mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 14:25:52 +00:00
Code Issues Releases Wiki Activity

Merge branch 'cboltz-postfix-profiles' into 'master'

Browse Source 
update postfix profiles

On openSUSE Leap 15.1, the postfix binaries live in /usr/lib/postfix/bin/ which was not covered in the postfix.\* attachment and mrix rules.

Also add several permissions to the postfix.\* profiles needed on openSUSE Leap 15.1.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/380
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2019-06-14 04:31:14 +00:00
parent f10e72a14f 7016ac954b
commit 48e9f0ee2e
28 changed files with 103 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
profiles/apparmor/profiles/extras/postfix.anvil
View File

@@ -11,12 +11,12 @@
#include <tunables/global>
profile postfix-anvil /usr/lib/postfix/{sbin/,}anvil {
profile postfix-anvil /usr/lib/postfix/{bin/,sbin/,}anvil {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}anvil rmix,
/usr/lib/postfix/{bin/,sbin/,}anvil mrix,
/etc/postfix/main.cf r,
/{var/spool/postfix/,}private/anvil rw,

13
profiles/apparmor/profiles/extras/postfix.bounce
View File

@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
# Copyright (C) 2019 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -11,21 +12,24 @@
#include <tunables/global>
profile postfix-bounce /usr/lib/postfix/{sbin/,}bounce {
profile postfix-bounce /usr/lib/postfix/{bin/,sbin/,}bounce {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}bounce rmix,
/usr/lib/postfix/{bin/,sbin/,}bounce mrix,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwkl,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}active/[0-9A-F]/* rwk,
/{var/spool/postfix/,}active/[0-9A-F]/ rwl,
/{var/spool/postfix/,}bounce/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}bounce/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}bounce/[0-9A-F]/* rwk,
/{var/spool/postfix/,}bounce/[0-9A-F]/ rwl,
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwkl,
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}defer/[0-9A-F]/* rwkl,
/{var/spool/postfix/,}defer/[0-9A-F]/ rwl,
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/ rwl,
@@ -33,6 +37,7 @@ profile postfix-bounce /usr/lib/postfix/{sbin/,}bounce {
/{var/spool/postfix/,}trace/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}trace/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}trace/[0-9A-F]/ rwl,
/{var/spool/postfix/,}trace/[0-9A-F]* rwk,
/{var/spool/postfix/,}public/cleanup w,
/{var/spool/postfix/,}pid/unix.bounce rwk,

6
profiles/apparmor/profiles/extras/postfix.cleanup
View File

@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
# Copyright (C) 2019 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -11,14 +12,15 @@
#include <tunables/global>
profile postfix-cleanup /usr/lib/postfix/{sbin/,}cleanup {
profile postfix-cleanup /usr/lib/postfix/{bin/,sbin/,}cleanup {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
capability net_bind_service,
capability dac_read_search,
/usr/lib/postfix/{sbin/,}cleanup rmix,
/usr/lib/postfix/{bin/,sbin/,}cleanup mrix,
/{var/spool/postfix/,}incoming/[0-9]*.[0-9]* rwl,
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,

4
profiles/apparmor/profiles/extras/postfix.discard
View File

@@ -12,8 +12,8 @@
#include <tunables/global>
profile postfix-discard /usr/lib/postfix/{sbin/,}discard {
profile postfix-discard /usr/lib/postfix/{bin/,sbin/,}discard {
#include <abstractions/base>
/usr/lib/postfix/{sbin/,}discard rmix,
/usr/lib/postfix/{bin/,sbin/,}discard mrix,
}

4
profiles/apparmor/profiles/extras/postfix.dnsblog
View File

@@ -11,10 +11,10 @@
#include <tunables/global>
profile postfix-dnsblog /usr/lib/postfix/{sbin/,}dnsblog {
profile postfix-dnsblog /usr/lib/postfix/{bin/,sbin/,}dnsblog {
#include <abstractions/base>
/usr/lib/postfix/{sbin/,}dnsblog rmix,
/usr/lib/postfix/{bin/,sbin/,}dnsblog mrix,
/var/spool/postfix/private/dnsblog rw,
}

