Since the latest openSUSE Tumbleweed update (dovecot 2.2.21 -> 2.2.22),
dovecot/auth writes to /var/run/dovecot/stats-user.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Darix' guess is that this is needed by libpq because he uses a postgresql
database with dovecot and has ssl enabled in postgresql.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.9
- usr.lib.dovecot.auth needs /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
- usr.lib.dovecot.imap requests block_suspend, which I propose to deny as usual
Acked-by: Seth Arnold <seth.arnold@canonical.com>
user/password files (everybody will use a different filename for the
user/password list - and when you allow reading the password list,
allowing to read the config doesn't add any harm ;-)
References: https://bugzilla.novell.com/show_bug.cgi?id=874094
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Some updates for the dovecot profiles, based on a patch from
Christian Wittmer <chris@computersalat.de> (he sent it as SR for the
openSUSE package, which uses a slightly older version of the dovecot
profiles)
Fix problems with dovecot and managesieve:
* usr.lib.dovecot.managesieve-login: network inet6 stream
* usr.lib.dovecot.managesieve:
+#include <tunables/dovecot>
/usr/lib/dovecot/managesieve {
+ capability setgid, # covered by abstractions/dovecot-common, therefore not part of this patch
+ capability setuid,
+ network inet stream,
+ network inet6 stream,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
* add #include <abstractions/wutmp> to usr.lib.dovecot.auth
apparmor="DENIED" operation="open" parent=18310 \
profile="/usr/lib/dovecot/auth" name="/var/run/utmp" pid=20939 \
comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://launchpad.net/bugs/1322778
This commit adds a dovecot-common abstraction, as well as adjusting
the profiles for dovecot's helper binaries to make use of it. The
important addition is the ability for the dovecot master process to
send signals to the helpers.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
abstractions/mysql.
This binary/profile seems to be the only one that needs to do this, so
add it to this profile (instead of abstractions/mysql) to avoid superfluous
permissions for other programs with abstractions/mysql
Acked-by: John Johansen <john.johansen@canonical.com>
dovecot 2.x comes with several new binaries in /usr/lib/dovecot.
This patch adds profiles for
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/ssl-params
References: https://bugzilla.novell.com/show_bug.cgi?id=851984
Acked-by: John Johansen <john.johansen@canonical.com>
