Hello community, here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2014-01-05 11:31:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apparmor (Old) and /work/SRC/openSUSE:Factory/.apparmor.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2013-11-26 14:40:16.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes 2014-01-05 11:31:06.000000000 +0100 
@@ -1,0 +2,22 @@ +Sat Jan 4 12:04:25 UTC 2014 - opens...@cboltz.de + +- add apparmor-profiles-samba-create-dirs.diff to allow samba to + mkdir /var/run/samba and /var/cache/samba (bnc#856651) +- add abstractions/samba to usr.sbin.winbindd profile +- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile (bnc#851131) + +- update dovecot profiles to support dovecot 2.x, and add profiles for + the parts of dovecot that were not covered yet (bnc#851984) + NOTE: Please adjust /etc/apparmor.d/tunables/dovecot to your needs. + (apparmor-profiles-dovecot-bnc851984.diff, usr.lib.dovecot.*) + +- %restart_on_update (in parser %postun) is "translated" to stop/start by + the systemd wrapper, which removes AppArmor protection from running + processes. Fixed by using a custom script instead (bnc#853019) + NOTE: The %postun from the previously installed apparmor-parser package + will remove AppArmor protection from running processes a last time. + Run aa-status to get a list of processes you need to restart, or reboot + your computer. +- reload profiles in %post of the apparmor-profiles package + +------------------------------------------------------------------- New: ---- apparmor-profiles-dovecot-bnc851984.diff apparmor-profiles-samba-create-dirs.diff tunables-dovecot usr.lib.dovecot.anvil usr.lib.dovecot.auth usr.lib.dovecot.config usr.lib.dovecot.dict usr.lib.dovecot.dovecot-lda usr.lib.dovecot.lmtp usr.lib.dovecot.log usr.lib.dovecot.managesieve usr.lib.dovecot.ssl-params ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.QYzggX/_old 2014-01-05 11:31:08.000000000 +0100 +++ /var/tmp/diff_new_pack.QYzggX/_new 2014-01-05 11:31:08.000000000 +0100 
@@ -1,7 +1,7 @@ # # spec file for package apparmor # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -79,6 +79,18 @@ # profile for winbindd (bnc#748499, submitted upstream 2012-11-06, trunk r2078) Source10: usr.sbin.winbindd +# profiles for dovecot 2.x (bnc#851984) +Source20: usr.lib.dovecot.anvil +Source21: usr.lib.dovecot.auth +Source22: usr.lib.dovecot.config +Source23: usr.lib.dovecot.dict +Source24: usr.lib.dovecot.dovecot-lda +Source25: usr.lib.dovecot.lmtp +Source26: usr.lib.dovecot.log +Source27: usr.lib.dovecot.managesieve +Source28: usr.lib.dovecot.ssl-params +Source29: tunables-dovecot + # enable caching of profiles (= massive performance speedup when loading profiles) Patch1: apparmor-enable-profile-cache.diff @@ -124,6 +136,12 @@ # abstractions/ssl_certs - add /var/lib/ca-certificates/ - bnc#852018 - commited upstream trunk r2255, 2.8 branch r2105 Patch15: apparmor-abstractions-ssl_certs.diff +# abstractions/samba - allow mkdir /var/run/samba and /var/cache/samba - bnc#856651 - commited upstream trunk r2293, 2.8 branch r2106 +Patch16: apparmor-profiles-samba-create-dirs.diff + +# update dovecot profiles for dovecot 2.x (bnc#851984, not upstreamed yet) +Patch17: apparmor-profiles-dovecot-bnc851984.diff + # create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 - bnc#720617 #c7 Patch21: apparmor-utils-subdomain-compat @@ -500,6 +518,8 @@ %patch13 %patch14 %patch15 +%patch16 +%patch17 # only create Immunix::SubDomain perl module for openSUSE <= 12.1 %if 0%{?suse_version} 
@@ -517,6 +537,11 @@ test ! -e profiles/apparmor.d/usr.sbin.winbindd cp %{SOURCE10} profiles/apparmor.d/ +# profiles for dovecot 2.x (bnc#851984) +test ! -e profiles/apparmor.d/tunables/dovecot +cp %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27} %{SOURCE28} profiles/apparmor.d/ +cp %{SOURCE29} profiles/apparmor.d/tunables/dovecot + %build echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1 @@ -925,10 +950,31 @@ %postun parser %if %{distro} == "suse" - %restart_on_update boot.apparmor + #restart_on_update boot.apparmor - but non-broken (bnc#853019) + test -n "$FIRST_ARG" || FIRST_ARG=$1 + if test "$FIRST_ARG" -ge 1 ; then + if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then + test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || : + /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || : + fi + fi + %{insserv_cleanup} || true %endif +%post profiles +%if %{distro} == "suse" + #restart_on_update boot.apparmor - but non-broken (bnc#853019) + # (copy&paste from parser postun script) + test -n "$FIRST_ARG" || FIRST_ARG=$1 + if test "$FIRST_ARG" -ge 1 ; then + if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then + test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || : + /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || : + fi + fi +%endif + %post -n libapparmor1 -p /sbin/ldconfig %postun -n libapparmor1 -p /sbin/ldconfig ++++++ apparmor-profiles-dovecot-bnc851984.diff ++++++ diff -u -p profiles/apparmor.d/usr.lib.dovecot.deliver ./usr.lib.dovecot.deliver --- profiles/apparmor.d/usr.lib.dovecot.deliver 2013-12-30 22:43:37.000000000 +0100 +++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-01 19:22:33.468445136 +0100 
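Review bot: The guard `test ! -e profiles/apparmor.d/tunables/dovecot` protects only the tunable, while the nine `usr.lib.dovecot.*` profiles copied by the next `cp` line get no check — unlike the winbindd pattern just above, which runs `test ! -e profiles/apparmor.d/usr.sbin.winbindd` before `cp %{SOURCE10}`. If a later upstream tarball ships its own dovecot 2.x profiles, that `cp` silently overwrites them and the build no longer notices the divergence. One loop before the copy keeps the fail-early behaviour: `for f in anvil auth config dict dovecot-lda lmtp log managesieve ssl-params; do test ! -e profiles/apparmor.d/usr.lib.dovecot.$f; done`.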
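Review bot: The reload block in `%postun parser` is duplicated verbatim in `%post profiles` (the comment itself says copy&paste), so the two copies will drift the next time one of them is fixed; a spec-level macro holding the block once and expanded from both scriptlets avoids that. In `%post profiles`, `$1` is 1 on install and 2 on upgrade, so `test "$FIRST_ARG" -ge 1` is always true there — harmless, but the guard only carries meaning in `%postun`, where `$1` is 0 on erase. Both blocks end every command with `|| :`, so a failed `/etc/init.d/boot.apparmor reload` — or a system where the init script is absent and `status` simply fails — leaves whatever policy was loaded in place without any message; since not dropping protection is the whole point of bnc#853019, either a comment stating that silence is intended or an `echo "apparmor: profile reload failed" >&2` on the failure path seems warranted.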
@@ -1,6 +1,19 @@ -# Author: Dulmandakh Sukhbaatar <dulmand...@gmail.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmand...@gmail.com> +# Copyright (C) 2009-2012 Canonical Ltd. +# Copyright (C) 2011-2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> +#include <tunables/dovecot> + /usr/lib/dovecot/deliver { #include <abstractions/base> #include <abstractions/nameservice> @@ -8,20 +21,16 @@ capability setgid, capability setuid, + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, + # http://www.postfix.org/SASL_README.html#server_dovecot /etc/dovecot/dovecot.conf r, /etc/dovecot/{auth,conf}.d/*.conf r, - /etc/dovecot/dovecot-postfix.conf r, + /etc/dovecot/dovecot-postfix.conf r, # ??? - @{HOME} r, - @{HOME}/Maildir/ rw, - @{HOME}/Maildir/** klrw, - @{HOME}/mail/ rw, - @{HOME}/mail/* klrw, - @{HOME}/mail/.imap/** klrw, + @{HOME} r, # ??? /usr/lib/dovecot/deliver mr, - /var/mail/* klrw, - /var/spool/mail/* klrw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.deliver> diff -u -p profiles/apparmor.d/usr.lib.dovecot.dovecot-auth ./usr.lib.dovecot.dovecot-auth --- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2013-12-30 22:43:37.000000000 +0100 +++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-01 19:18:33.183586607 +0100 
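Review bot: The new side of the second hunk ships two rules annotated with `# ???` — `/etc/dovecot/dovecot-postfix.conf r, # ???` and `@{HOME} r, # ???` — so the author's own uncertainty about whether they are still needed now lands in the installed profile. `@{HOME} r,` grants read on every user's home directory itself to a delivery agent that, via `@{DOVECOT_MAILSTORE}`, already reaches the mailboxes; either confirm the denial it was added for and replace the marker with a why-comment such as `# needed for <reason>, see bnc#851984`, or drop the rule. The same `# ???` markers recur in the imap and pop3 hunks of this patch. Removing the explicit `/var/mail/* klrw` and `/var/spool/mail/* klrw` rules also makes spool access depend entirely on the tunable's default value, which is worth a one-line comment here so an admin who narrows `@{DOVECOT_MAILSTORE}` knows the spool is no longer covered separately.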
@@ -1,6 +1,17 @@ -# Author: Kees Cook <k...@ubuntu.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2013 Canonical Ltd. +# Copyright (C) 2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> + /usr/lib/dovecot/dovecot-auth { #include <abstractions/authentication> #include <abstractions/base> diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap ./usr.lib.dovecot.imap --- profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 22:43:37.000000000 +0100 +++ profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 21:59:34.990459644 +0100 @@ -1,6 +1,18 @@ -# Author: Kees Cook <k...@ubuntu.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2010 Canonical Ltd. +# Copyright (C) 2011-2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> +#include <tunables/dovecot> + /usr/lib/dovecot/imap { #include <abstractions/base> #include <abstractions/nameservice> 
@@ -8,18 +20,11 @@ capability setgid, capability setuid, - @{HOME} r, - @{HOME}/Maildir/ rw, - @{HOME}/Maildir/** klrw, - @{HOME}/Mail/ rw, - @{HOME}/Mail/* klrw, - @{HOME}/Mail/.imap/** klrw, - @{HOME}/mail/ rw, - @{HOME}/mail/* klrw, - @{HOME}/mail/.imap/** klrw, + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, + + @{HOME} r, # ??? /usr/lib/dovecot/imap mr, - /var/mail/* klrw, - /var/spool/mail/* klrw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.imap> diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap-login ./usr.lib.dovecot.imap-login --- profiles/apparmor.d/usr.lib.dovecot.imap-login 2013-12-30 22:43:37.000000000 +0100 +++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-01 19:21:43.299398259 +0100 @@ -1,4 +1,14 @@ -# Author: Kees Cook <k...@ubuntu.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> /usr/lib/dovecot/imap-login { diff -u -p profiles/apparmor.d/usr.lib.dovecot.managesieve-login ./usr.lib.dovecot.managesieve-login --- profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2013-12-30 22:43:37.000000000 +0100 +++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-01 19:21:23.986535007 +0100 
@@ -1,4 +1,15 @@ -# Author: Dulmandakh Sukhbaatar <dulmand...@gmail.com> +# ------------------------------------------------------------------ +# +# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmand...@gmail.com> +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> /usr/lib/dovecot/managesieve-login { diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3 ./usr.lib.dovecot.pop3 --- profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:43:37.000000000 +0100 +++ profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:00:13.820132421 +0100 @@ -1,6 +1,18 @@ -# Author: Kees Cook <k...@ubuntu.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2010 Canonical Ltd. +# Copyright (C) 2011-2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> +#include <tunables/dovecot> + /usr/lib/dovecot/pop3 { #include <abstractions/base> #include <abstractions/nameservice> 
@@ -8,13 +20,10 @@ capability setgid, capability setuid, - /var/mail/* klrw, - /var/spool/mail/* klrw, - @{HOME} r, - @{HOME}/mail/* klrw, - @{HOME}/mail/.imap/** klrw, - @{HOME}/Maildir/ rw, - @{HOME}/Maildir/** klrw, + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, + + @{HOME} r, # ??? /usr/lib/dovecot/pop3 mr, # Site-specific additions and overrides. See local/README for details. diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3-login ./usr.lib.dovecot.pop3-login --- profiles/apparmor.d/usr.lib.dovecot.pop3-login 2013-12-30 22:43:37.000000000 +0100 +++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-01 19:26:54.614068901 +0100 @@ -1,6 +1,17 @@ -# Author: Kees Cook <k...@ubuntu.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> + /usr/lib/dovecot/pop3-login { #include <abstractions/base> #include <abstractions/nameservice> diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot --- profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:43:37.000000000 +0100 +++ profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:01:14.209513153 +0100 
@@ -1,6 +1,18 @@ -# Author: Kees Cook <k...@ubuntu.com> +# ------------------------------------------------------------------ +# +# Copyright (C) 2009-2013 Canonical Ltd. +# Copyright (C) 2011-2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor #include <tunables/global> +#include <tunables/dovecot> + /usr/sbin/dovecot { #include <abstractions/authentication> #include <abstractions/base> 
@@ -9,29 +21,42 @@ #include <abstractions/ssl_keys> capability chown, + capability dac_override, + capability fsetid, + capability kill, capability net_bind_service, capability setgid, capability setuid, capability sys_chroot, - capability fsetid, + + + + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, /etc/dovecot/** r, /etc/mtab r, /etc/lsb-release r, /etc/SuSE-release r, @{PROC}/[0-9]*/mounts r, + /usr/bin/doveconf rix, + /usr/lib/dovecot/anvil Px, + /usr/lib/dovecot/auth Px, + /usr/lib/dovecot/config Px, /usr/lib/dovecot/dovecot-auth Pxmr, /usr/lib/dovecot/imap Pxmr, /usr/lib/dovecot/imap-login Pxmr, + /usr/lib/dovecot/log Px, + /usr/lib/dovecot/managesieve Px, + /usr/lib/dovecot/managesieve-login Pxmr, /usr/lib/dovecot/pop3 Px, /usr/lib/dovecot/pop3-login Pxmr, - # temporarily commented out while testing - #/usr/lib/dovecot/managesieve Px, - /usr/lib/dovecot/managesieve-login Pxmr, - /usr/lib/dovecot/ssl-build-param ixr, - /usr/sbin/dovecot mr, + /usr/lib/dovecot/ssl-build-param rix, + /usr/lib/dovecot/ssl-params Px, + /usr/sbin/dovecot mrix, /var/lib/dovecot/ w, - /var/lib/dovecot/* krw, + /var/lib/dovecot/* rwkl, + /var/spool/postfix/private/* w, /{,var/}run/dovecot/ rw, /{,var/}run/dovecot/** rw, link /{,var/}run/dovecot/** -> /var/lib/dovecot/**, ++++++ apparmor-profiles-samba-create-dirs.diff ++++++ === modified file 'profiles/apparmor.d/abstractions/samba' --- profiles/apparmor.d/abstractions/samba 2013-11-20 00:11:01 +0000 +++ profiles/apparmor.d/abstractions/samba 2013-12-23 12:28:06 +0000 
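Review bot: `capability dac_override,` and `capability kill,` are added to the master profile without a comment naming the operation that needs them, and dac_override is the broadest grant in the file — it bypasses file-permission checks for everything the path rules allow, which after this hunk includes `@{DOVECOT_MAILSTORE}/** rwkl` across all users' mailboxes under the default tunable. The same applies to the new `/var/spool/postfix/private/* w,` and to widening `/usr/sbin/dovecot mr,` to `mrix`. A short why-comment per grant, e.g. `capability dac_override, # <denial seen while testing bnc#851984>`, lets a later reviewer tell a needed grant from a blanket one; the uncommented `capability dac_override,` in the new lmtp and config profiles would benefit from the same. Style: the hunk also adds three consecutive empty lines after `capability sys_chroot,`, which read as an editing leftover.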
@@ -12,9 +12,11 @@ /etc/samba/* r, /usr/share/samba/*.dat r, /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, + /var/cache/samba/ w, /var/lib/samba/**.tdb rwk, /var/log/samba/cores/ rw, /var/log/samba/cores/** rw, /var/log/samba/log.* w, + /{,var/}run/samba/ w, /{,var/}run/samba/*.tdb rw, ++++++ tunables-dovecot ++++++ # ------------------------------------------------------------------ # # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # vim:ft=apparmor # @{DOVECOT_MAILSTORE} is a space-separated list of all directories # where dovecot is allowed to store and read mails # # The default value is quite broad to avoid breaking existing setups. # Please change @{DOVECOT_MAILSTORE} to (only) contain the directory # you use, and remove everything else. @{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/ ++++++ usr.lib.dovecot.anvil ++++++ # ------------------------------------------------------------------ # # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # vim: ft=apparmor #include <tunables/global> /usr/lib/dovecot/anvil { #include <abstractions/base> capability setgid, capability setuid, capability sys_chroot, /usr/lib/dovecot/anvil mr, # Site-specific additions and overrides. See local/README for details. 
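Review bot: The two new directory rules `/var/cache/samba/ w,` and `/{,var/}run/samba/ w,` carry no comment, and because this is an abstraction they are inherited by every profile that includes it — the winbindd profile starts including it in this same submission. A one-line rationale next to them, `# allow creating the directories themselves (bnc#856651)`, tells the next reader why a bare directory path gets write access. No functional concern: a rule on the trailing-slash path matches only the directory itself, which is exactly what mkdir needs, and does not extend to the entries below it.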
#include <local/usr.lib.dovecot.anvil> } ++++++ usr.lib.dovecot.auth ++++++ # ------------------------------------------------------------------ # # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # vim: ft=apparmor #include <tunables/global> /usr/lib/dovecot/auth { #include <abstractions/authentication> #include <abstractions/base> #include <abstractions/mysql> #include <abstractions/nameservice> deny capability block_suspend, capability audit_write, capability setgid, capability setuid, /etc/dovecot/dovecot-database.conf.ext r, /etc/dovecot/dovecot-sql.conf.ext r, /usr/lib/dovecot/auth mr, # kerberos replay cache /var/tmp/imap_* rw, /var/tmp/pop_* rw, /var/tmp/sieve_* rw, /var/tmp/smtp_* rw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.auth> } ++++++ usr.lib.dovecot.config ++++++ # ------------------------------------------------------------------ # # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # vim: ft=apparmor #include <tunables/global> /usr/lib/dovecot/config { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/ssl_keys> deny capability block_suspend, capability dac_override, capability setgid, /etc/dovecot/** r, /usr/bin/doveconf rix, /usr/lib/dovecot/config mr, /usr/lib/dovecot/managesieve Px, # Site-specific additions and overrides. See local/README for details. 
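Review bot: In `usr.lib.dovecot.auth`, `capability audit_write,` has no why-comment (presumably needed by PAM modules emitting audit records — worth confirming), and the profile includes `abstractions/mysql` plus read on `/etc/dovecot/dovecot-sql.conf.ext`, a file that typically holds the database credentials, without saying so. A comment such as `/etc/dovecot/dovecot-sql.conf.ext r, # SQL backend config, usually contains credentials` and `capability audit_write, # <reason>` would document the sensitive grants; the kerberos replay-cache rules are the only block here that already explains itself.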
#include <local/usr.lib.dovecot.config> } ++++++ usr.lib.dovecot.dict ++++++ # ------------------------------------------------------------------ # # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # vim: ft=apparmor #include <tunables/global> /usr/lib/dovecot/dict { #include <abstractions/base> #include <abstractions/mysql> capability setgid, capability setuid, network inet stream, /etc/dovecot/dovecot-database.conf.ext r, /etc/dovecot/dovecot-dict-sql.conf.ext r, /etc/nsswitch.conf r, /etc/services r, /usr/lib/dovecot/dict mr, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.dict> } ++++++ usr.lib.dovecot.dovecot-lda ++++++ # ------------------------------------------------------------------ # # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # vim: ft=apparmor #include <tunables/global> #include <tunables/dovecot> /usr/lib/dovecot/dovecot-lda { #include <abstractions/base> #include <abstractions/nameservice> capability setgid, capability setuid, @{DOVECOT_MAILSTORE}/ rw, @{DOVECOT_MAILSTORE}/** rwkl, /etc/dovecot/** r, /proc/*/mounts r, /{var/,}run/dovecot/mounts r, /usr/bin/doveconf mrix, /usr/lib/dovecot/dovecot-lda mrix, # Site-specific additions and overrides. See local/README for details. 
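Review bot: `usr.lib.dovecot.dict` grants `network inet stream,` only, so a dict backend reached over IPv6 would be denied even though the profile includes `abstractions/mysql` and reads `dovecot-dict-sql.conf.ext`; if that restriction is not intended, `network inet6 stream,` should accompany it, and if it is intended a comment should say so. The rules `/etc/nsswitch.conf r,` and `/etc/services r,` duplicate what `abstractions/nameservice` provides in the sibling profiles; using the abstraction here too would keep the set consistent, unless the narrower grant is deliberate.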
#include <local/usr.lib.dovecot.dovecot-lda> } ++++++ usr.lib.dovecot.lmtp ++++++ # ------------------------------------------------------------------ # # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # vim: ft=apparmor #include <tunables/global> #include <tunables/dovecot> /usr/lib/dovecot/lmtp { #include <abstractions/base> capability dac_override, capability setgid, capability setuid, @{DOVECOT_MAILSTORE}/ rw, @{DOVECOT_MAILSTORE}/** rwkl, /etc/resolv.conf r, /usr/lib/dovecot/lmtp mr, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.lmtp> } ++++++ usr.lib.dovecot.log ++++++ # ------------------------------------------------------------------ # # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # vim: ft=apparmor #include <tunables/global> /usr/lib/dovecot/log { #include <abstractions/base> deny capability block_suspend, capability setgid, /usr/lib/dovecot/log mr, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.log> } ++++++ usr.lib.dovecot.managesieve ++++++ # ------------------------------------------------------------------ # # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
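Review bot: `usr.lib.dovecot.dovecot-lda` uses `/proc/*/mounts r,` where the master profile in this submission uses `@{PROC}/[0-9]*/mounts r,`; `*` does not cross `/`, so the lda form also matches `/proc/self/mounts`, which may be what was actually hit, but the `@{PROC}` tunable form is the convention and the two should agree. Likewise `/usr/bin/doveconf mrix,` here versus `/usr/bin/doveconf rix,` in the master and config profiles, and `/{var/,}run/dovecot/mounts r,` versus the master's `/{,var/}run/...` spelling — pick one form per rule so later diffs between the profiles stay meaningful.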
# # ------------------------------------------------------------------ # vim: ft=apparmor #include <tunables/global> /usr/lib/dovecot/managesieve { #include <abstractions/base> /etc/dovecot/** r, /usr/bin/doveconf rix, /usr/lib/dovecot/managesieve mrix, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.managesieve> } ++++++ usr.lib.dovecot.ssl-params ++++++ # ------------------------------------------------------------------ # # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # vim: ft=apparmor #include <tunables/global> /usr/lib/dovecot/ssl-params { #include <abstractions/base> deny capability block_suspend, capability setgid, /usr/lib/dovecot/ssl-params mr, /var/lib/dovecot/ssl-parameters.dat rw, /var/lib/dovecot/ssl-parameters.dat.tmp rwk, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.ssl-params> } ++++++ usr.sbin.winbindd ++++++ --- /var/tmp/diff_new_pack.QYzggX/_old 2014-01-05 11:31:08.000000000 +0100 +++ /var/tmp/diff_new_pack.QYzggX/_new 2014-01-05 11:31:08.000000000 +0100 @@ -3,9 +3,13 @@ /usr/sbin/winbindd { #include <abstractions/base> #include <abstractions/nameservice> + #include <abstractions/samba> deny capability block_suspend, + capability ipc_lock, + capability setuid, + /etc/samba/dhcp.conf r, /etc/samba/passdb.tdb rwk, /etc/samba/secrets.tdb rwk, 
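Review bot: `capability setuid,` and `capability ipc_lock,` are added to `usr.sbin.winbindd` with no comment, and the new `#include <abstractions/samba>` now also pulls in the abstraction's directory write rules; tying each grant to its report, `capability setuid, # bnc#851131` and the same for ipc_lock, lets the capability be re-evaluated later instead of accumulating silently. The `/usr/sbin/winbindd {` block continues past this hunk.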
@@ -20,10 +24,9 @@
 /var/cache/samba/*.tdb rwk,
 /var/cache/samba/netsamlogon_cache.tdb rw,
- /var/lib/samba/smb_krb5/krb5.conf.* w,
+ /var/lib/samba/smb_krb5/krb5.conf.* rw,
 /var/lib/samba/smb_tmp_krb5.* rw,
 /var/lib/samba/**.tdb rwk,
- /var/log/samba/log.winbindd-dc-connect a,
 /var/lib/samba/winbindd_cache.tdb* rwk,
 /var/lib/samba/winbindd_privileged/pipe w,
@@ -33,6 +36,7 @@
 /var/log/samba/log.wb-* w,
 /var/log/samba/log.winbindd rw,
 /var/log/samba/log.winbindd-idmap w,
+ /var/log/samba/log.winbindd-dc-connect a,
 /{var/,}run/samba/winbindd.pid rwk,
 /{var/,}run/samba/winbindd/ rw,
 /{var/,}run/samba/winbindd/pipe w,
-- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org