On 05/31/2016 05:16 PM, Christian Boltz wrote:
Did you also need any changes in the profiles that are enabled by
default? If so, please tell me - in many (not all) cases I consider this
to be a bug in the profile;-)
Hi Christian,
It's great to see activity here! I'm new to AppArmor; I had to create some
specific profiles for a customer last month, and I really like it.
But the included profiles for dovecot didn't work. I was pressed for time so
I quickly hacked two of the profiles to get the server working. I'm sure I didn't
do it right, and may have messed up the security posture, but at least the mail
is flowing!
In this case all users' home directories are in /export/home1. Here are the updated
profiles, generated with the help of aa-logprof. This is on a 13.2 x86-64 system.
What's the right way to configure dovecot when users' home directories are in /export/home1?
An environment variable somewhere?
usr.lib.dovecot.imap
# Last Modified: Tue May 3 13:55:56 2016
#include
#include
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2010 Canonical Ltd.
# Copyright (C) 2011-2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
# Profile for the dovecot imap process, as posted. The #include lines below
# have lost their <...> targets in the mail archive, so which abstractions
# and tunables are actually pulled in cannot be confirmed from this listing.
/usr/lib/dovecot/imap {
#include
#include
#include
#include
# "deny" refuses the capability and also suppresses the audit log entry.
deny capability block_suspend,
# presumably needed to switch to the mail user's uid — confirm against
# dovecot's process model.
capability setuid,
# NOTE(review): site-specific hack — grants read/write/lock/link on every
# user's entire home tree under /export/home1 (the home root named in the
# mail above), with no "owner" qualifier and no restriction to the mail
# store. The shipped rules below already cover the mail store through
# @{DOVECOT_MAILSTORE}; the intended way to relocate home directories is to
# extend the tunables (e.g. @{HOMEDIRS}+=/export/home1/ in a file under
# tunables/home.d/, and/or @{DOVECOT_MAILSTORE} in tunables/dovecot) so that
# @{HOME} and @{DOVECOT_MAILSTORE} expand to the new location — verify on
# this system; once they do, this line should not be needed.
/export/home1/** rwlk,
/usr/lib/dovecot/imap mr,
# the {,var/} alternation matches both /run and /var/run.
/{,var/}run/dovecot/auth-master rw,
/{,var/}run/dovecot/mounts r,
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwlk,
# read access to the home directory entry itself (no trailing glob).
@{HOME} r,
}
And:
usr.lib.dovecot.dovecot-lda
# ------------------------------------------------------------------
#
# Copyright (C) 2013-2016 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include
#include
# Profile for dovecot's local delivery agent, as posted. The #include lines
# below have lost their <...> targets in the mail archive, so which
# abstractions and tunables are pulled in cannot be confirmed here.
/usr/lib/dovecot/dovecot-lda {
#include
#include
#include
# presumably needed to switch to the recipient's uid before delivery — confirm.
capability setuid,
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
/etc/dovecot/** r,
/proc/*/mounts r,
# owner-qualified: only matches files owned by the process's uid.
owner /tmp/dovecot.lda.* rw,
/{var/,}run/dovecot/mounts r,
# ix: executed under this same profile (m allows mmap of the binary).
/usr/bin/doveconf mrix,
/usr/lib/dovecot/dovecot-lda mrix,
# Cx: executed under the child profile defined below, not under the
# system-wide sendmail profile.
/usr/sbin/sendmail Cx,
# Site-specific additions and overrides. See local/README for details.
#include
profile /usr/sbin/sendmail flags=(attach_disconnected) {
# this profile is based on the usr.sbin.sendmail profile in extras
# and should support both postfix' and sendmail's sendmail binary
#include
#include
#include
#include
#include
# NOTE(review): the only capability granted to the child; why sendmail or
# postdrop would need ptrace is not visible here — confirm it is actually
# required (check the audit log) before keeping it.
capability sys_ptrace,
/etc/aliases rw, # newaliases is a symlink to sendmail, so it's
/etc/aliases.db rw, # actually the same binary
/etc/fstab r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/mail/* r,
/etc/mail/statistics rw,
/etc/mtab r,
/etc/postfix/aliases r,
/etc/postfix/aliases.db rw, # newaliases again
/etc/sendmail.cf r,
/etc/sendmail.cw r,
/etc/shells r,
/proc/loadavg r,
/proc/net/if_inet6 r,
/root/.forward r,
/root/dead.letter w,
# Px: transition to the target binary's own profile, environment scrubbed.
/usr/bin/procmail Px,
/usr/lib/postfix/master Px,
/usr/lib/postfix/showq Px,
/usr/lib/postfix/smtpd Px,
/usr/sbin/postalias Px,
/usr/sbin/postdrop Px,
/usr/sbin/postfix Px,
/usr/sbin/postqueue Px,
# ix: the sendmail binary and its postfix/sendmail variants stay in this
# child profile.
/usr/sbin/sendmail mrix,
/usr/sbin/sendmail.postfix mrix,
/usr/sbin/sendmail.sendmail mrix,
/{var/,}run/sendmail.pid rwl,
/{var/,}run/sm-client.pid rwl,
/{var/,}run/utmp rw,
/var/spool/clientmqueue/* rwl,
# NOTE(review): site-specific hack — read/write/link on everything one level
# below /export/home1/mail/, with no "owner" qualifier. Whether that path is
# a mail spool or part of a user's home is not visible here; a site addition
# like this normally belongs in a local/ override (the parent profile
# includes one above) rather than in the shipped profile, so it survives
# package updates.
/export/home1/mail/* rwl,
/var/spool/mqueue/* rwl,
/var/spool/postfix/maildrop/* rwl,
/var/spool/postfix/public/pickup w,
/var/spool/postfix/public/qmgr w,
/var/spool/postfix/public/showq w,
}
}
Regards,
Lew