROC}/filesystems r,
 +  /usr/bin/doveconf rix,
 +  /usr/lib/dovecot/anvil Px,
 +  /usr/lib/dovecot/auth Px,
 +  /usr/lib/dovecot/config Px,
++  /usr/lib/dovecot/dict Px,
    /usr/lib/dovecot/dovecot-auth Pxmr,
    /usr/lib/dovecot/imap Pxmr,
    /usr/lib/dovecot/imap-login Pxmr,
++  /usr/lib/dovecot/lmtp Px,
 +  /usr/lib/dovecot/log Px,
 +  /usr/lib/dovecot/managesieve Px,
 +  /usr/lib/dovecot/managesieve-login Pxmr,
@@ -287,8 +294,8 @@
    /var/lib/dovecot/ w,
 -  /var/lib/dovecot/* krw,
 +  /var/lib/dovecot/* rwkl,
-+  /var/spool/postfix/private/* w,
++  /var/spool/postfix/private/auth w,
++  /var/spool/postfix/private/dovecot-lmtp w,
    /{,var/}run/dovecot/ rw,
    /{,var/}run/dovecot/** rw,
    link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
-
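Review bot: The two rules `/var/spool/postfix/private/auth w,` and `/var/spool/postfix/private/dovecot-lmtp w,` hard-code socket names that are chosen in the site's dovecot listener configuration, and nothing in the profile says so. Narrowing the former `private/*` wildcard is the right direction, but an admin who names the sockets differently now gets a denial with no hint in the profile. A comment above them would help, e.g. `# socket names must match the unix_listener paths in the dovecot config; add others via the local/ include`. The profile body starts outside this hunk.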

++++++ usr.lib.dovecot.auth ++++++
--- /var/tmp/diff_new_pack.AEWqk2/_old  2014-01-30 11:23:16.000000000 +0100
+++ /var/tmp/diff_new_pack.AEWqk2/_new  2014-01-30 11:23:16.000000000 +0100
@@ -23,6 +23,10 @@
   capability setgid,
   capability setuid,
 
+  /etc/my.cnf r,
+  /etc/my.cnf.d/ r,
+  /etc/my.cnf.d/*.cnf r,
+
   /etc/dovecot/dovecot-database.conf.ext r,
   /etc/dovecot/dovecot-sql.conf.ext r,
   /usr/lib/dovecot/auth mr,
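Review bot: The three `my.cnf` rules are added to the auth profile alone and without a comment, while the dict profile in this same commit reaches MySQL through `#include <abstractions/mysql>`. If that abstraction does not already cover `/etc/my.cnf` and `/etc/my.cnf.d/`, dict would presumably hit the same denial, and the rules would be better placed once in the abstraction, in line with the changelog's own preference for abstractions over per-file rules. At minimum, a comment such as `# mysql client configuration (may hold credentials; read-only)` above the block would document the intent. Whether the auth profile already includes the abstraction is not visible in this hunk.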

++++++ usr.lib.dovecot.dict ++++++
--- /var/tmp/diff_new_pack.AEWqk2/_old  2014-01-30 11:23:16.000000000 +0100
+++ /var/tmp/diff_new_pack.AEWqk2/_new  2014-01-30 11:23:16.000000000 +0100
@@ -14,6 +14,7 @@
 /usr/lib/dovecot/dict {
   #include <abstractions/base>
   #include <abstractions/mysql>
+  #include <abstractions/nameservice>
 
   capability setgid,
   capability setuid,
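Review bot: Replacing the two file rules with `#include <abstractions/nameservice>` widens this profile, and the include carries no comment recording that trade-off. The abstraction grants more than `/etc/nsswitch.conf` and `/etc/services`: it also covers the passwd/group databases, resolver files and network access for name lookups. A comment such as `# needs NSS lookups (users, services, DNS); broader than the former per-file rules` would make the broadened scope explicit to anyone auditing the profile. The same applies to the matching include added in usr.lib.dovecot.lmtp, where it replaces a single `/etc/resolv.conf r,` rule.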
@@ -22,8 +23,6 @@
 
   /etc/dovecot/dovecot-database.conf.ext r,
   /etc/dovecot/dovecot-dict-sql.conf.ext r,
-  /etc/nsswitch.conf r,
-  /etc/services r,
   /usr/lib/dovecot/dict mr,
 
   # Site-specific additions and overrides. See local/README for details.

++++++ usr.lib.dovecot.lmtp ++++++
--- /var/tmp/diff_new_pack.AEWqk2/_old  2014-01-30 11:23:16.000000000 +0100
+++ /var/tmp/diff_new_pack.AEWqk2/_new  2014-01-30 11:23:16.000000000 +0100
@@ -14,6 +14,7 @@
 
 /usr/lib/dovecot/lmtp {
   #include <abstractions/base>
+  #include <abstractions/nameservice>
 
   deny capability block_suspend,
 
@@ -24,7 +25,6 @@
   @{DOVECOT_MAILSTORE}/ rw,
   @{DOVECOT_MAILSTORE}/** rwkl,
 
-  /etc/resolv.conf r,
   /proc/*/mounts r,
   /tmp/dovecot.lmtp.* rw,
   /usr/lib/dovecot/lmtp mr,
