Hello community,
here is the log from the commit of package apparmor for openSUSE:Factory
checked in at 2014-01-05 11:31:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old)
and /work/SRC/openSUSE:Factory/.apparmor.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor"
Changes:
--------
--- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2013-11-26
14:40:16.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes 2014-01-05
11:31:06.000000000 +0100
@@ -1,0 +2,22 @@
+Sat Jan 4 12:04:25 UTC 2014 - opens...@cboltz.de
+
+- add apparmor-profiles-samba-create-dirs.diff to allow samba to
+ mkdir /var/run/samba and /var/cache/samba (bnc#856651)
+- add abstractions/samba to usr.sbin.winbindd profile
+- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile
(bnc#851131)
+
+- update dovecot profiles to support dovecot 2.x, and add profiles for
+ the parts of dovecot that were not covered yet (bnc#851984)
+ NOTE: Please adjust /etc/apparmor.d/tunables/dovecot to your needs.
+ (apparmor-profiles-dovecot-bnc851984.diff, usr.lib.dovecot.*)
+
+- %restart_on_update (in parser %postun) is "translated" to stop/start by
+ the systemd wrapper, which removes AppArmor protection from running
+ processes. Fixed by using a custom script instead (bnc#853019)
+ NOTE: The %postun from the previously installed apparmor-parser package
+ will remove AppArmor protection from running processes a last time.
+ Run aa-status to get a list of processes you need to restart, or reboot
+ your computer.
+- reload profiles in %post of the apparmor-profiles package
+
+-------------------------------------------------------------------
New:
----
apparmor-profiles-dovecot-bnc851984.diff
apparmor-profiles-samba-create-dirs.diff
tunables-dovecot
usr.lib.dovecot.anvil
usr.lib.dovecot.auth
usr.lib.dovecot.config
usr.lib.dovecot.dict
usr.lib.dovecot.dovecot-lda
usr.lib.dovecot.lmtp
usr.lib.dovecot.log
usr.lib.dovecot.managesieve
usr.lib.dovecot.ssl-params
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apparmor.spec ++++++
--- /var/tmp/diff_new_pack.QYzggX/_old 2014-01-05 11:31:08.000000000 +0100
+++ /var/tmp/diff_new_pack.QYzggX/_new 2014-01-05 11:31:08.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package apparmor
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -79,6 +79,18 @@
# profile for winbindd (bnc#748499, submitted upstream 2012-11-06, trunk r2078)
Source10: usr.sbin.winbindd
+# profiles for dovecot 2.x (bnc#851984)
+Source20: usr.lib.dovecot.anvil
+Source21: usr.lib.dovecot.auth
+Source22: usr.lib.dovecot.config
+Source23: usr.lib.dovecot.dict
+Source24: usr.lib.dovecot.dovecot-lda
+Source25: usr.lib.dovecot.lmtp
+Source26: usr.lib.dovecot.log
+Source27: usr.lib.dovecot.managesieve
+Source28: usr.lib.dovecot.ssl-params
+Source29: tunables-dovecot
+
# enable caching of profiles (= massive performance speedup when loading
profiles)
Patch1: apparmor-enable-profile-cache.diff
@@ -124,6 +136,12 @@
# abstractions/ssl_certs - add /var/lib/ca-certificates/ - bnc#852018 -
commited upstream trunk r2255, 2.8 branch r2105
Patch15: apparmor-abstractions-ssl_certs.diff
+# abstractions/samba - allow mkdir /var/run/samba and /var/cache/samba -
bnc#856651 - commited upstream trunk r2293, 2.8 branch r2106
+Patch16: apparmor-profiles-samba-create-dirs.diff
+
+# update dovecot profiles for dovecot 2.x (bnc#851984, not upstreamed yet)
+Patch17: apparmor-profiles-dovecot-bnc851984.diff
+
# create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 -
bnc#720617 #c7
Patch21: apparmor-utils-subdomain-compat
@@ -500,6 +518,8 @@
%patch13
%patch14
%patch15
+%patch16
+%patch17
# only create Immunix::SubDomain perl module for openSUSE <= 12.1
%if 0%{?suse_version}
@@ -517,6 +537,11 @@
test ! -e profiles/apparmor.d/usr.sbin.winbindd
cp %{SOURCE10} profiles/apparmor.d/
+# profiles for dovecot 2.x (bnc#851984)
+test ! -e profiles/apparmor.d/tunables/dovecot
+cp %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} %{SOURCE25}
%{SOURCE26} %{SOURCE27} %{SOURCE28} profiles/apparmor.d/
+cp %{SOURCE29} profiles/apparmor.d/tunables/dovecot
+
%build
echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} #
test if _libdir breaks it or if it's broken by default on <= 12.1
@@ -925,10 +950,31 @@
%postun parser
%if %{distro} == "suse"
- %restart_on_update boot.apparmor
+ #restart_on_update boot.apparmor - but non-broken (bnc#853019)
+ test -n "$FIRST_ARG" || FIRST_ARG=$1
+ if test "$FIRST_ARG" -ge 1 ; then
