mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

profiles: allow for the default dovecot libexecdir

Browse source 
Allow for the default libexec subdir, /usr/libexec/dovecot, as well
as the more common /usr/lib/dovecot.

Signed-off-by: Peter Levine <plevine457@gmail.com>
This commit is contained in:
Peter Levine 2023-08-03 01:00:48 -04:00
parent 313366fbbc
commit 37ffc6eac8
22 changed files with 65 additions and 65 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
profiles/apparmor.d/usr.lib.dovecot.anvil
View file

@ -13,7 +13,7 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-anvil /usr/lib/dovecot/anvil {
profile dovecot-anvil /usr/lib*/dovecot/anvil {
include <abstractions/base>
include <abstractions/dovecot-common>
@ -24,7 +24,7 @@ profile dovecot-anvil /usr/lib/dovecot/anvil {
@{run}/dovecot/anvil rw,
@{run}/dovecot/anvil-auth-penalty rw,
/usr/lib/dovecot/anvil mr,
/usr/lib*/dovecot/anvil mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.dovecot.anvil>

4
profiles/apparmor.d/usr.lib.dovecot.auth
View file

@ -14,7 +14,7 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-auth /usr/lib/dovecot/auth {
profile dovecot-auth /usr/lib*/dovecot/auth {
include <abstractions/authentication>
include <abstractions/base>
include <abstractions/mysql>
@ -34,7 +34,7 @@ profile dovecot-auth /usr/lib/dovecot/auth {
/etc/my.cnf.d/*.cnf r,
/etc/dovecot/* r,
/usr/lib/dovecot/auth mr,
/usr/lib*/dovecot/auth mr,
/var/lib/dovecot/auth-chroot/* r,
# kerberos replay cache

6
profiles/apparmor.d/usr.lib.dovecot.config
View file

@ -13,7 +13,7 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-config /usr/lib/dovecot/config {
profile dovecot-config /usr/lib*/dovecot/config {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/dovecot-common>
@ -24,8 +24,8 @@ profile dovecot-config /usr/lib/dovecot/config {
/etc/dovecot/** r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/config mr,
/usr/lib/dovecot/managesieve Px,
/usr/lib*/dovecot/config mr,
/usr/lib*/dovecot/managesieve Px,
/usr/share/dovecot/** r,
/var/lib/dovecot/ssl-parameters.dat r,

4
profiles/apparmor.d/usr.lib.dovecot.deliver
View file

@ -16,7 +16,7 @@ abi <abi/4.0>,
include <tunables/global>
include <tunables/dovecot>
profile dovecot-deliver /usr/lib/dovecot/deliver {
profile dovecot-deliver /usr/lib*/dovecot/deliver {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/dovecot-common>
@ -32,7 +32,7 @@ profile dovecot-deliver /usr/lib/dovecot/deliver {
/etc/dovecot/dovecot-postfix.conf r, # ???
@{HOME} r, # ???
/usr/lib/dovecot/deliver mr,
/usr/lib*/dovecot/deliver mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.dovecot.deliver>

4
profiles/apparmor.d/usr.lib.dovecot.dict
View file

@ -13,7 +13,7 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-dict /usr/lib/dovecot/dict {
profile dovecot-dict /usr/lib*/dovecot/dict {
include <abstractions/base>
include <abstractions/mysql>
include <abstractions/nameservice>
@ -27,7 +27,7 @@ profile dovecot-dict /usr/lib/dovecot/dict {
/etc/dovecot/dovecot-database.conf.ext r,
/etc/dovecot/dovecot-dict-sql.conf.ext r,
/etc/my.cnf r,
/usr/lib/dovecot/dict mr,
/usr/lib*/dovecot/dict mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.dovecot.dict>

4
profiles/apparmor.d/usr.lib.dovecot.director
View file

@ -11,7 +11,7 @@
include <tunables/global>
profile dovecot-director /usr/lib/dovecot/director flags=(attach_disconnected) {
profile dovecot-director /usr/lib*/dovecot/director flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dovecot-common>
include <abstractions/nameservice>
@ -20,7 +20,7 @@ profile dovecot-director /usr/lib/dovecot/director flags=(attach_disconnected) {
capability sys_chroot,
/run/dovecot/login/proxy-notify rw,
/usr/lib/dovecot/director mr,
/usr/lib*/dovecot/director mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.dovecot.director>