4
profiles/apparmor/profiles/extras/postfix.error
View File

@@ -12,12 +12,12 @@
#include <tunables/global>
profile postfix-error /usr/lib/postfix/{sbin/,}error {
profile postfix-error /usr/lib/postfix/{bin/,sbin/,}error {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}error rmix,
/usr/lib/postfix/{bin/,sbin/,}error mrix,
owner /var/spool/postfix/active/* rwk,
/var/spool/postfix/pid/unix.error rwk,

4
profiles/apparmor/profiles/extras/postfix.flush
View File

@@ -11,12 +11,12 @@
#include <tunables/global>
profile postfix-flush /usr/lib/postfix/{sbin/,}flush {
profile postfix-flush /usr/lib/postfix/{bin/,sbin/,}flush {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}flush rmix,
/usr/lib/postfix/{bin/,sbin/,}flush mrix,
/{var/spool/postfix/,}deferred/ r,
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl,

4
profiles/apparmor/profiles/extras/postfix.lmtp
View File

@@ -12,12 +12,12 @@
#include <tunables/global>
profile postfix-lmtp /usr/lib/postfix/{sbin/,}lmtp {
profile postfix-lmtp /usr/lib/postfix/{bin/,sbin/,}lmtp {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}lmtp rmix,
/usr/lib/postfix/{bin/,sbin/,}lmtp mrix,
/var/spool/postfix/active/* rwk,
/var/spool/postfix/pid/unix.lmtp rwk,

4
profiles/apparmor/profiles/extras/postfix.local
View File

@@ -11,7 +11,7 @@
#include <tunables/global>
profile postfix-local /usr/lib/postfix/{sbin/,}local {
profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
@@ -24,7 +24,7 @@ profile postfix-local /usr/lib/postfix/{sbin/,}local {
/var/mailman/mail/wrapper Px,
/usr/bin/mlmmj-recieve Px,
/usr/lib/postfix/{sbin/,}local rmix,
/usr/lib/postfix/{bin/,sbin/,}local mrix,
/{usr/,}bin/bash mixr,
/{usr/,}bin/date mixr,

42
profiles/apparmor/profiles/extras/postfix.master
View File

@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
# Copyright (C) 2019 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -11,7 +12,7 @@
#include <tunables/global>
profile postfix-master /usr/lib/postfix/{sbin/,}master {
profile postfix-master /usr/lib/postfix/{bin/,sbin/,}master {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
@@ -28,25 +29,30 @@ profile postfix-master /usr/lib/postfix/{sbin/,}master {
/etc/postfix/master.cf r,
/{var/spool/postfix/,}pid/master.pid rwk,
/{var/spool/postfix/,}pid/unix.lmtp wk,
/{var/spool/postfix/,}private/* wl,
/{var/spool/postfix/,}private/tlsmgr rwl,
/{var/spool/postfix/,}public/{cleanup,flush,pickup,qmgr,showq,tlsmgr} rwl,
/usr/lib/postfix/{sbin/,}anvil Px,
/usr/lib/postfix/{sbin/,}bounce Px,
/usr/lib/postfix/{sbin/,}cleanup Px,
/usr/lib/postfix/{sbin/,}flush Px,
/usr/lib/postfix/{sbin/,}local Px,
/usr/lib/postfix/{sbin/,}master rmix,
/usr/lib/postfix/{sbin/,}nqmgr Px,
/usr/lib/postfix/{sbin/,}proxymap Px,
/usr/lib/postfix/{sbin/,}pickup Px,
/usr/lib/postfix/{sbin/,}pipe Px,
/usr/lib/postfix/{sbin/,}qmgr Px,
/usr/lib/postfix/{sbin/,}scache Px,
/usr/lib/postfix/{sbin/,}showq Px,
/usr/lib/postfix/{sbin/,}smtp Px,
/usr/lib/postfix/{sbin/,}smtpd Px,
/usr/lib/postfix/{sbin/,}tlsmgr Px,
/usr/lib/postfix/{sbin/,}trivial-rewrite Px,
/usr/lib/postfix/{bin/,sbin/,}anvil Px,
/usr/lib/postfix/{bin/,sbin/,}bounce Px,
/usr/lib/postfix/{bin/,sbin/,}cleanup Px,
/usr/lib/postfix/{bin/,sbin/,}flush Px,
/usr/lib/postfix/{bin/,sbin/,}local Px,
/usr/lib/postfix/{bin/,sbin/,}lmtp mrPx,
/usr/lib/postfix/{bin/,sbin/,}master mrix,
/usr/lib/postfix/{bin/,sbin/,}nqmgr Px,
/usr/lib/postfix/{bin/,sbin/,}proxymap Px,
/usr/lib/postfix/{bin/,sbin/,}pickup Px,
/usr/lib/postfix/{bin/,sbin/,}pipe Px,
/usr/lib/postfix/{bin/,sbin/,}qmgr Px,
/usr/lib/postfix/{bin/,sbin/,}scache Px,
/usr/lib/postfix/{bin/,sbin/,}showq Px,
/usr/lib/postfix/{bin/,sbin/,}smtp Px,
/usr/lib/postfix/{bin/,sbin/,}smtpd Px,
/usr/lib/postfix/{bin/,sbin/,}tlsmgr Px,
/usr/lib/postfix/{bin/,sbin/,}trivial-rewrite Px,
owner /var/lib/postfix/master.lock rwk,
}

