From 2eee4d6acb2e4eeedf6af20c54b343746203e8b7 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Mon, 30 Jan 2017 20:43:47 +0100
Subject: [PATCH] Dovecot profile: change Px to mrPx for /usr/lib/dovecot/*
Some of the /usr/lib/dovecot/* rules already have mrPx permissions, while others don't. With a more recent kernel, I noticed that at least auth, config, dict, lmtp, pop3 and ssl-params need mrPx instead of just Px (confirmed by the audit.log and actual breakage caused by the missing mr permissions). The mr additions for anvil, log and managesieve are just a wild guess, but I would be very surprised if they don't need mr.
Acked-by: Seth Arnold for trunk, 2.10 and 2.9.
---
 profiles/apparmor.d/usr.sbin.dovecot | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index 86797c6a3..4eee5ca44 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -36,21 +36,21 @@
 /etc/SuSE-release r,
 @{PROC}/@{pid}/mounts r,
 /usr/bin/doveconf rix,
- /usr/lib/dovecot/anvil Px,
- /usr/lib/dovecot/auth Px,
- /usr/lib/dovecot/config Px,
- /usr/lib/dovecot/dict Px,
+ /usr/lib/dovecot/anvil mrPx,
+ /usr/lib/dovecot/auth mrPx,
+ /usr/lib/dovecot/config mrPx,
+ /usr/lib/dovecot/dict mrPx,
 /usr/lib/dovecot/dovecot-auth Pxmr,
 /usr/lib/dovecot/imap Pxmr,
 /usr/lib/dovecot/imap-login Pxmr,
- /usr/lib/dovecot/lmtp Px,
- /usr/lib/dovecot/log Px,
- /usr/lib/dovecot/managesieve Px,
+ /usr/lib/dovecot/lmtp mrPx,
+ /usr/lib/dovecot/log mrPx,
+ /usr/lib/dovecot/managesieve mrPx,
 /usr/lib/dovecot/managesieve-login Pxmr,
- /usr/lib/dovecot/pop3 Px,
+ /usr/lib/dovecot/pop3 mrPx,
 /usr/lib/dovecot/pop3-login Pxmr,
 /usr/lib/dovecot/ssl-build-param rix,
- /usr/lib/dovecot/ssl-params Px,
+ /usr/lib/dovecot/ssl-params mrPx,
 /usr/sbin/dovecot mrix,
 /usr/share/dovecot/protocols.d/ r,
 /usr/share/dovecot/protocols.d/** r,
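Review bot: The `mr` additions on the anvil, log and managesieve rules are not backed by an observed denial (the commit message calls them a guess), so the hunk widens the profile on three paths without evidence. In AppArmor, `r` and `m` let the confined process itself read the file and map it executable, in addition to the `Px` transition, so each of the three is worth confirming against audit.log or marking in the profile, e.g. `# mr on anvil, log, managesieve not yet confirmed by audit.log`. The new rules are also spelled `mrPx` while the untouched neighbours (dovecot-auth, imap, the *-login helpers) use `Pxmr`; a single spelling throughout would make the list easier to audit. The profile body starts and ends outside this hunk.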