4
profiles/apparmor.d/usr.lib.dovecot.doveadm-server
View file

@ -11,11 +11,11 @@
include <tunables/global>
profile dovecot-doveadm-server /usr/lib/dovecot/doveadm-server flags=(attach_disconnected) {
profile dovecot-doveadm-server /usr/lib*/dovecot/doveadm-server flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dovecot-common>
/usr/lib/dovecot/doveadm-server mr,
/usr/lib*/dovecot/doveadm-server mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.dovecot.doveadm-server>

4
profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
View file

@ -14,7 +14,7 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-dovecot-auth /usr/lib/dovecot/dovecot-auth {
profile dovecot-dovecot-auth /usr/lib*/dovecot/dovecot-auth {
include <abstractions/authentication>
include <abstractions/base>
include <abstractions/nameservice>
@ -25,7 +25,7 @@ profile dovecot-dovecot-auth /usr/lib/dovecot/dovecot-auth {
capability dac_override,
@{PROC}/@{pid}/mounts r,
/usr/lib/dovecot/dovecot-auth mr,
/usr/lib*/dovecot/dovecot-auth mr,
@{run}/dovecot/** rw,
# required for postfix+dovecot integration
/var/spool/postfix/private/dovecot-auth w,

4
profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
View file

@ -14,7 +14,7 @@ abi <abi/4.0>,
include <tunables/global>
include <tunables/dovecot>
profile dovecot-dovecot-lda /usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
profile dovecot-dovecot-lda /usr/lib*/dovecot/dovecot-lda flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/dovecot-common>
@ -30,7 +30,7 @@ profile dovecot-dovecot-lda /usr/lib/dovecot/dovecot-lda flags=(attach_disconnec
@{run}/dovecot/mounts r,
@{run}/dovecot/auth-userdb rw,
/usr/bin/doveconf mrix,
/usr/lib/dovecot/dovecot-lda mrix,
/usr/lib*/dovecot/dovecot-lda mrix,
/usr/{bin,sbin}/sendmail Cx -> sendmail,
/usr/share/dovecot/protocols.d/ r,
/usr/share/dovecot/protocols.d/** r,

4
profiles/apparmor.d/usr.lib.dovecot.imap
View file

@ -15,7 +15,7 @@ abi <abi/4.0>,
include <tunables/global>
include <tunables/dovecot>
profile dovecot-imap /usr/lib/dovecot/imap {
profile dovecot-imap /usr/lib*/dovecot/imap {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/dovecot-common>
@ -37,7 +37,7 @@ profile dovecot-imap /usr/lib/dovecot/imap {
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
@{PROC}/@{pid}/stat r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/imap mrix,
/usr/lib*/dovecot/imap mrix,
/usr/share/dovecot/** r,
@{run}/dovecot/login/imap rw,
@{run}/dovecot/auth-master rw,

4
profiles/apparmor.d/usr.lib.dovecot.imap-login
View file

@ -14,7 +14,7 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-imap-login /usr/lib/dovecot/imap-login {
profile dovecot-imap-login /usr/lib*/dovecot/imap-login {
include <abstractions/base>
include <abstractions/dovecot-common>
include <abstractions/openssl>
@ -26,7 +26,7 @@ profile dovecot-imap-login /usr/lib/dovecot/imap-login {
network inet6 stream,
network unix stream,
/usr/lib/dovecot/imap-login mr,
/usr/lib*/dovecot/imap-login mr,
@{run}/dovecot/anvil rw,
@{run}/dovecot/login-master-notify* rw,
@{run}/dovecot/login/ r,

4
profiles/apparmor.d/usr.lib.dovecot.lmtp
View file

@ -14,7 +14,7 @@ abi <abi/4.0>,
include <tunables/global>
include <tunables/dovecot>
profile dovecot-lmtp /usr/lib/dovecot/lmtp {
profile dovecot-lmtp /usr/lib*/dovecot/lmtp {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/dovecot-common>
@ -35,7 +35,7 @@ profile dovecot-lmtp /usr/lib/dovecot/lmtp {
owner @{PROC}/@{pid}/stat r,
@{PROC}/*/mounts r,
/tmp/dovecot.lmtp.* rw,
/usr/lib/dovecot/lmtp mr,
/usr/lib*/dovecot/lmtp mr,
@{run}/dovecot/mounts r,
# Site-specific additions and overrides. See local/README for details.

