# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

# NOTE(review): every angle-bracketed target on this page (the abi line, the
# top-level include, the three includes inside the profile and the trailing
# "include if exists") was lost when the page was extracted, so those
# directives are incomplete as shown; restore them from the upstream file
# before loading this profile.
abi ,                                   # abi target lost in extraction

include                                 # include target lost in extraction

# Path the profile attaches to; the {usr/,} alternation covers merged-/usr
# and split-/usr layouts.
@{exec_path} = /{usr/,}sbin/exim4
profile exim4 @{exec_path} {
  include                               # abstraction target lost in extraction
  include                               # abstraction target lost in extraction
  include                               # abstraction target lost in extraction

  # Socket families the daemon may use. The profile does not record why each
  # is needed; presumably TCP for SMTP and UDP for DNS — confirm against the
  # abstractions included above before narrowing. The netlink raw rule has no
  # stated purpose here.
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  # mrix: the binary may re-exec itself and stays confined by this profile.
  @{exec_path} mrix,

  # To bind to port 25/tcp
  capability net_bind_service,

  # To remove the following error:
  #  exim4[]: exim: setgroups() failed: Operation not permitted
  capability setgid,

  # To remove the following error:
  #  exim4[]: unable to set gid=110 or uid=105 (euid=0): calling tls_validate_require_cipher
  capability setuid,

  # To remove the following error:
  #  exim4[]: Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=0 egid=110
  # NOTE(review): dac_override bypasses every file-permission check, which is
  # much broader than the single log-file error quoted above; it is worth
  # checking whether dac_read_search alone (or correct ownership of
  # /var/log/exim4/) is sufficient before keeping both.
  capability dac_read_search,
  capability dac_override,

  # To remove the following error:
  #  exim.c:774: chown(/var/spool/exim4//msglog//1kqH5Z-000RUf-UR, 105:110) failed (Operation not
  #  permitted). Please contact the authors and refer to https://bugs.exim.org/show_bug.cgi?id=2391
  capability chown,

  # To remove the following error:
  #  Couldn't chmod message log /var/spool/exim4//msglog//1kqH6c-000S7r-Ni: Operation not permitted
  capability fowner,

  # Needed?
  # Explicitly refused and logged so any attempt shows up in the audit log
  # rather than being silently dropped by the implicit deny.
  audit deny capability net_admin,

  /var/lib/exim4/config.autogenerated{,.tmp} r,
  /etc/email-addresses r,
  /etc/aliases r,

  # Writes go to the two named log files only, never to the directory itself.
  deny /var/log/exim4/ w,
  /var/log/exim4/mainlog w,
  /var/log/exim4/paniclog w,

  # Spool layout: queued messages live under input/ (the *-*-*-* pattern
  # matches the per-message files named after the message id), per-message
  # logs under msglog/.
  owner /var/spool/exim4/ r,
  /var/spool/exim4/input/ r,
  /var/spool/exim4/input/*-*-*-* rwk,
  owner /var/spool/exim4/input/hdr.*-*-* rw,
  owner /var/spool/exim4/input/hdr.@{pid} rw,
  /var/spool/exim4/db/retry.lockfile rwk,
  /var/spool/exim4/msglog/*-*-* w,

  # Local mailbox delivery; the lock file is created as a hard link to a
  # uniquely named temp lock, hence the link (l) rule with an explicit target.
  owner /var/mail/* rwk,
  owner /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]* w,
  owner /var/mail/*.lock wl -> /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]*,

  owner @{run}/exim4/exim.pid rw,

  owner @{run}/dbus/system_bus_socket rw,

  # file_inherit
  # Presumably unlinked/anonymous temp files inherited from the caller
  # (the "#<inode>" name form) — confirm against the observed denials.
  /tmp/#[0-9]*[0-9] rw,

  /var/lib/dpkg/status r,
  /var/log/cron-apt/lastfullmessage r,

  include if exists                     # local-override target lost in extraction
}