+ if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" !=
yes ; then
+ test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1
|| :
+ /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor
reload || :
+ fi
+ fi
+
%{insserv_cleanup} || true
%endif
+%post profiles
+%if %{distro} == "suse"
+ #restart_on_update boot.apparmor - but non-broken (bnc#853019)
+ # (copy&paste from parser postun script)
+ test -n "$FIRST_ARG" || FIRST_ARG=$1
+ if test "$FIRST_ARG" -ge 1 ; then
+ if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" !=
yes ; then
+ test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1
|| :
+ /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor
reload || :
+ fi
+ fi
+%endif
+
%post -n libapparmor1 -p /sbin/ldconfig
%postun -n libapparmor1 -p /sbin/ldconfig
++++++ apparmor-profiles-dovecot-bnc851984.diff ++++++
diff -u -p profiles/apparmor.d/usr.lib.dovecot.deliver ./usr.lib.dovecot.deliver
--- profiles/apparmor.d/usr.lib.dovecot.deliver 2013-12-30 22:43:37.000000000
+0100
+++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-01 19:22:33.468445136
+0100
@@ -1,6 +1,19 @@
-# Author: Dulmandakh Sukhbaatar <dulmand...@gmail.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmand...@gmail.com>
+# Copyright (C) 2009-2012 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/deliver {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,20 +21,16 @@
capability setgid,
capability setuid,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
# http://www.postfix.org/SASL_README.html#server_dovecot
/etc/dovecot/dovecot.conf r,
/etc/dovecot/{auth,conf}.d/*.conf r,
- /etc/dovecot/dovecot-postfix.conf r,
+ /etc/dovecot/dovecot-postfix.conf r, # ???
- @{HOME} r,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
- @{HOME}/mail/ rw,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
+ @{HOME} r, # ???
/usr/lib/dovecot/deliver mr,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.deliver>
diff -u -p profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
./usr.lib.dovecot.dovecot-auth
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2013-12-30
22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-01
19:18:33.183586607 +0100
@@ -1,6 +1,17 @@
-# Author: Kees Cook <k...@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/lib/dovecot/dovecot-auth {
#include <abstractions/authentication>
#include <abstractions/base>
diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap ./usr.lib.dovecot.imap
--- profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 22:43:37.000000000
+0100
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 21:59:34.990459644
+0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <k...@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/imap {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,18 +20,11 @@
capability setgid,
capability setuid,
- @{HOME} r,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
- @{HOME}/Mail/ rw,
- @{HOME}/Mail/* klrw,
- @{HOME}/Mail/.imap/** klrw,
- @{HOME}/mail/ rw,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
/usr/lib/dovecot/imap mr,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.imap>
diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap-login
./usr.lib.dovecot.imap-login
--- profiles/apparmor.d/usr.lib.dovecot.imap-login 2013-12-30
22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-01
19:21:43.299398259 +0100
@@ -1,4 +1,14 @@
-# Author: Kees Cook <k...@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/imap-login {
diff -u -p profiles/apparmor.d/usr.lib.dovecot.managesieve-login
./usr.lib.dovecot.managesieve-login
--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2013-12-30
22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-01
19:21:23.986535007 +0100
@@ -1,4 +1,15 @@
-# Author: Dulmandakh Sukhbaatar <dulmand...@gmail.com>
+# ------------------------------------------------------------------
+#
+# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmand...@gmail.com>
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/managesieve-login {
diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3 ./usr.lib.dovecot.pop3
--- profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:43:37.000000000
+0100
+++ profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:00:13.820132421
+0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <k...@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/pop3 {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,13 +20,10 @@
