With abstractions/openssl now being included from abstraction/base
(via the indirection of abstractions/crypto) anything already
including abstraction/base can stop including abstractions/openssl
directly.
Allow for the default libexec subdir, /usr/libexec/dovecot, as well
as the more common /usr/lib/dovecot.
Signed-off-by: Peter Levine <plevine457@gmail.com>
Begin preparing policy for the 4.0 release. This may result in new
denials. This is expected and needed to make sure policy is ready
for the 4.0 release.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Tag profiles and abstractions with abi information.
Tagging abstractions is not strictly necessary but allows the parser
to detect when their is a mismatch and that policy will need an
update for abi.
We do not currently tag the tunables because variable declarations
are not currently affected by abi.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
When using passdb/userdb not requiring root (!= /etc/shadow access)
it is recommended to run the auth processes as non root and chroot'ed
Signed-off-by: Simon Deziel <simon@sdeziel.info>
Add several permissions to the dovecot profiles that are needed on ubuntu
(surprisingly not on openSUSE, maybe it depends on the dovecot config?)
As discussed some weeks ago, the added permissions use only /run/
instead of /{var/,}run/ (which is hopefully superfluous nowadays).
References: https://bugs.launchpad.net/apparmor/+bug/1512131
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
The dovecot/auth profile needs access to /run/dovecot/anvil-auth-penalty
and /var/spool/postfix/private/auth.
The dovecot/log profile needs the attach_disconnected flag.
Refences: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1652131
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
- dovecot/auth: allow to read stats-user
- dovecot/config: allow to read /usr/share/dovecot/**
- dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
/usr/share/dovecot/**
These things were reported by Félix Sipma in Debian Bug#835826
(with some help from sarnold on IRC)
References: https://bugs.debian.org/835826
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Also allow reading ~/.dovecot.svbin (that's the default filename in the
dovecot config) in dovecot/lmtp profile.
(*.svbin files can probably also appear inside @{DOVECOT_MAILSTORE}, but
that's already covered by the existing rules.)
References: https://bugs.debian.org/835826 (again)
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
Since the latest openSUSE Tumbleweed update (dovecot 2.2.21 -> 2.2.22),
dovecot/auth writes to /var/run/dovecot/stats-user.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Darix' guess is that this is needed by libpq because he uses a postgresql
database with dovecot and has ssl enabled in postgresql.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.9
- usr.lib.dovecot.auth needs /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
- usr.lib.dovecot.imap requests block_suspend, which I propose to deny as usual
Acked-by: Seth Arnold <seth.arnold@canonical.com>
user/password files (everybody will use a different filename for the
user/password list - and when you allow reading the password list,
allowing to read the config doesn't add any harm ;-)
References: https://bugzilla.novell.com/show_bug.cgi?id=874094
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Some updates for the dovecot profiles, based on a patch from
Christian Wittmer <chris@computersalat.de> (he sent it as SR for the
openSUSE package, which uses a slightly older version of the dovecot
profiles)
Fix problems with dovecot and managesieve:
* usr.lib.dovecot.managesieve-login: network inet6 stream
* usr.lib.dovecot.managesieve:
+#include <tunables/dovecot>
/usr/lib/dovecot/managesieve {
+ capability setgid, # covered by abstractions/dovecot-common, therefore not part of this patch
+ capability setuid,
+ network inet stream,
+ network inet6 stream,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
* add #include <abstractions/wutmp> to usr.lib.dovecot.auth
apparmor="DENIED" operation="open" parent=18310 \
profile="/usr/lib/dovecot/auth" name="/var/run/utmp" pid=20939 \
comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://launchpad.net/bugs/1322778
This commit adds a dovecot-common abstraction, as well as adjusting
the profiles for dovecot's helper binaries to make use of it. The
important addition is the ability for the dovecot master process to
send signals to the helpers.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
abstractions/mysql.
This binary/profile seems to be the only one that needs to do this, so
add it to this profile (instead of abstractions/mysql) to avoid superfluous
permissions for other programs with abstractions/mysql
Acked-by: John Johansen <john.johansen@canonical.com>
dovecot 2.x comes with several new binaries in /usr/lib/dovecot.
This patch adds profiles for
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/ssl-params
References: https://bugzilla.novell.com/show_bug.cgi?id=851984
Acked-by: John Johansen <john.johansen@canonical.com>
