mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'dovecot-fixes-no-doveadm' into 'master'

Browse source 
misc dovecot fixes (take #2)

See merge request apparmor/apparmor!336

Acked-by: Christian Boltz <apparmor@cboltz.de> for master..2.10

(cherry picked from commit e68beb988a)

a57f01d8 dovecot: allow FD passing between dovecot and dovecot's anvil
d0aa863f dovecot: allow chroot'ing the auth processes
9afeb225 dovecot: let dovecot/anvil rw the auth-penalty socket
17db8f38 dovecot: auth processes need to read from postfix auth socket
6a7c49b1 dovecot: add abstractions/ssl_certs to lmtp
This commit is contained in:
Christian Boltz 2019-02-17 21:04:27 +00:00
parent c513fc5a92
commit 628b32b79b
4 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
profiles/apparmor.d/usr.lib.dovecot.anvil
View file

@ -18,7 +18,10 @@
capability setuid, capability setuid,
capability sys_chroot, capability sys_chroot,
unix (receive, send) type=stream peer=(label=dovecot),
/run/dovecot/anvil rw, /run/dovecot/anvil rw,
/run/dovecot/anvil-auth-penalty rw,
/usr/lib/dovecot/anvil mr, /usr/lib/dovecot/anvil mr,
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.

5
profiles/apparmor.d/usr.lib.dovecot.auth
View file

@ -25,6 +25,7 @@
capability dac_override, capability dac_override,
capability dac_read_search, capability dac_read_search,
capability setuid, capability setuid,
capability sys_chroot,
/etc/my.cnf r, /etc/my.cnf r,
/etc/my.cnf.d/ r, /etc/my.cnf.d/ r,
@ -32,6 +33,7 @@
/etc/dovecot/* r, /etc/dovecot/* r,
/usr/lib/dovecot/auth mr, /usr/lib/dovecot/auth mr,
/var/lib/dovecot/auth-chroot/* r,
# kerberos replay cache # kerberos replay cache
/var/tmp/imap_* rw, /var/tmp/imap_* rw,
@ -40,6 +42,7 @@
/var/tmp/smtp_* rw, /var/tmp/smtp_* rw,
/run/dovecot/auth-master rw, /run/dovecot/auth-master rw,
/run/dovecot/auth-userdb rw,
/run/dovecot/auth-worker rw, /run/dovecot/auth-worker rw,
/run/dovecot/login/login rw, /run/dovecot/login/login rw,
/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw, /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
@ -47,7 +50,7 @@
/{var/,}run/dovecot/stats-user rw, /{var/,}run/dovecot/stats-user rw,
/{var/,}run/dovecot/anvil-auth-penalty rw, /{var/,}run/dovecot/anvil-auth-penalty rw,
/var/spool/postfix/private/auth w, /var/spool/postfix/private/auth rw,
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.auth> #include <local/usr.lib.dovecot.auth>

1
profiles/apparmor.d/usr.lib.dovecot.lmtp
View file

@ -17,6 +17,7 @@
#include <abstractions/nameservice> #include <abstractions/nameservice>
#include <abstractions/dovecot-common> #include <abstractions/dovecot-common>
#include <abstractions/openssl> #include <abstractions/openssl>
#include <abstractions/ssl_certs>
#include <abstractions/ssl_keys> #include <abstractions/ssl_keys>
capability dac_override, capability dac_override,

2
profiles/apparmor.d/usr.sbin.dovecot
View file

@ -33,6 +33,8 @@
signal send set=(int,quit) peer=/usr/lib/dovecot/*, signal send set=(int,quit) peer=/usr/lib/dovecot/*,
unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
/etc/dovecot/** r, /etc/dovecot/** r,
/etc/mtab r, /etc/mtab r,
/etc/lsb-release r, /etc/lsb-release r,