http://bugzilla.opensuse.org/show_bug.cgi?id=1166007
http://bugzilla.opensuse.org/show_bug.cgi?id=1166007#c10
--- Comment #10 from Michael Hirmke
Thanks for the updated profiles!
Let me summarize your changes:
usr.sbin.dovecot: + /usr/lib/dovecot/script-login Px,
Makes sense.
Ok.
usr.lib.dovecot.managesieve: - network inet6 stream, - network inet stream, + #include
abstractions/nameservice allows a lot, do you remember why it was proposed? (If you still have the audit.log, grep for "managesieve" and attach the result.)
See attachment.
usr.lib.dovecot.script-login: That's the profile you created, unfortunately in a way that won't be accepted upstream. The problem is /home/vmware/forest-hirmke.de/msex/vmail/bin/postlogin.sh mrix, which means several things your postlogin.sh script does went into the script-login profile.
Can you please re-create the script-login profile from scratch, but with a separate profile (Px) for postlogin.sh? That should also move most permissions out of the script-login profile.
Can do that, but the path is a somewhat temporary path. It is included, because I'm in transition from MS Exchange to Dovecot and wanted to use the remaining space on that RAID for Dovecot, too. In the future, the disk will get mounted to /home/vmail directly, so that only this path will occur in the profiles.
Or provide your audit.log and let me do it ;-)
See second attachment.
usr.bin.cut usr.bin.echo usr.bin.pwd
I'd recommend not to have standalone profiles for these helpers - better create a child profile (Cx) or use inherit (ix). At least for "cut", having a standalone profile might cause trouble when another script uses cut with a filename as parameter - your profile doesn't allow to read any files.
I'm really new to apparmor - never had to do anything with it. So I had no clue what aa-logprof really created - and why 8-< Because it is a home environment with only two users, I even deactivated apparmor in the past. Thx!
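
The profile layout discussed in this comment, as an added example (not taken from the bug report or its attachments): script-login hands postlogin.sh to its own profile with Px, and the helpers are covered by ix and a Cx child profile instead of standalone profiles. The script path /home/vmail/bin/postlogin.sh, bash as the script's interpreter, and cut reading only from a pipe are assumptions.

```apparmor
# Added sketch, not the reporter's profiles.
# Assumed script path: /home/vmail/bin/postlogin.sh
#include <tunables/global>

/usr/lib/dovecot/script-login {
  #include <abstractions/base>

  /usr/lib/dovecot/script-login mr,

  # Px: run the script under its own profile (defined below) with a
  # scrubbed environment, so what the script does needs no rules here.
  /home/vmail/bin/postlogin.sh Px,
}

/home/vmail/bin/postlogin.sh {
  #include <abstractions/base>

  /home/vmail/bin/postlogin.sh r,
  /{usr/,}bin/bash mrix,      # assumed interpreter of the script

  # ix: echo and pwd inherit this profile, no profile of their own.
  /{usr/,}bin/echo mrix,
  /{usr/,}bin/pwd mrix,

  # Cx: cut gets a child profile that applies only when it is started
  # from postlogin.sh; other scripts calling cut are not affected.
  /{usr/,}bin/cut Cx -> cut,

  profile cut {
    #include <abstractions/base>

    /{usr/,}bin/cut mr,
    # No file rules: assumes the script only pipes data into cut.
  }
}
```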