capability setgid,
capability setuid,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
- @{HOME} r,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
/usr/lib/dovecot/pop3 mr,
# Site-specific additions and overrides. See local/README for details.
diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3-login
./usr.lib.dovecot.pop3-login
--- profiles/apparmor.d/usr.lib.dovecot.pop3-login 2013-12-30
22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-01
19:26:54.614068901 +0100
@@ -1,6 +1,17 @@
-# Author: Kees Cook <k...@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/lib/dovecot/pop3-login {
#include <abstractions/base>
#include <abstractions/nameservice>
diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot
--- profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:43:37.000000000
+0100
+++ profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:01:14.209513153
+0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <k...@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/sbin/dovecot {
#include <abstractions/authentication>
#include <abstractions/base>
@@ -9,29 +21,42 @@
#include <abstractions/ssl_keys>
capability chown,
+ capability dac_override,
+ capability fsetid,
+ capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
- capability fsetid,
+
+
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
/etc/dovecot/** r,
/etc/mtab r,
/etc/lsb-release r,
/etc/SuSE-release r,
@{PROC}/[0-9]*/mounts r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/anvil Px,
+ /usr/lib/dovecot/auth Px,
+ /usr/lib/dovecot/config Px,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
+ /usr/lib/dovecot/log Px,
+ /usr/lib/dovecot/managesieve Px,
+ /usr/lib/dovecot/managesieve-login Pxmr,
/usr/lib/dovecot/pop3 Px,
/usr/lib/dovecot/pop3-login Pxmr,
- # temporarily commented out while testing
- #/usr/lib/dovecot/managesieve Px,
- /usr/lib/dovecot/managesieve-login Pxmr,
- /usr/lib/dovecot/ssl-build-param ixr,
- /usr/sbin/dovecot mr,
+ /usr/lib/dovecot/ssl-build-param rix,
+ /usr/lib/dovecot/ssl-params Px,
+ /usr/sbin/dovecot mrix,
/var/lib/dovecot/ w,
- /var/lib/dovecot/* krw,
+ /var/lib/dovecot/* rwkl,
+ /var/spool/postfix/private/* w,
/{,var/}run/dovecot/ rw,
/{,var/}run/dovecot/** rw,
link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
++++++ apparmor-profiles-samba-create-dirs.diff ++++++
=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba 2013-11-20 00:11:01 +0000
