On Fri, Aug 18, 2017 at 12:10:28AM +0200, Christian Boltz wrote: > Hello, > > $subject. > - change abstractions/postfix-common to allow /etc/postfix/*.db k > - add several permissions to postfix/error, postfix/lmtp and postfix/pipe > - remove superfluous abstractions/kerberosclient from all postfix > profiles - it's included via abstractions/nameservice > > I propose this patch for 2.9..trunk.
Acked-by: Seth Arnold <[email protected]> Acked for everything Thanks > > Note: the postfix/master, postfix/smtpd and postfix/smtp profiles also > need updates, but I don't have them ready yet. > > > > [ postfix-profiles.diff ] >
> === modified file 'profiles/apparmor.d/abstractions/postfix-common'
> --- profiles/apparmor.d/abstractions/postfix-common 2015-04-16 06:32:50 > +0000
> +++ profiles/apparmor.d/abstractions/postfix-common 2017-08-17 21:28:18 > +0000
> @@ -22,7 +22,7 @@
>
> /etc/mailname r,
> /etc/postfix/*.cf r,
> - /etc/postfix/*.db r,
> + /etc/postfix/*.db rk,
> @{PROC}/net/if_inet6 r,
> /usr/lib/postfix/*.so mr,
> /usr/lib{,32,64}/sasl2/* mr,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.anvil'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.anvil 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.anvil 2017-08-17 > 21:37:53 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/anvil {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> capability setgid,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.bounce'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.bounce 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.bounce 2017-08-17 > 21:37:58 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/bounce {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> capability setgid,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup 2017-08-17 > 21:38:21 +0000
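Review bot: In abstractions/postfix-common the new `/etc/postfix/*.db rk,` rule has no comment recording why lock access is needed. The profiles patched below all include this abstraction, so the grant reaches every one of them. A one-line comment above the rule, for example `# postfix takes a lock on lookup tables when it opens them`, would keep the reason next to the permission; that wording is an assumption and should be checked against the denial that prompted the change. The abstraction itself continues outside the hunk.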
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/cleanup {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> capability net_bind_service,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.error'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.error 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.error 2017-08-17 > 21:37:02 +0000
> @@ -1,6 +1,7 @@
> # ------------------------------------------------------------------
> #
> # Copyright (C) 2002-2006 Novell/SUSE
> +# Copyright (C) 2017 Christian Boltz
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of version 2 of the GNU General Public
> @@ -13,8 +14,13 @@
> /usr/lib/postfix/error {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> - /usr/lib/postfix/error rmix,
> + @{PROC}/sys/kernel/ngroups_max r,
> + /usr/lib/postfix/error mrix,
> + owner /var/spool/postfix/active/* rwk,
> + /var/spool/postfix/pid/unix.error rwk,
> + /var/spool/postfix/pid/unix.retry rwk,
> + owner /var/spool/postfix/private/defer w,
> +
> }
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.flush'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.flush 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.flush 2017-08-17 > 21:38:30 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/flush {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> capability setgid,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp 2017-08-17 > 21:37:41 +0000
> @@ -1,6 +1,7 @@
> # ------------------------------------------------------------------
> #
> # Copyright (C) 2002-2006 Novell/SUSE
> +# Copyright (C) 2017 Christian Boltz
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of version 2 of the GNU General Public
> @@ -13,8 +14,10 @@
> /usr/lib/postfix/lmtp {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> - /usr/lib/postfix/lmtp rmix,
> + /usr/lib/postfix/lmtp mrix,
> + /var/spool/postfix/active/* rwk,
> + /var/spool/postfix/pid/unix.lmtp rwk,
> +
> }
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.local'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.local 2016-12-07 > 19:00:06 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.local 2017-08-17 > 21:38:39 +0000
> @@ -14,7 +14,6 @@
> #include <abstractions/base>
> #include <abstractions/bash>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/user-mail>
> #include <abstractions/postfix-common>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.master'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.master 2015-06-25 > 11:16:49 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.master 2017-08-17 > 21:38:42 +0000
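Review bot: In usr.lib.postfix.lmtp the rule `/var/spool/postfix/active/* rwk,` is granted without the `owner` qualifier, while the error profile earlier in this patch writes the same path as `owner /var/spool/postfix/active/* rwk,`. The pipe hunk further down repeats the unqualified form for `active/*` and also has `/var/spool/postfix/private/defer w,` where the error profile uses `owner`. If the queue files belong to the user these daemons run as, which the error rule suggests, the narrower `owner /var/spool/postfix/active/* rwk,` should work in lmtp and pipe as well. If the difference is deliberate, a comment next to the rule saying why would save the next reader the same question.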
> @@ -12,7 +12,6 @@
>
> /usr/lib/postfix/master {
> #include <abstractions/base>
> - #include <abstractions/kerberosclient>
> #include <abstractions/nameservice>
> #include <abstractions/postfix-common>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr 2017-08-17 > 21:38:44 +0000
> @@ -12,7 +12,6 @@
>
> /usr/lib/postfix/nqmgr {
> #include <abstractions/base>
> - #include <abstractions/kerberosclient>
> #include <abstractions/nameservice>
> #include <abstractions/postfix-common>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.pickup'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.pickup 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.pickup 2017-08-17 > 21:38:49 +0000
> @@ -12,7 +12,6 @@
>
> /usr/lib/postfix/pickup {
> #include <abstractions/base>
> - #include <abstractions/kerberosclient>
> #include <abstractions/nameservice>
> #include <abstractions/postfix-common>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.pipe'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.pipe 2010-12-20 > 20:29:10 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.pipe 2017-08-17 > 22:00:16 +0000
> @@ -1,6 +1,7 @@
> # ------------------------------------------------------------------
> #
> # Copyright (C) 2006 Novell/SUSE
> +# Copyright (C) 2017 Christian Boltz
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of version 2 of the GNU General Public
> @@ -12,6 +13,14 @@
>
> /usr/lib/postfix/pipe {
> #include <abstractions/base>
> + #include <abstractions/nameservice>
> + #include <abstractions/postfix-common>
>
> - /usr/lib/postfix/pipe rmix,
> + /usr/lib/postfix/pipe mrix,
> + /var/spool/postfix/active/* rwk,
> + /var/spool/postfix/private/bounce w,
> + /var/spool/postfix/private/defer w,
> + /var/spool/postfix/private/rewrite w,
> + /var/spool/postfix/private/trace w,
> +
> }
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr 2017-08-17 > 21:38:57 +0000
> @@ -12,7 +12,6 @@
>
> /usr/lib/postfix/qmgr {
> #include <abstractions/base>
> - #include <abstractions/kerberosclient>
> #include <abstractions/nameservice>
> #include <abstractions/postfix-common>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd 2017-08-17 > 21:38:59 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/qmqpd {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> /usr/lib/postfix/qmqpd rmix,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.showq'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.showq 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.showq 2017-08-17 > 21:39:03 +0000
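Review bot: The usr.lib.postfix.pipe profile, whose whole body is visible in this hunk, still has no execute rule for the external commands that pipe(8) hands mail to, and no capability lines. Unless one of the included abstractions supplies them, delivery would presumably be denied once the profile is enforced, and the quick fix on a live system tends to be an over-broad exec rule. Because the delivery commands are site-specific, a comment inside the profile such as `# add narrow exec rules for the delivery commands configured in master.cf` would point administrators at the least-privilege fix.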
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/showq {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> /usr/lib/postfix/showq rmix,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.smtp'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.smtp 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.smtp 2017-08-17 > 21:39:06 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/smtp {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
> #include <abstractions/openssl>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd 2017-08-17 > 21:39:08 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/smtpd {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
> #include <abstractions/openssl>
>
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.spawn'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.spawn 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.spawn 2017-08-17 > 21:39:10 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/spawn {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> /usr/lib/postfix/spawn rmix,
>
> === modified file > 'profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite > 2014-06-27 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite > 2017-08-17 21:39:17 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/trivial-rewrite {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> /usr/lib/postfix/trivial-rewrite rmix,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.verify'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.verify 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.verify 2017-08-17 > 21:39:22 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/verify {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> /usr/lib/postfix/verify rmix,
>
> === modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.virtual'
> --- profiles/apparmor/profiles/extras/usr.lib.postfix.virtual 2014-06-27 > 04:32:56 +0000
> +++ profiles/apparmor/profiles/extras/usr.lib.postfix.virtual 2017-08-17 > 21:39:24 +0000
> @@ -13,7 +13,6 @@
> /usr/lib/postfix/virtual {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> - #include <abstractions/kerberosclient>
> #include <abstractions/postfix-common>
>
> capability setgid,
> > > > > Regards, > > Christian Boltz > -- > Why don't you go troll the *buntu fora for a while? > [David Haller in opensuse-factory] Well trolled :)
