List: apparmor-dev
Subject: Re: [apparmor] [patch] update and cleanup usr.sbin.dovecot profile
From: John Johansen <john.johansen () canonical ! com>
Date: 2014-12-22 13:31:42
Message-ID: 54981D3E.4040908 () canonical ! com
On 12/03/2014 01:44 PM, Christian Boltz wrote:
> Hello,
>
> this patch adds #include <abstractions/dovecot-common> to the
> usr.sbin.dovecot profile. Effectively this adds "deny capability
> block_suspend," which is the only missing part from
> https://bugs.launchpad.net/apparmor/+bug/1296667/
>
> It also removes "capability setgid," (covered by
> abstractions/dovecot-common) and "@{PROC}/filesystems r," (part of
> abstractions/base).
>
sorry I missed this one
Acked-by: John Johansen <john.johansen@canonical.com>
>
> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
> --- profiles/apparmor.d/usr.sbin.dovecot 2014-09-03 19:45:56 +0000
> +++ profiles/apparmor.d/usr.sbin.dovecot 2014-12-03 21:39:41 +0000
> @@ -15,6 +15,7 @@
> /usr/sbin/dovecot {
> #include <abstractions/authentication>
> #include <abstractions/base>
> + #include <abstractions/dovecot-common>
> #include <abstractions/mysql>
> #include <abstractions/nameservice>
> #include <abstractions/ssl_certs>
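Review bot: the added "#include <abstractions/dovecot-common>" line pulls in every rule in that abstraction, while the description names only two of them ("deny capability block_suspend," and "capability setgid,"). Please list the abstraction's full rule set in the commit message, or confirm it contains nothing else, so the net change to what /usr/sbin/dovecot may do is reviewable from the patch alone. Since the block_suspend rule is a deny rule, it is also worth saying explicitly that the intent is to refuse the capability and not just to quiet the log.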
> @@ -25,7 +26,6 @@
> capability fsetid,
> capability kill,
> capability net_bind_service,
> - capability setgid,
> capability setuid,
> capability sys_chroot,
>
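Review bot: dropping "capability setgid," here makes the profile depend on abstractions/dovecot-common continuing to grant it, and nothing in the profile records that dependency. The neighbouring "capability setuid," stays explicit, so someone auditing this list will see setuid without setgid and may take it for an omission. Suggest a one-line comment in the capability block noting that setgid comes from abstractions/dovecot-common, or keeping the explicit rule, which is harmless as a duplicate.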
> @@ -34,7 +34,6 @@
> /etc/lsb-release r,
> /etc/SuSE-release r,
> @{PROC}/@{pid}/mounts r,
> - @{PROC}/filesystems r,
> /usr/bin/doveconf rix,
> /usr/lib/dovecot/anvil Px,
> /usr/lib/dovecot/auth Px,
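Review bot: the removed "@{PROC}/filesystems r," is redundant only as long as "#include <abstractions/base>" stays in this profile, which the first hunk's context shows it does. No change requested for this hunk. Because the whole patch is meant to be a cleanup plus one deny rule, comparing the compiled policy before and after would confirm that this removal and the setgid one are behaviour-neutral.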
>
>
>
> Regards,
>
> Christian Boltz
>
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor