On Thu, Sep 25, 2014 at 11:07:21PM +0200, Christian Boltz wrote:
> Hello,
>
> Darix reported that the dovecot profiles need some additions:
> - usr.lib.dovecot.auth needs /{var/,}run/dovecot/auth-token-secret.dat{,.tmp}
> rw,
> - usr.lib.dovecot.imap requests block_suspend, which I propose to deny as
> usual
> Acked-by: Seth Arnold <[email protected]> Thanks > > Raw log lines from Darix: > > type=AVC msg=audit(1411677636.812:309): apparmor="DENIED" operation="capable" > parent=3419 profile="/usr/lib/dovecot/imap" pid=3432 comm="imap" pid=3432 > comm="imap" capability=36 capname="block_suspend" > > type=AVC msg=audit(1411677633.572:306): apparmor="DENIED" operation="mknod" > parent=3419 profile="/usr/lib/dovecot/auth" > name="/var/run/dovecot/auth-token-secret.dat.tmp" pid=3429 comm="auth" > requested_mask="c" denied_mask="c" fsuid=0 ouid=0 > > type=AVC msg=audit(1411677633.572:305): apparmor="DENIED" operation="open" > parent=3419 profile="/usr/lib/dovecot/auth" > name="/var/run/dovecot/auth-token-secret.dat" pid=3429 comm="auth" > requested_mask="r" denied_mask="r" fsuid=0 ouid=0 > > > === modified file 'profiles/apparmor.d/usr.lib.dovecot.auth' > --- profiles/apparmor.d/usr.lib.dovecot.auth 2014-08-11 21:16:22 +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.auth 2014-09-25 20:47:19 +0000 > @@ -36,6 +36,8 @@ > /var/tmp/sieve_* rw, > /var/tmp/smtp_* rw, > > + /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw, > + > # Site-specific additions and overrides. See local/README for details. > #include <local/usr.lib.dovecot.auth> > } > > === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap' > --- profiles/apparmor.d/usr.lib.dovecot.imap 2014-06-27 19:14:53 +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-09-25 20:45:09 +0000 > @@ -19,6 +19,7 @@ > #include <abstractions/dovecot-common> > > capability setuid, > + deny capability block_suspend, > > @{DOVECOT_MAILSTORE}/ rw, > @{DOVECOT_MAILSTORE}/** rwkl, > > > > > Regards, > > Christian Boltz > -- > You took a sledge hammer to a meeting with the school principle and > found him carring a 9mm. :^) [Patrick Shanahan in opensuse-factory] > > > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor >
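Review bot: In the usr.lib.dovecot.auth hunk, the added rule grants rw on both auth-token-secret.dat and auth-token-secret.dat.tmp, while the quoted denials only show requested_mask="r" on the .dat file and requested_mask="c" on the .dat.tmp file. If write access on the .dat path is needed because the temporary file replaces it afterwards, say so in a comment above the rule or in the commit message; otherwise consider splitting the rule so the .dat path gets r and the .tmp path gets rw. The file name suggests secret material, so the narrower grant is worth the extra line.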
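Review bot: In the usr.lib.dovecot.imap hunk, "deny capability block_suspend," is added without a comment. An explicit deny takes precedence over any allow rule and also keeps the denial out of the audit log by default, so a one-line comment stating that imap requests the capability and that it is denied on purpose would help anyone debugging this profile later. The single quoted AVC line (capname="block_suspend", comm="imap") shows the request, but nothing in the thread shows imap running with the deny in place, which would be worth confirming.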
