Hello,

dovecot 2.x comes with several new binaries in /usr/lib/dovecot. 
This patch adds profiles for

/usr/lib/dovecot/anvil 
/usr/lib/dovecot/auth 
/usr/lib/dovecot/config 
/usr/lib/dovecot/dict 
/usr/lib/dovecot/dovecot-lda 
/usr/lib/dovecot/lmtp 
/usr/lib/dovecot/log 
/usr/lib/dovecot/managesieve 
/usr/lib/dovecot/ssl-params

References: https://bugzilla.novell.com/show_bug.cgi?id=851984


=== added file 'profiles/apparmor.d/usr.lib.dovecot.anvil'
--- profiles/apparmor.d/usr.lib.dovecot.anvil   1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.anvil   2014-01-19 16:08:30 +0000
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/anvil {
+  #include <abstractions/base>
+
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+
+  /usr/lib/dovecot/anvil mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.anvil>
+}
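Review bot: The three capability grants (setgid, setuid, sys_chroot) carry no explanation of why a connection-tracking helper needs them, which is the first thing a site admin tightening this profile will ask. Presumably the binary drops privileges and enters its chroot itself after the master execs it (uid/gid/chroot handed over by dovecot) rather than the master doing so before exec — worth confirming against the service startup code. I would add `# privilege drop and chroot are done by the process itself after exec — TODO confirm` above the capability block so the grants are not mistaken for excess.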

=== added file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth    1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.auth    2014-01-19 16:08:30 +0000
@@ -0,0 +1,38 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/auth {
+  #include <abstractions/authentication>
+  #include <abstractions/base>
+  #include <abstractions/mysql>
+  #include <abstractions/nameservice>
+
+  deny capability block_suspend,
+
+  capability audit_write,
+  capability setgid,
+  capability setuid,
+
+  /etc/dovecot/dovecot-database.conf.ext r,
+  /etc/dovecot/dovecot-sql.conf.ext r,
+  /usr/lib/dovecot/auth mr,
+
+  # kerberos replay cache
+  /var/tmp/imap_* rw,
+  /var/tmp/pop_* rw,
+  /var/tmp/sieve_* rw,
+  /var/tmp/smtp_* rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.auth>
+}
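Review bot: Only the SQL backend configuration (`dovecot-database.conf.ext`, `dovecot-sql.conf.ext`) is readable here; a site using the LDAP passdb/userdb (`dovecot-ldap.conf.ext`) or a passwd-file backend will get denials on the backend's own files, and nothing in the profile says this is intentional and expected to come from the local include. I would add a comment above the two config rules, e.g. `# SQL backend only; LDAP/passwd-file backend files belong in local/usr.lib.dovecot.auth`. The `capability audit_write` grant is also unexplained — presumably it is for the PAM modules pulled in via abstractions/authentication writing audit records; if so, say it in a comment so nobody removes it as excess.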

=== added file 'profiles/apparmor.d/usr.lib.dovecot.config'
--- profiles/apparmor.d/usr.lib.dovecot.config  1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.config  2014-01-19 16:08:30 +0000
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/config {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/ssl_keys>
+
+  deny capability block_suspend,
+
+  capability dac_override,
+  capability setgid,
+
+
+  /etc/dovecot/** r,
+  /usr/bin/doveconf rix,
+  /usr/lib/dovecot/config mr,
+  /usr/lib/dovecot/managesieve Px,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.config>
+}
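Review bot: `capability dac_override` is granted without a reason, and it is the one capability here that lets the process bypass mode bits on every path the file rules allow — presumably needed because `ssl_key` files can be owned by another user with a restrictive mode, but that should be stated. I would add `# dac_override: ssl_key/ssl_cert files may not be readable via mode bits alone — TODO confirm` above it. The `Px` transition to /usr/lib/dovecot/managesieve is surprising for a config process and also unexplained; if a real code path execs it, a comment naming that path would keep the rule from being dropped as stray. The double blank line between the capability and file rules is a style nit.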

=== added file 'profiles/apparmor.d/usr.lib.dovecot.dict'
--- profiles/apparmor.d/usr.lib.dovecot.dict    1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.dict    2014-01-19 16:08:30 +0000
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/dict {
+  #include <abstractions/base>
+  #include <abstractions/mysql>
+
+  capability setgid,
+  capability setuid,
+
+  network inet stream,
+
+  /etc/dovecot/dovecot-database.conf.ext r,
+  /etc/dovecot/dovecot-dict-sql.conf.ext r,
+  /etc/nsswitch.conf r,
+  /etc/services r,
+  /usr/lib/dovecot/dict mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.dict>
+}
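Review bot: `network inet stream` is IPv4-only; a dict backend reached over an IPv6 SQL server address will be denied at connect time with no matching rule. If the intent is "any TCP client socket", add `network inet6 stream,` next to it, or comment why only inet is wanted. It is also worth a comment that only the MySQL backend is covered (via abstractions/mysql plus the two conf.ext files); PostgreSQL or SQLite dict backends need their own paths in the local include.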

=== added file 'profiles/apparmor.d/usr.lib.dovecot.dovecot-lda'
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-lda     1970-01-01 00:00:00 
+0000
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-lda     2014-01-19 16:08:30 
+0000
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/dovecot-lda {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability setgid,
+  capability setuid,
+
+  @{DOVECOT_MAILSTORE}/ rw,
+  @{DOVECOT_MAILSTORE}/** rwkl,
+
+  /etc/dovecot/** r,
+  /proc/*/mounts r,
+  /{var/,}run/dovecot/mounts r,
+  /usr/bin/doveconf mrix,
+  /usr/lib/dovecot/dovecot-lda mrix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.dovecot-lda>
+}
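Review bot: Write access is limited to @{DOVECOT_MAILSTORE}, but when the Sieve plugin is active dovecot-lda reads the user's script and writes the compiled `.svbin` next to it, which on many setups lives under the home directory rather than the mailstore — those writes will be denied with nothing in the profile hinting at it. I cannot tell from the patch whether Sieve is expected here, so I would at least add `# Sieve scripts/.svbin outside @{DOVECOT_MAILSTORE} go in local/usr.lib.dovecot.dovecot-lda` above the local include. The `l` permission on the whole mailstore also deserves a word, e.g. `# rwkl: maildir-style delivery presumably renames/hardlinks within the store`.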

=== added file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
--- profiles/apparmor.d/usr.lib.dovecot.lmtp    1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.lmtp    2014-01-19 16:08:30 +0000
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/lmtp {
+  #include <abstractions/base>
+
+  deny capability block_suspend,
+
+  capability dac_override,
+  capability setgid,
+  capability setuid,
+
+  @{DOVECOT_MAILSTORE}/ rw,
+  @{DOVECOT_MAILSTORE}/** rwkl,
+
+  /etc/resolv.conf r,
+  /proc/*/mounts r,
+  /tmp/dovecot.lmtp.* rw,
+  /usr/lib/dovecot/lmtp mr,
+  /{var/,}run/dovecot/mounts r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.lmtp>
+}
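Review bot: `capability dac_override` has no justification, and in this profile it is what allows a root lmtp process to write into any mailbox under @{DOVECOT_MAILSTORE} regardless of per-user ownership and mode — presumably the point (delivery into other users' mailboxes), but it should be written down so the grant is not mistaken for overreach. I would add `# dac_override: delivers into mailboxes owned by other users — TODO confirm still needed when lmtp setuids per delivery`. Separately, `/etc/resolv.conf r` is granted without the rest of abstractions/nameservice; if lmtp resolves hostnames through NSS (getaddrinfo) it will also need `/etc/nsswitch.conf` and `/etc/hosts`, so either include the abstraction as dovecot-lda does or comment why resolv.conf alone is enough.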

=== added file 'profiles/apparmor.d/usr.lib.dovecot.log'
--- profiles/apparmor.d/usr.lib.dovecot.log     1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.log     2014-01-19 16:08:30 +0000
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/log {
+  #include <abstractions/base>
+
+  deny capability block_suspend,
+
+  capability setgid,
+
+  /usr/lib/dovecot/log mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.log>
+}
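Review bot: The log process has no writable log destination of its own: with `log_path` at the default (syslog) it works through `/dev/log` from abstractions/base, but any `log_path`, `info_log_path` or `debug_log_path` pointing at a file will be denied, and there is no hint in the profile. I would add a commented example above the local include, e.g. `# log_path/info_log_path set to files need write access here, e.g.` followed by `#  /var/log/dovecot*.log w,`, so admins know where the denial comes from. The bugzilla reference suggests this targets openSUSE; check whether the distribution's dovecot.conf already sets a file log path, in which case the rule should be live rather than commented.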

=== added file 'profiles/apparmor.d/usr.lib.dovecot.managesieve'
--- profiles/apparmor.d/usr.lib.dovecot.managesieve     1970-01-01 00:00:00 
+0000
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve     2014-01-19 16:08:30 
+0000
@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/managesieve {
+  #include <abstractions/base>
+
+  /etc/dovecot/** r,
+  /usr/bin/doveconf rix,
+  /usr/lib/dovecot/managesieve mrix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.managesieve>
+}
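Review bot: The profile grants no path where per-user Sieve scripts can be read or written — no @{DOVECOT_MAILSTORE}, no home directory — yet a ManageSieve service exists to store those scripts, so unless this binary is something other than Pigeonhole's managesieve service, every PUTSCRIPT will be denied. I cannot tell from the patch which role the binary has (the `doveconf rix` and `/etc/dovecot/** r` rules suggest it parses config itself), so I would add a comment stating it and where script storage is expected to be granted, e.g. `# per-user sieve storage (sieve_dir) is site-specific: add it in local/usr.lib.dovecot.managesieve`. Note also that the profile has no capability rules, so if the process is entered as root via the `Px` from the config profile and must drop to the user, setuid/setgid will be denied.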

=== added file 'profiles/apparmor.d/usr.lib.dovecot.ssl-params'
--- profiles/apparmor.d/usr.lib.dovecot.ssl-params      1970-01-01 00:00:00 
+0000
+++ profiles/apparmor.d/usr.lib.dovecot.ssl-params      2014-01-19 16:08:30 
+0000
@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/ssl-params {
+  #include <abstractions/base>
+
+  deny capability block_suspend,
+
+  capability setgid,
+
+  /usr/lib/dovecot/ssl-params mr,
+  /var/lib/dovecot/ssl-parameters.dat rw,
+  /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.ssl-params>
+}
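Review bot: The `deny capability block_suspend` rule is unexplained here (and in the auth, config, lmtp and log profiles); a reader will wonder why a DH-parameter generator would ever want that capability. Presumably it exists only to silence audit noise from epoll_ctl() on kernels that probe CAP_BLOCK_SUSPEND unconditionally, not because the binary needs it — if so, say so: `# epoll_ctl() on older kernels probes CAP_BLOCK_SUSPEND; deny quietly instead of logging`. A deny rule cannot be overridden from the local include, which is fine for this case but worth knowing when copying the pattern.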


Regards,

Christian Boltz
-- 
Naja, wer in der bekannten närrischen Zeit an jemanden in einer der 
Karnevalsgegenden mailt, muß damit rechnen, daß seine Mail kaum vor 
Freitag beantwortet wird. Vorher sind die Leute da kaum wieder nüchtern 
und ansprechbar. ;)) [Martin Falley in suse-linux]