4
profiles/apparmor.d/usr.lib.dovecot.log
View file

@ -13,11 +13,11 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-log /usr/lib/dovecot/log flags=(attach_disconnected) {
profile dovecot-log /usr/lib*/dovecot/log flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dovecot-common>
/usr/lib/dovecot/log mr,
/usr/lib*/dovecot/log mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.dovecot.log>

4
profiles/apparmor.d/usr.lib.dovecot.managesieve
View file

@ -15,7 +15,7 @@ abi <abi/4.0>,
include <tunables/global>
include <tunables/dovecot>
profile dovecot-managesieve /usr/lib/dovecot/managesieve {
profile dovecot-managesieve /usr/lib*/dovecot/managesieve {
include <abstractions/base>
include <abstractions/dovecot-common>
@ -29,7 +29,7 @@ profile dovecot-managesieve /usr/lib/dovecot/managesieve {
/etc/dovecot/** r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/managesieve mrix,
/usr/lib*/dovecot/managesieve mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.dovecot.managesieve>

4
profiles/apparmor.d/usr.lib.dovecot.managesieve-login
View file

@ -16,7 +16,7 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-managesieve-login /usr/lib/dovecot/managesieve-login {
profile dovecot-managesieve-login /usr/lib*/dovecot/managesieve-login {
include <abstractions/base>
include <abstractions/dovecot-common>
include <abstractions/openssl>
@ -28,7 +28,7 @@ profile dovecot-managesieve-login /usr/lib/dovecot/managesieve-login {
network inet6 stream,
network unix stream,
/usr/lib/dovecot/managesieve-login mr,
/usr/lib*/dovecot/managesieve-login mr,
@{run}/dovecot/login-master-notify* rw,
@{run}/dovecot/login/ r,
@{run}/dovecot/login/* rw,

4
profiles/apparmor.d/usr.lib.dovecot.pop3
View file

@ -15,7 +15,7 @@ abi <abi/4.0>,
include <tunables/global>
include <tunables/dovecot>
profile dovecot-pop3 /usr/lib/dovecot/pop3 {
profile dovecot-pop3 /usr/lib*/dovecot/pop3 {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/dovecot-common>
@ -27,7 +27,7 @@ profile dovecot-pop3 /usr/lib/dovecot/pop3 {
@{HOME} r, # ???
@{PROC}/@{pid}/stat r,
/usr/lib/dovecot/pop3 mr,
/usr/lib*/dovecot/pop3 mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.dovecot.pop3>

4
profiles/apparmor.d/usr.lib.dovecot.pop3-login
View file

@ -14,7 +14,7 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-pop3-login /usr/lib/dovecot/pop3-login {
profile dovecot-pop3-login /usr/lib*/dovecot/pop3-login {
include <abstractions/base>
include <abstractions/dovecot-common>
include <abstractions/openssl>
@ -26,7 +26,7 @@ profile dovecot-pop3-login /usr/lib/dovecot/pop3-login {
network inet6 stream,
network unix stream,
/usr/lib/dovecot/pop3-login mr,
/usr/lib*/dovecot/pop3-login mr,
@{run}/dovecot/anvil rw,
@{run}/dovecot/login-master-notify* rw,
@{run}/dovecot/login/ r,

4
profiles/apparmor.d/usr.lib.dovecot.replicator
View file

@ -15,7 +15,7 @@
include <tunables/dovecot>
include <tunables/global>
profile dovecot-replicator /usr/lib/dovecot/replicator {
profile dovecot-replicator /usr/lib*/dovecot/replicator {
include <abstractions/base>
include <abstractions/dovecot-common>
include <abstractions/nameservice>
@ -25,7 +25,7 @@ profile dovecot-replicator /usr/lib/dovecot/replicator {
/etc/dovecot/conf.d/ r,
/etc/dovecot/conf.d/** r,
/etc/dovecot/dovecot.conf r,
/usr/lib/dovecot/replicator mr,
/usr/lib*/dovecot/replicator mr,
/usr/share/dovecot/** r,
/{,var/}run/dovecot/auth-master rw,
@{DOVECOT_MAILSTORE}/ rw,