4
profiles/apparmor/profiles/extras/postfix.nqmgr
View File

@@ -11,12 +11,12 @@
#include <tunables/global>
profile postfix-nqmgr /usr/lib/postfix/{sbin/,}nqmgr {
profile postfix-nqmgr /usr/lib/postfix/{bin/,sbin/,}nqmgr {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}nqmgr rmix,
/usr/lib/postfix/{bin/,sbin/,}nqmgr mrix,
/{var/spool/postfix/,}active/ r,
/{var/spool/postfix/,}active/[0-9A-F]/ r,

4
profiles/apparmor/profiles/extras/postfix.oqmgr
View File

@@ -12,10 +12,10 @@
#include <tunables/global>
profile postfix-oqmgr /usr/lib/postfix/{sbin/,}oqmgr {
profile postfix-oqmgr /usr/lib/postfix/{bin/,sbin/,}oqmgr {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}oqmgr rmix,
/usr/lib/postfix/{bin/,sbin/,}oqmgr mrix,
}

4
profiles/apparmor/profiles/extras/postfix.pickup
View File

@@ -11,12 +11,12 @@
#include <tunables/global>
profile postfix-pickup /usr/lib/postfix/{sbin/,}pickup {
profile postfix-pickup /usr/lib/postfix/{bin/,sbin/,}pickup {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}pickup rmix,
/usr/lib/postfix/{bin/,sbin/,}pickup mrix,
/{var/spool/postfix/,}public/cleanup rw,
/{var/spool/postfix/,}public/pickup r,

4
profiles/apparmor/profiles/extras/postfix.pipe
View File

@@ -12,12 +12,12 @@
#include <tunables/global>
profile postfix-pipe /usr/lib/postfix/{sbin/,}pipe {
profile postfix-pipe /usr/lib/postfix/{bin/,sbin/,}pipe {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}pipe rmix,
/usr/lib/postfix/{bin/,sbin/,}pipe mrix,
/var/spool/postfix/active/* rwk,
/var/spool/postfix/private/bounce w,

4
profiles/apparmor/profiles/extras/postfix.postscreen
View File

@@ -10,8 +10,8 @@
#include <tunables/global>
profile postfix-postscreen /usr/lib/postfix/{sbin/,}postscreen {
profile postfix-postscreen /usr/lib/postfix/{bin/,sbin/,}postscreen {
#include <abstractions/base>
/usr/lib/postfix/{sbin/,}postscreen rmix,
/usr/lib/postfix/{bin/,sbin/,}postscreen mrix,
}

7
profiles/apparmor/profiles/extras/postfix.proxymap
View File

@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
# Copyright (C) 2019 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -11,11 +12,13 @@
#include <tunables/global>
profile postfix-proxymap /usr/lib/postfix/{sbin/,}proxymap {
profile postfix-proxymap /usr/lib/postfix/{bin/,sbin/,}proxymap {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}proxymap rmix,
/etc/my.cnf r,
/usr/lib/postfix/{bin/,sbin/,}proxymap mrix,
/{var/spool/postfix/,}private/proxymap rw,
}

