From 0f6be43d8ec531df1cf113cc4d0a6fa1ea786d9e Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Mon, 7 Jul 2014 23:35:18 +0200
Subject: [PATCH] dovecot profile update

Some updates for the dovecot profiles, based on a patch from
Christian Wittmer <chris@computersalat.de> (he sent it as SR for the
openSUSE package, which uses a slightly older version of the dovecot
profiles)

Fix problems with dovecot and managesieve:
* usr.lib.dovecot.managesieve-login: network inet6 stream
* usr.lib.dovecot.managesieve:
  +#include <tunables/dovecot>
    /usr/lib/dovecot/managesieve {
  +  capability setgid,   # covered by abstractions/dovecot-common, therefore not part of this patch
  +  capability setuid,
  +  network inet stream,
  +  network inet6 stream,
  +  @{DOVECOT_MAILSTORE}/ rw,
  +  @{DOVECOT_MAILSTORE}/** rwkl,
* add #include <abstractions/wutmp> to usr.lib.dovecot.auth
   apparmor="DENIED" operation="open" parent=18310 \
   profile="/usr/lib/dovecot/auth" name="/var/run/utmp" pid=20939 \
   comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


Acked-by: Steve Beattie <steve@nxnw.org>

Bug: https://launchpad.net/bugs/1322778
---
 profiles/apparmor.d/usr.lib.dovecot.auth              |  2 ++
 profiles/apparmor.d/usr.lib.dovecot.managesieve       | 10 ++++++++++
 profiles/apparmor.d/usr.lib.dovecot.managesieve-login |  2 ++
 3 files changed, 14 insertions(+)

diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth
index 6db41c65f..b47bc76ad 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2014 Christian Wittmer
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -16,6 +17,7 @@
   #include <abstractions/base>
   #include <abstractions/mysql>
   #include <abstractions/nameservice>
+  #include <abstractions/wutmp>
   #include <abstractions/dovecot-common>
 
   capability audit_write,
diff --git a/profiles/apparmor.d/usr.lib.dovecot.managesieve b/profiles/apparmor.d/usr.lib.dovecot.managesieve
index 1010f3805..8ce9faed1 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.managesieve
+++ b/profiles/apparmor.d/usr.lib.dovecot.managesieve
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2014 Christian Wittmer
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -10,11 +11,20 @@
 # vim: ft=apparmor
 
 #include <tunables/global>
+#include <tunables/dovecot>
 
 /usr/lib/dovecot/managesieve {
   #include <abstractions/base>
   #include <abstractions/dovecot-common>
 
+  capability setuid,
+
+  network inet stream,
+  network inet6 stream,
+
+  @{DOVECOT_MAILSTORE}/ rw,
+  @{DOVECOT_MAILSTORE}/** rwkl,
+
   /etc/dovecot/** r,
   /usr/bin/doveconf rix,
   /usr/lib/dovecot/managesieve mrix,
diff --git a/profiles/apparmor.d/usr.lib.dovecot.managesieve-login b/profiles/apparmor.d/usr.lib.dovecot.managesieve-login
index 4340b489d..a87ded6f6 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.managesieve-login
+++ b/profiles/apparmor.d/usr.lib.dovecot.managesieve-login
@@ -3,6 +3,7 @@
 #    Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
 #    Copyright (C) 2009-2011 Canonical Ltd.
 #    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2014 Christian Wittmer
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -23,6 +24,7 @@
   capability sys_chroot,
 
   network inet stream,
+  network inet6 stream,
 
   /usr/lib/dovecot/managesieve-login mr,
   /{,var/}run/dovecot/login/ r,