+++ profiles/apparmor.d/abstractions/samba 2013-12-23 12:28:06 +0000
@@ -12,9 +12,11 @@
/etc/samba/* r,
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+ /var/cache/samba/ w,
/var/lib/samba/**.tdb rwk,
/var/log/samba/cores/ rw,
/var/log/samba/cores/** rw,
/var/log/samba/log.* w,
+ /{,var/}run/samba/ w,
/{,var/}run/samba/*.tdb rw,
++++++ tunables-dovecot ++++++
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:ft=apparmor
# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
# where dovecot is allowed to store and read mails
#
# The default value is quite broad to avoid breaking existing setups.
# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory
# you use, and remove everything else.
@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/
/var/mail/ /var/spool/mail/
++++++ usr.lib.dovecot.anvil ++++++
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/anvil {
#include <abstractions/base>
capability setgid,
capability setuid,
capability sys_chroot,
/usr/lib/dovecot/anvil mr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.anvil>
}
++++++ usr.lib.dovecot.auth ++++++
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/auth {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/mysql>
#include <abstractions/nameservice>
deny capability block_suspend,
capability audit_write,
capability setgid,
capability setuid,
/etc/dovecot/dovecot-database.conf.ext r,
/etc/dovecot/dovecot-sql.conf.ext r,
/usr/lib/dovecot/auth mr,
# kerberos replay cache
/var/tmp/imap_* rw,
/var/tmp/pop_* rw,
/var/tmp/sieve_* rw,
/var/tmp/smtp_* rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.auth>
}
++++++ usr.lib.dovecot.config ++++++
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/config {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/ssl_keys>
deny capability block_suspend,
capability dac_override,
capability setgid,
/etc/dovecot/** r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/config mr,
/usr/lib/dovecot/managesieve Px,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.config>
}
++++++ usr.lib.dovecot.dict ++++++
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/dict {
#include <abstractions/base>
#include <abstractions/mysql>
capability setgid,
capability setuid,
network inet stream,
/etc/dovecot/dovecot-database.conf.ext r,
/etc/dovecot/dovecot-dict-sql.conf.ext r,
/etc/nsswitch.conf r,
/etc/services r,
/usr/lib/dovecot/dict mr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.dict>
}
++++++ usr.lib.dovecot.dovecot-lda ++++++
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
#include <tunables/dovecot>
/usr/lib/dovecot/dovecot-lda {
#include <abstractions/base>
#include <abstractions/nameservice>
capability setgid,
capability setuid,
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
/etc/dovecot/** r,
/proc/*/mounts r,
/{var/,}run/dovecot/mounts r,
/usr/bin/doveconf mrix,
/usr/lib/dovecot/dovecot-lda mrix,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.dovecot-lda>
}
++++++ usr.lib.dovecot.lmtp ++++++
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
#include <tunables/dovecot>
/usr/lib/dovecot/lmtp {
#include <abstractions/base>
capability dac_override,
capability setgid,
capability setuid,
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
/etc/resolv.conf r,
/usr/lib/dovecot/lmtp mr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.lmtp>
}
++++++ usr.lib.dovecot.log ++++++
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/log {
#include <abstractions/base>
deny capability block_suspend,
capability setgid,
/usr/lib/dovecot/log mr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.log>
}
++++++ usr.lib.dovecot.managesieve ++++++
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/managesieve {
#include <abstractions/base>
/etc/dovecot/** r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/managesieve mrix,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.managesieve>
}
++++++ usr.lib.dovecot.ssl-params ++++++
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/ssl-params {
#include <abstractions/base>
deny capability block_suspend,
capability setgid,
/usr/lib/dovecot/ssl-params mr,
/var/lib/dovecot/ssl-parameters.dat rw,
/var/lib/dovecot/ssl-parameters.dat.tmp rwk,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.ssl-params>
}
++++++ usr.sbin.winbindd ++++++
--- /var/tmp/diff_new_pack.QYzggX/_old 2014-01-05 11:31:08.000000000 +0100
+++ /var/tmp/diff_new_pack.QYzggX/_new 2014-01-05 11:31:08.000000000 +0100
@@ -3,9 +3,13 @@
/usr/sbin/winbindd {
#include <abstractions/base>
#include <abstractions/nameservice>
+ #include <abstractions/samba>
deny capability block_suspend,
+ capability ipc_lock,
+ capability setuid,
+
/etc/samba/dhcp.conf r,
/etc/samba/passdb.tdb rwk,
/etc/samba/secrets.tdb rwk,
@@ -20,10 +24,9 @@
/var/cache/samba/*.tdb rwk,
/var/cache/samba/netsamlogon_cache.tdb rw,
- /var/lib/samba/smb_krb5/krb5.conf.* w,
+ /var/lib/samba/smb_krb5/krb5.conf.* rw,
/var/lib/samba/smb_tmp_krb5.* rw,
/var/lib/samba/**.tdb rwk,
- /var/log/samba/log.winbindd-dc-connect a,
/var/lib/samba/winbindd_cache.tdb* rwk,
/var/lib/samba/winbindd_privileged/pipe w,
@@ -33,6 +36,7 @@
/var/log/samba/log.wb-* w,
/var/log/samba/log.winbindd rw,
/var/log/samba/log.winbindd-idmap w,
+ /var/log/samba/log.winbindd-dc-connect a,
/{var/,}run/samba/winbindd.pid rwk,
/{var/,}run/samba/winbindd/ rw,
/{var/,}run/samba/winbindd/pipe w,
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
