List: apparmor-dev
Subject: [apparmor] [patch] dovecot profiles - use abstractions/nameservice
From: Christian Boltz <apparmor () cboltz ! de>
Date: 2014-01-26 23:07:05
Message-ID: 1545124.LbeEXnKThL () tux ! boltz ! de ! vu
Hello,
after testing the dovecot profiles on a new server, I noticed
/usr/lib/dovecot/dict and /usr/lib/dovecot/lmtp need more nameservice-
related permissions.
Therefore I propose to include abstractions/nameservice instead of
adding more and more files.
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.dict'
--- profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-26 21:46:51
+++ profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-26 22:36:59
@@ -14,6 +14,7 @@
/usr/lib/dovecot/dict {
#include <abstractions/base>
#include <abstractions/mysql>
+ #include <abstractions/nameservice>
capability setgid,
capability setuid,
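Review bot: the `#include <abstractions/nameservice>` added after `abstractions/mysql` grants more than the two file rules it replaces (`/etc/nsswitch.conf r` and `/etc/services r`, removed in the next hunk), and the message only says dict needs "more nameservice-related permissions" without naming them. Please list the denied accesses seen on the new server in the commit message, so the wider grant for a profile that also holds `capability setgid` and `capability setuid` can be checked against an actual need.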
@@ -22,8 +23,6 @@
/etc/dovecot/dovecot-database.conf.ext r,
/etc/dovecot/dovecot-dict-sql.conf.ext r,
- /etc/nsswitch.conf r,
- /etc/services r,
/usr/lib/dovecot/dict mr,
# Site-specific additions and overrides. See local/README for details.
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
--- profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-26 21:46:51
+++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-26 22:37:10
@@ -14,6 +14,7 @@
/usr/lib/dovecot/lmtp {
#include <abstractions/base>
+ #include <abstractions/nameservice>
deny capability block_suspend,
\
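Review bot: for lmtp the new include replaces a single rule, `/etc/resolv.conf r` (removed in the next hunk), so the widening is larger here than in the dict profile, and this profile has `rwkl` on `@{DOVECOT_MAILSTORE}/**`. The message does not say which lookups lmtp was denied. A short comment above the include, or the denial lines in the commit message, would record why the whole abstraction is needed rather than one or two more file rules.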
@@ -24,7 +25,6 @@
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
- /etc/resolv.conf r,
/proc/*/mounts r,
/tmp/dovecot.lmtp.* rw,
/usr/lib/dovecot/lmtp mr,
Regards,
Christian Boltz
--
No, no, no, it's not that simple. No, no, no. ;) You may well call out
EOT now and then, but not when the discussion is just picking up speed!
Then everyone will only think there must be an EOT wimp at the other
end. ;)) [Lars Müller in opensuse-de]