4
profiles/apparmor.d/usr.lib.dovecot.script-login
View file

@ -14,14 +14,14 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-script-login /usr/lib/dovecot/script-login {
profile dovecot-script-login /usr/lib*/dovecot/script-login {
include <abstractions/base>
include <abstractions/dovecot-common>
include <abstractions/nameservice>
capability setuid,
/usr/lib/dovecot/script-login mrPx,
/usr/lib*/dovecot/script-login mrPx,
# NOTE: You'll need to allow execution of your actual login script.
# The recommended way is to add a rule for it in local/usr.lib.dovecot.script-login

4
profiles/apparmor.d/usr.lib.dovecot.ssl-params
View file

@ -13,13 +13,13 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-ssl-params /usr/lib/dovecot/ssl-params {
profile dovecot-ssl-params /usr/lib*/dovecot/ssl-params {
include <abstractions/base>
include <abstractions/dovecot-common>
@{run}/dovecot/ssl-params rw,
@{run}/dovecot/login/ssl-params rw,
/usr/lib/dovecot/ssl-params mr,
/usr/lib*/dovecot/ssl-params mr,
/var/lib/dovecot/ssl-parameters.dat rw,
/var/lib/dovecot/ssl-parameters.dat.tmp rwk,

4
profiles/apparmor.d/usr.lib.dovecot.stats
View file

@ -13,7 +13,7 @@ abi <abi/4.0>,
include <tunables/global>
profile dovecot-stats /usr/lib/dovecot/stats {
profile dovecot-stats /usr/lib*/dovecot/stats {
include <abstractions/base>
include <abstractions/dovecot-common>
@ -24,7 +24,7 @@ profile dovecot-stats /usr/lib/dovecot/stats {
network inet stream,
network inet6 stream,
/usr/lib/dovecot/stats mr,
/usr/lib*/dovecot/stats mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.dovecot.stats>

44
profiles/apparmor.d/usr.sbin.dovecot
View file

@ -33,10 +33,10 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
capability sys_chroot,
capability sys_resource,
signal send peer=/usr/lib/dovecot/*,
signal send peer=/usr/lib*/dovecot/*,
signal send peer=dovecot-*,
unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
unix (receive, send) type=stream peer=(label=/usr/lib*/dovecot/anvil),
unix (receive, send) type=stream peer=(label=dovecot-anvil),
/etc/dovecot/** r,
@ -46,26 +46,26 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
@{PROC}/@{pid}/mounts r,
@{PROC}/sys/fs/suid_dumpable r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/anvil mrPx,
/usr/lib/dovecot/auth mrPx,
/usr/lib/dovecot/config mrPx,
/usr/lib/dovecot/dict mrPx,
/usr/lib/dovecot/director mrPx,
/usr/lib/dovecot/doveadm-server mrPx,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
/usr/lib/dovecot/lmtp mrPx,
/usr/lib/dovecot/log mrPx,
/usr/lib/dovecot/managesieve mrPx,
/usr/lib/dovecot/managesieve-login Pxmr,
/usr/lib/dovecot/pop3 mrPx,
/usr/lib/dovecot/pop3-login Pxmr,
/usr/lib/dovecot/replicator mrPx,
/usr/lib/dovecot/script-login Px,
/usr/lib/dovecot/ssl-build-param rix,
/usr/lib/dovecot/ssl-params mrPx,
/usr/lib/dovecot/stats Px,
/usr/lib*/dovecot/anvil mrPx,
/usr/lib*/dovecot/auth mrPx,
/usr/lib*/dovecot/config mrPx,
/usr/lib*/dovecot/dict mrPx,
/usr/lib*/dovecot/director mrPx,
/usr/lib*/dovecot/doveadm-server mrPx,
/usr/lib*/dovecot/dovecot-auth Pxmr,
/usr/lib*/dovecot/imap Pxmr,
/usr/lib*/dovecot/imap-login Pxmr,
/usr/lib*/dovecot/lmtp mrPx,
/usr/lib*/dovecot/log mrPx,
/usr/lib*/dovecot/managesieve mrPx,
/usr/lib*/dovecot/managesieve-login Pxmr,
/usr/lib*/dovecot/pop3 mrPx,
/usr/lib*/dovecot/pop3-login Pxmr,
/usr/lib*/dovecot/replicator mrPx,
/usr/lib*/dovecot/script-login Px,
/usr/lib*/dovecot/ssl-build-param rix,
/usr/lib*/dovecot/ssl-params mrPx,
/usr/lib*/dovecot/stats Px,
/usr/{bin,sbin}/dovecot mrix,
/usr/share/dovecot/dh.pem r,
/usr/share/dovecot/protocols.d/ r,