Hello,

the usr.sbin.dovecot profile needs several updates for dovecot 2.x, including
- capability dac_override and kill
- Px for various binaries in /usr/lib/dovecot/

The patch also adds a nice copyright header (I hope I got the bzr log right ;-) === modified file 'profiles/apparmor.d/usr.sbin.dovecot' --- profiles/apparmor.d/usr.sbin.dovecot 2013-01-02 23:34:38 +0000 +++ profiles/apparmor.d/usr.sbin.dovecot 2014-01-19 17:00:31 +0000 @@ -1,6 +1,17 @@ -# Author: Kees Cook <[email protected]> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2013 Canonical Ltd. +# Copyright (C) 2011-2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> + /usr/sbin/dovecot { #include <abstractions/authentication> #include <abstractions/base> 
@@ -9,29 +20,36 @@ #include <abstractions/ssl_keys> capability chown, + capability dac_override, + capability fsetid, + capability kill, capability net_bind_service, capability setgid, capability setuid, capability sys_chroot, - capability fsetid, /etc/dovecot/** r, /etc/mtab r, /etc/lsb-release r, /etc/SuSE-release r, @{PROC}/@{pid}/mounts r, + /usr/bin/doveconf rix, + /usr/lib/dovecot/anvil Px, + /usr/lib/dovecot/auth Px, + /usr/lib/dovecot/config Px, /usr/lib/dovecot/dovecot-auth Pxmr, /usr/lib/dovecot/imap Pxmr, /usr/lib/dovecot/imap-login Pxmr, + /usr/lib/dovecot/log Px, + /usr/lib/dovecot/managesieve Px, + /usr/lib/dovecot/managesieve-login Pxmr, /usr/lib/dovecot/pop3 Px, /usr/lib/dovecot/pop3-login Pxmr, - # temporarily commented out while testing - #/usr/lib/dovecot/managesieve Px, - /usr/lib/dovecot/managesieve-login Pxmr, - /usr/lib/dovecot/ssl-build-param ixr, - /usr/sbin/dovecot mr, + /usr/lib/dovecot/ssl-build-param rix, + /usr/lib/dovecot/ssl-params Px, + /usr/sbin/dovecot mrix, /var/lib/dovecot/ w, - /var/lib/dovecot/* krw, + /var/lib/dovecot/* rwkl, /{,var/}run/dovecot/ rw, /{,var/}run/dovecot/** rw, link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,

Regards,

Christian Boltz
--
[Installing Linux] Yes, but how was it then - the morning after the installation? This much can be said: Fell asleep exhausted but reassured. Woke up the next morning, switched on the computer - wept. No, not from disappointment - from happiness! [Bernd Graff on www.sueddeutsche.de]
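
Review bot: In the first hunk (@@ -1,6 +1,17 @@) the `# Author: Kees Cook` line is deleted outright rather than kept below the new copyright block, so the original author credit disappears from the file. Suggest keeping that line under the header, or saying in the commit message why it was dropped. The year ranges also end at 2013 while the new-file timestamp in the diff header is 2014-01-19; worth checking whether the ranges should be extended.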
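
Review bot: In the second hunk (@@ -9,29 +20,36 @@) six new `Px` rules are added (anvil, auth, config, log, managesieve, ssl-params), but this patch only touches usr.sbin.dovecot. `Px` transitions to a separate profile for the target and the exec is denied when no such profile is loaded, so each of these binaries needs a matching profile; please confirm those profiles exist or include them with this change. Separately, `capability dac_override` lets the process bypass file permission checks and is added without a comment; a one-line comment naming the operation that needs it would help later reviewers decide whether it can be dropped again.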