6
profiles/apparmor/profiles/extras/postfix.qmgr
View File

@@ -11,12 +11,12 @@
#include <tunables/global>
profile postfix-qmgr /usr/lib/postfix/{sbin/,}qmgr {
profile postfix-qmgr /usr/lib/postfix/{bin/,sbin/,}qmgr {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}qmgr rmix,
/usr/lib/postfix/{bin/,sbin/,}qmgr mrix,
/{var/spool/postfix/,}active/ r,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
@@ -27,9 +27,11 @@ profile postfix-qmgr /usr/lib/postfix/{sbin/,}qmgr {
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}defer/[0-9A-F]/ rwl,
/{var/spool/postfix/,}defer/[0-9A-F]/* w,
/{var/spool/postfix/,}deferred/ r,
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}deferred/[0-9A-F]/* rw,
/{var/spool/postfix/,}deferred/[0-9A-F]/ rwl,
/{var/spool/postfix/,}incoming/ r,
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,

4
profiles/apparmor/profiles/extras/postfix.qmqpd
View File

@@ -11,10 +11,10 @@
#include <tunables/global>
profile postfix-qmqpd /usr/lib/postfix/{sbin/,}qmqpd {
profile postfix-qmqpd /usr/lib/postfix/{bin/,sbin/,}qmqpd {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}qmqpd rmix,
/usr/lib/postfix/{bin/,sbin/,}qmqpd mrix,
}

4
profiles/apparmor/profiles/extras/postfix.scache
View File

@@ -13,10 +13,10 @@
#include <tunables/global>
profile postfix-scache /usr/lib/postfix/{sbin/,}scache {
profile postfix-scache /usr/lib/postfix/{bin/,sbin/,}scache {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}scache rmix,
/usr/lib/postfix/{bin/,sbin/,}scache mrix,
}

8
profiles/apparmor/profiles/extras/postfix.showq
View File

@@ -11,12 +11,12 @@
#include <tunables/global>
profile postfix-showq /usr/lib/postfix/{sbin/,}showq {
profile postfix-showq /usr/lib/postfix/{bin/,sbin/,}showq {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}showq rmix,
/usr/lib/postfix/{bin/,sbin/,}showq mrix,
/{var/spool/postfix/,}active/ r,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* r,
@@ -40,5 +40,7 @@ profile postfix-showq /usr/lib/postfix/{sbin/,}showq {
/{var/spool/postfix/,}incoming/[0-9A-F]/ r,
/{var/spool/postfix/,}maildrop/ r,
/{var/spool/postfix/,}maildrop/[0-9A-F]/ r,
/{var/spool/postfix/,}pid/unix.showq rw,
/{var/spool/postfix/,}pid/unix.showq rwk,
owner /{var/spool/postfix,}/defer/[0-9A-F]/[0-9A-F]* r,
owner /{var/spool/postfix,}/deferred/[0-9A-F]/[0-9A-F]* r,
}

8
profiles/apparmor/profiles/extras/postfix.smtp
View File

@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
# Copyright (C) 2019 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -11,7 +12,7 @@
#include <tunables/global>
profile postfix-smtp /usr/lib/postfix/{sbin/,}smtp {
profile postfix-smtp /usr/lib/postfix/{bin/,sbin/,}smtp {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
@@ -21,10 +22,11 @@ profile postfix-smtp /usr/lib/postfix/{sbin/,}smtp {
capability dac_read_search,
capability net_bind_service,
/usr/lib/postfix/{sbin/,}smtp rmix,
/usr/lib/postfix/{bin/,sbin/,}smtp mrix,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}active/[0-9A-F]/* rwk,
/{var/spool/postfix/,}active/[0-9A-F]/ rwl,
/{var/spool/postfix/,}private/anvil w,
/{var/spool/postfix/,}private/bounce w,
@@ -34,7 +36,7 @@ profile postfix-smtp /usr/lib/postfix/{sbin/,}smtp {
/{var/spool/postfix/,}private/tlsmgr w,
/{var/spool/postfix/,}private/trace w,
/{var/spool/postfix/,}public/flush w,
/{var/spool/postfix/,}pid/unix.smtp rw,
/{var/spool/postfix/,}pid/unix.smtp rwk,
/{var/spool/postfix/,}pid/unix.relay rw,
/etc/postfix/{ssl/,}*.pem r,
/etc/postfix/prng_exch rw,

