Hello, dovecot 2.x comes with several new binaries in /usr/lib/dovecot. This patch adds profiles for
/usr/lib/dovecot/anvil /usr/lib/dovecot/auth /usr/lib/dovecot/config /usr/lib/dovecot/dict /usr/lib/dovecot/dovecot-lda /usr/lib/dovecot/lmtp /usr/lib/dovecot/log /usr/lib/dovecot/managesieve /usr/lib/dovecot/ssl-params References: https://bugzilla.novell.com/show_bug.cgi?id=851984
=== added file 'profiles/apparmor.d/usr.lib.dovecot.anvil'
--- profiles/apparmor.d/usr.lib.dovecot.anvil 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.anvil 2014-01-19 16:08:30 +0000
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/anvil {
+ #include <abstractions/base>
+
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ /usr/lib/dovecot/anvil mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.anvil>
+}
=== added file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.auth 2014-01-19 16:08:30 +0000
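Review bot: None of these new child profiles takes effect on its own; they are only entered if the dovecot master's profile (usr.sbin.dovecot, which this patch does not touch) transitions into each binary with a `Px`/`px` rule, and with an `ix` exec the children would keep running under the master's rules. It is worth confirming that usr.sbin.dovecot already carries rules of the form `/usr/lib/dovecot/anvil Px,` for all nine binaries, or saying in the description that a follow-up adds them. For the anvil profile itself, a one-line comment above the capability rules recording why sys_chroot/setuid/setgid are granted (presumably anvil chroots into an empty directory and drops privileges after start-up — to be confirmed against the dovecot process model) would make the three grants auditable.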
@@ -0,0 +1,38 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/auth {
+ #include <abstractions/authentication>
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+
+ deny capability block_suspend,
+
+ capability audit_write,
+ capability setgid,
+ capability setuid,
+
+ /etc/dovecot/dovecot-database.conf.ext r,
+ /etc/dovecot/dovecot-sql.conf.ext r,
+ /usr/lib/dovecot/auth mr,
+
+ # kerberos replay cache
+ /var/tmp/imap_* rw,
+ /var/tmp/pop_* rw,
+ /var/tmp/sieve_* rw,
+ /var/tmp/smtp_* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.auth>
+}
=== added file 'profiles/apparmor.d/usr.lib.dovecot.config'
--- profiles/apparmor.d/usr.lib.dovecot.config 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.config 2014-01-19 16:08:30 +0000
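Review bot: The Kerberos replay-cache rules grant `rw` on `/var/tmp/imap_*`, `/var/tmp/pop_*`, `/var/tmp/sieve_*` and `/var/tmp/smtp_*` without an `owner` qualifier, yet /var/tmp is world-writable, so any local user can pre-create a file matching one of the globs and have the auth process read or overwrite it. Prefixing the four rules with `owner`, e.g. `owner /var/tmp/imap_* rw,`, limits them to files owned by the uid auth runs as, which a replay cache the process creates itself should satisfy. Whether the krb5 library also needs `k` (locking) on the cache file is not visible from this patch; a run in complain mode would show any lock denials.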
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/config {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_keys>
+
+ deny capability block_suspend,
+
+ capability dac_override,
+ capability setgid,
+
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/config mr,
+ /usr/lib/dovecot/managesieve Px,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.config>
+}
=== added file 'profiles/apparmor.d/usr.lib.dovecot.dict'
--- profiles/apparmor.d/usr.lib.dovecot.dict 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-19 16:08:30 +0000
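Review bot: `capability dac_override` and the `Px` transition to `/usr/lib/dovecot/managesieve` are the two non-obvious grants in this profile and neither carries a comment explaining why the config process needs them; a reader cannot tell whether dac_override exists to read root-only key and config files on behalf of unprivileged services (the `ssl_keys` abstraction and `/etc/dovecot/** r` suggest so, but that is an inference) or for something else. A short note such as `# reads root-only ssl keys/config on behalf of unprivileged services` above the capability line, and one above the `Px` rule naming what managesieve is executed for, would make both grants auditable later. The two consecutive blank lines after `capability setgid,` are a harmless style nit.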
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/dict {
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+
+ /etc/dovecot/dovecot-database.conf.ext r,
+ /etc/dovecot/dovecot-dict-sql.conf.ext r,
+ /etc/nsswitch.conf r,
+ /etc/services r,
+ /usr/lib/dovecot/dict mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.dict>
+}
=== added file 'profiles/apparmor.d/usr.lib.dovecot.dovecot-lda'
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 2014-01-19 16:08:30 +0000
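Review bot: `network inet stream,` permits TCP over IPv4 only, so a dict backend reached over IPv6 (an SQL server whose hostname resolves to an AAAA record, for example) would be refused by the profile; add `network inet6 stream,` next to it unless IPv6 is deliberately excluded. The explicit `/etc/nsswitch.conf r,` and `/etc/services r,` lines duplicate part of `abstractions/nameservice`, which the auth and config profiles in this same patch include; using the abstraction here too would keep the three profiles consistent and, as far as I recall its contents, also cover `/etc/hosts` and `/etc/resolv.conf`, which a backend configured by hostname will need.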
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/dovecot-lda {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability setgid,
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/dovecot/** r,
+ /proc/*/mounts r,
+ /{var/,}run/dovecot/mounts r,
+ /usr/bin/doveconf mrix,
+ /usr/lib/dovecot/dovecot-lda mrix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.dovecot-lda>
+}
=== added file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
--- profiles/apparmor.d/usr.lib.dovecot.lmtp 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-19 16:08:30 +0000
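Review bot: The sibling lmtp profile in this patch allows `/tmp/dovecot.lmtp.* rw,` for the temporary copy of an incoming message, and if I remember the lib-lda code correctly dovecot-lda spools large messages the same way under a `dovecot.lda.` prefix in mail_temp_dir (default /tmp), so this profile is probably missing `owner /tmp/dovecot.lda.* rw,` and a delivery above the in-memory threshold would be denied; a complain-mode run with a multi-megabyte message would settle it. The `owner` qualifier matters there because /tmp is world-writable. Separately, `#include <tunables/dovecot>` refers to a tunables file that is not part of this patch, so confirm it already ships with usr.sbin.dovecot or the profile will fail to load.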
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/lmtp {
+ #include <abstractions/base>
+
+ deny capability block_suspend,
+
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/resolv.conf r,
+ /proc/*/mounts r,
+ /tmp/dovecot.lmtp.* rw,
+ /usr/lib/dovecot/lmtp mr,
+ /{var/,}run/dovecot/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.lmtp>
+}
=== added file 'profiles/apparmor.d/usr.lib.dovecot.log'
--- profiles/apparmor.d/usr.lib.dovecot.log 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.log 2014-01-19 16:08:30 +0000
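Review bot: `/tmp/dovecot.lmtp.* rw,` has no `owner` qualifier and /tmp is world-writable, so a local user who pre-creates `/tmp/dovecot.lmtp.<anything>` can hand the lmtp process a file it will read or truncate; `owner /tmp/dovecot.lmtp.* rw,` confines the rule to files owned by the process's own uid. `/etc/resolv.conf r,` is granted without any `network` rule or `abstractions/nameservice`, so if lmtp is expected to resolve hostnames the read alone will not help, and if it is only touched by libc at start-up a comment saying so would pre-empt the question. Finally, `capability dac_override` lets the delivery process bypass DAC on every path the file rules match, which for `@{DOVECOT_MAILSTORE}/**` is the whole mail store; a comment recording why per-user delivery needs it (presumably delivering as one uid into mailboxes owned by others) would help future audits.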
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/log {
+ #include <abstractions/base>
+
+ deny capability block_suspend,
+
+ capability setgid,
+
+ /usr/lib/dovecot/log mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.log>
+}
=== added file 'profiles/apparmor.d/usr.lib.dovecot.managesieve'
--- profiles/apparmor.d/usr.lib.dovecot.managesieve 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve 2014-01-19 16:08:30 +0000
@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/managesieve {
+ #include <abstractions/base>
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/managesieve mrix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.managesieve>
+}
=== added file 'profiles/apparmor.d/usr.lib.dovecot.ssl-params'
--- profiles/apparmor.d/usr.lib.dovecot.ssl-params 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.ssl-params 2014-01-19 16:08:30 +0000
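Review bot: The log profile only covers the syslog path (presumably the `/dev/log w` rule inside `abstractions/base`); an admin who points `log_path` or `info_log_path` at a file will get write denials with nothing in this profile hinting why. A comment such as `# logging to files (log_path / info_log_path) needs matching w rules in the local include` above the site-specific include would make the intended override route obvious without widening the profile by default.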
@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/ssl-params {
+ #include <abstractions/base>
+
+ deny capability block_suspend,
+
+ capability setgid,
+
+ /usr/lib/dovecot/ssl-params mr,
+ /var/lib/dovecot/ssl-parameters.dat rw,
+ /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.ssl-params>
+}
Regards, Christian Boltz -- Naja, wer in der bekannten närrischen Zeit an jemanden in einer der Karnevalsgegenden mailt, muß damit rechnen, daß seine Mail kaum vor Freitag beantwortet wird. Vorher sind die Leute da kaum wieder nüchtern und ansprechbar. ;)) [Martin Falley in suse-linux] -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
