Merge branch 'dovecot-fixes-no-doveadm' into 'master'

misc dovecot fixes (take #2) See merge request apparmor/apparmor!336 Acked-by: Christian Boltz <apparmor@cboltz.de> for master..2.10 (cherry picked from commit e68beb988a) a57f01d8 dovecot: allow FD passing between dovecot and dovecot's anvil d0aa863f dovecot: allow chroot'ing the auth processes 9afeb225 dovecot: let dovecot/anvil rw the auth-penalty socket 17db8f38 dovecot: auth processes need to read from postfix auth socket 6a7c49b1 dovecot: add abstractions/ssl_certs to lmtp
2025-03-04 08:24:42 +01:00 · 2019-02-17 21:04:27 +00:00 · 2019-02-17 21:04:27 +00:00 · 628b32b79b
commit 628b32b79b
parent c513fc5a92
4 changed files with 10 additions and 1 deletions
--- a/profiles/apparmor.d/usr.lib.dovecot.anvil
+++ b/profiles/apparmor.d/usr.lib.dovecot.anvil
@ -18,7 +18,10 @@
  capability setuid,
  capability sys_chroot,

+  unix (receive, send) type=stream peer=(label=dovecot),
+
  /run/dovecot/anvil rw,
+  /run/dovecot/anvil-auth-penalty rw,
  /usr/lib/dovecot/anvil mr,

  # Site-specific additions and overrides. See local/README for details.
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
@ -25,6 +25,7 @@
  capability dac_override,
  capability dac_read_search,
  capability setuid,
+  capability sys_chroot,

  /etc/my.cnf r,
  /etc/my.cnf.d/ r,
@ -32,6 +33,7 @@

  /etc/dovecot/* r,
  /usr/lib/dovecot/auth mr,
+  /var/lib/dovecot/auth-chroot/* r,

  # kerberos replay cache
  /var/tmp/imap_* rw,
@ -40,6 +42,7 @@
  /var/tmp/smtp_* rw,

  /run/dovecot/auth-master rw,
+  /run/dovecot/auth-userdb rw,
  /run/dovecot/auth-worker rw,
  /run/dovecot/login/login rw,
  /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
@ -47,7 +50,7 @@
  /{var/,}run/dovecot/stats-user rw,
  /{var/,}run/dovecot/anvil-auth-penalty rw,

-  /var/spool/postfix/private/auth w,
+  /var/spool/postfix/private/auth rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.auth>
--- a/profiles/apparmor.d/usr.lib.dovecot.lmtp
+++ b/profiles/apparmor.d/usr.lib.dovecot.lmtp
@ -17,6 +17,7 @@
  #include <abstractions/nameservice>
  #include <abstractions/dovecot-common>
  #include <abstractions/openssl>
+  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>

  capability dac_override,
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@ -33,6 +33,8 @@

  signal send set=(int,quit) peer=/usr/lib/dovecot/*,

+  unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
+
  /etc/dovecot/** r,
  /etc/mtab r,
  /etc/lsb-release r,