7
profiles/apparmor/profiles/extras/postfix.smtpd
View File

@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
# Copyright (C) 2019 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -11,7 +12,7 @@
#include <tunables/global>
profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd {
profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
@@ -22,7 +23,7 @@ profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd {
capability dac_override,
capability dac_read_search,
/usr/lib/postfix/{sbin/,}smtpd rmix,
/usr/lib/postfix/{bin/,sbin/,}smtpd mrix,
/usr/sbin/postdrop rPx,
/dev/urandom r,
@@ -32,6 +33,7 @@ profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd {
/etc/mtab r,
/etc/fstab r,
/etc/postfix/*.db r,
/etc/postfix/*.regexp r,
/etc/postfix/{ssl/,}*.pem r,
/etc/postfix/smtpd_scache.dir r,
/etc/postfix/smtpd_scache.pag rw,
@@ -40,6 +42,7 @@ profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd {
/usr/share/ssl/certs/ca-bundle.crt r,
/{var/spool/postfix/,}incoming/* rw,
/{var/spool/postfix/,}pid/inet.* rwk,
/{var/spool/postfix/,}private/anvil rw,
/{var/spool/postfix/,}private/proxymap rw,

4
profiles/apparmor/profiles/extras/postfix.spawn
View File

@@ -11,10 +11,10 @@
#include <tunables/global>
profile postfix-spawn /usr/lib/postfix/{sbin/,}spawn {
profile postfix-spawn /usr/lib/postfix/{bin/,sbin/,}spawn {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}spawn rmix,
/usr/lib/postfix/{bin/,sbin/,}spawn mrix,
}

4
profiles/apparmor/profiles/extras/postfix.tlsmgr
View File

@@ -12,12 +12,12 @@
#include <tunables/global>
profile postfix-tlsmgr /usr/lib/postfix/{sbin/,}tlsmgr {
profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}tlsmgr rmix,
/usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix,
/var/spool/postfix/dev/urandom r,
/{etc,var/lib}/postfix/prng_exch rwk,

7
profiles/apparmor/profiles/extras/postfix.trivial-rewrite
View File

@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
# Copyright (C) 2019 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -11,12 +12,14 @@
#include <tunables/global>
profile postfix-trivial-rewrite /usr/lib/postfix/{sbin/,}trivial-rewrite {
profile postfix-trivial-rewrite /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}trivial-rewrite rmix,
capability dac_read_search,
/usr/lib/postfix/{bin/,sbin/,}trivial-rewrite mrix,
/etc/postfix/relocated.db r,
/etc/postfix/transport.db r,

4
profiles/apparmor/profiles/extras/postfix.verify
View File

@@ -11,10 +11,10 @@
#include <tunables/global>
profile postfix-verify /usr/lib/postfix/{sbin/,}verify {
profile postfix-verify /usr/lib/postfix/{bin/,sbin/,}verify {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}verify rmix,
/usr/lib/postfix/{bin/,sbin/,}verify mrix,
}

4
profiles/apparmor/profiles/extras/postfix.virtual
View File

@@ -11,12 +11,12 @@
#include <tunables/global>
profile postfix-virtual /usr/lib/postfix/{sbin/,}virtual {
profile postfix-virtual /usr/lib/postfix/{bin/,sbin/,}virtual {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/postfix-common>
/usr/lib/postfix/{sbin/,}virtual rmix,
/usr/lib/postfix/{bin/,sbin/,}virtual mrix,
/var/spool/postfix/active/* rw,
/var/spool/postfix/pid/unix.virtual rw,

2
profiles/apparmor/profiles/extras/usr.sbin.postqueue
View File

@@ -22,7 +22,7 @@
/etc/postfix r,
/usr/sbin/postqueue rmix,
/usr/lib/postfix/showq Px,
/usr/lib/postfix/{bin/,sbin/,}showq Px,
/var/spool/postfix r,
/var/spool/postfix/maildrop r,
/var/spool/postfix/maildrop/* rwl,