diff --git a/profiles/apparmor/profiles/extras/postfix.anvil b/profiles/apparmor/profiles/extras/postfix.anvil index d22d81b15..c63c33245 100644 --- a/profiles/apparmor/profiles/extras/postfix.anvil +++ b/profiles/apparmor/profiles/extras/postfix.anvil @@ -11,12 +11,12 @@ #include -profile postfix-anvil /usr/lib/postfix/{sbin/,}anvil { +profile postfix-anvil /usr/lib/postfix/{bin/,sbin/,}anvil { #include #include #include - /usr/lib/postfix/{sbin/,}anvil rmix, + /usr/lib/postfix/{bin/,sbin/,}anvil mrix, /etc/postfix/main.cf r, /{var/spool/postfix/,}private/anvil rw, diff --git a/profiles/apparmor/profiles/extras/postfix.bounce b/profiles/apparmor/profiles/extras/postfix.bounce index 91a25afb7..1f47de6d8 100644 --- a/profiles/apparmor/profiles/extras/postfix.bounce +++ b/profiles/apparmor/profiles/extras/postfix.bounce @@ -2,6 +2,7 @@ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2018 Canonical, Ltd. +# Copyright (C) 2019 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public 
@@ -11,21 +12,24 @@ #include -profile postfix-bounce /usr/lib/postfix/{sbin/,}bounce { +profile postfix-bounce /usr/lib/postfix/{bin/,sbin/,}bounce { #include #include #include - /usr/lib/postfix/{sbin/,}bounce rmix, + /usr/lib/postfix/{bin/,sbin/,}bounce mrix, - /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl, + /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwkl, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl, + /{var/spool/postfix/,}active/[0-9A-F]/* rwk, /{var/spool/postfix/,}active/[0-9A-F]/ rwl, /{var/spool/postfix/,}bounce/[0-9A-F]/[0-9A-F]/* rwl, /{var/spool/postfix/,}bounce/[0-9A-F]/[0-9A-F]/ rwl, + /{var/spool/postfix/,}bounce/[0-9A-F]/* rwk, /{var/spool/postfix/,}bounce/[0-9A-F]/ rwl, - /{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwl, + /{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwkl, /{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/ rwl, + /{var/spool/postfix/,}defer/[0-9A-F]/* rwkl, /{var/spool/postfix/,}defer/[0-9A-F]/ rwl, /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl, /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/ rwl, @@ -33,6 +37,7 @@ profile postfix-bounce /usr/lib/postfix/{sbin/,}bounce { /{var/spool/postfix/,}trace/[0-9A-F]/[0-9A-F]/* rwl, /{var/spool/postfix/,}trace/[0-9A-F]/[0-9A-F]/ rwl, /{var/spool/postfix/,}trace/[0-9A-F]/ rwl, + /{var/spool/postfix/,}trace/[0-9A-F]* rwk, /{var/spool/postfix/,}public/cleanup w, /{var/spool/postfix/,}pid/unix.bounce rwk, diff --git a/profiles/apparmor/profiles/extras/postfix.cleanup b/profiles/apparmor/profiles/extras/postfix.cleanup index f5ff794c8..d249de2fa 100644 --- a/profiles/apparmor/profiles/extras/postfix.cleanup +++ b/profiles/apparmor/profiles/extras/postfix.cleanup @@ -2,6 +2,7 @@ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2018 Canonical, Ltd. +# Copyright (C) 2019 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public 
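Review bot: The lock and link permissions added to postfix.bounce in the `@@ -11,21 +12,24 @@` hunk are not uniform, and nothing in the profile says why. The two-level `active/` and `defer/` file rules gain `k`, the two-level `bounce/` and `incoming/` rules stay `rwl`, the new `bounce/[0-9A-F]/* rwk` has no `l`, and the new `defer/[0-9A-F]/* rwkl` does. If each set mirrors an observed denial, a short comment above the block such as `# permissions per queue follow observed denials; do not widen without a log entry` would stop a later editor from levelling everything up to `rwkl`. The profile body starts and ends outside the hunk.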
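Review bot: The rule added in the `@@ -33,6 +37,7 @@` hunk, `/{var/spool/postfix/,}trace/[0-9A-F]* rwk,`, has no `/` before the `*`, unlike every other single-level rule this commit adds to the profile (`active/[0-9A-F]/* rwk`, `bounce/[0-9A-F]/* rwk`, `defer/[0-9A-F]/* rwkl`). As written it matches files directly under `trace/` whose name starts with a hex digit, not files inside a one-character hash directory. If the hashed layout was meant, the line should read `/{var/spool/postfix/,}trace/[0-9A-F]/* rwk,`. If the flat layout is intended, a trailing comment saying so would keep it from being "corrected" later.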
@@ -11,14 +12,15 @@ #include -profile postfix-cleanup /usr/lib/postfix/{sbin/,}cleanup { +profile postfix-cleanup /usr/lib/postfix/{bin/,sbin/,}cleanup { #include #include #include capability net_bind_service, + capability dac_read_search, - /usr/lib/postfix/{sbin/,}cleanup rmix, + /usr/lib/postfix/{bin/,sbin/,}cleanup mrix, /{var/spool/postfix/,}incoming/[0-9]*.[0-9]* rwl, /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl, diff --git a/profiles/apparmor/profiles/extras/postfix.discard b/profiles/apparmor/profiles/extras/postfix.discard index b695bacbc..230136e03 100644 --- a/profiles/apparmor/profiles/extras/postfix.discard +++ b/profiles/apparmor/profiles/extras/postfix.discard @@ -12,8 +12,8 @@ #include -profile postfix-discard /usr/lib/postfix/{sbin/,}discard { +profile postfix-discard /usr/lib/postfix/{bin/,sbin/,}discard { #include - /usr/lib/postfix/{sbin/,}discard rmix, + /usr/lib/postfix/{bin/,sbin/,}discard mrix, } diff --git a/profiles/apparmor/profiles/extras/postfix.dnsblog b/profiles/apparmor/profiles/extras/postfix.dnsblog index 902663a2c..d089a009b 100644 --- a/profiles/apparmor/profiles/extras/postfix.dnsblog +++ b/profiles/apparmor/profiles/extras/postfix.dnsblog @@ -11,10 +11,10 @@ #include -profile postfix-dnsblog /usr/lib/postfix/{sbin/,}dnsblog { +profile postfix-dnsblog /usr/lib/postfix/{bin/,sbin/,}dnsblog { #include - /usr/lib/postfix/{sbin/,}dnsblog rmix, + /usr/lib/postfix/{bin/,sbin/,}dnsblog mrix, /var/spool/postfix/private/dnsblog rw, } diff --git a/profiles/apparmor/profiles/extras/postfix.error b/profiles/apparmor/profiles/extras/postfix.error index 641ffef67..80fce1469 100644 --- a/profiles/apparmor/profiles/extras/postfix.error +++ b/profiles/apparmor/profiles/extras/postfix.error 
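Review bot: `capability dac_read_search,` is added to postfix-cleanup with no comment saying which access needs it, and the same addition appears in postfix.trivial-rewrite. The capability lets the process skip read permission checks on files and search checks on directories, so within the paths the profile already allows it removes the DAC layer entirely. If the denial came from one file or directory the postfix user cannot read, fixing that ownership or mode is the narrower change. Otherwise record the reason next to the rule, e.g. `capability dac_read_search, # needed for <path seen in audit log>`. The profile body continues outside the hunk.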
@@ -12,12 +12,12 @@ #include -profile postfix-error /usr/lib/postfix/{sbin/,}error { +profile postfix-error /usr/lib/postfix/{bin/,sbin/,}error { #include #include #include - /usr/lib/postfix/{sbin/,}error rmix, + /usr/lib/postfix/{bin/,sbin/,}error mrix, owner /var/spool/postfix/active/* rwk, /var/spool/postfix/pid/unix.error rwk, diff --git a/profiles/apparmor/profiles/extras/postfix.flush b/profiles/apparmor/profiles/extras/postfix.flush index 32910646d..b3384b7a6 100644 --- a/profiles/apparmor/profiles/extras/postfix.flush +++ b/profiles/apparmor/profiles/extras/postfix.flush @@ -11,12 +11,12 @@ #include -profile postfix-flush /usr/lib/postfix/{sbin/,}flush { +profile postfix-flush /usr/lib/postfix/{bin/,sbin/,}flush { #include #include #include - /usr/lib/postfix/{sbin/,}flush rmix, + /usr/lib/postfix/{bin/,sbin/,}flush mrix, /{var/spool/postfix/,}deferred/ r, /{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl, diff --git a/profiles/apparmor/profiles/extras/postfix.lmtp b/profiles/apparmor/profiles/extras/postfix.lmtp index 867d9d603..df1d169ec 100644 --- a/profiles/apparmor/profiles/extras/postfix.lmtp +++ b/profiles/apparmor/profiles/extras/postfix.lmtp @@ -12,12 +12,12 @@ #include -profile postfix-lmtp /usr/lib/postfix/{sbin/,}lmtp { +profile postfix-lmtp /usr/lib/postfix/{bin/,sbin/,}lmtp { #include #include #include - /usr/lib/postfix/{sbin/,}lmtp rmix, + /usr/lib/postfix/{bin/,sbin/,}lmtp mrix, /var/spool/postfix/active/* rwk, /var/spool/postfix/pid/unix.lmtp rwk, diff --git a/profiles/apparmor/profiles/extras/postfix.local b/profiles/apparmor/profiles/extras/postfix.local index 0798b2fc4..25a96ebc6 100644 --- a/profiles/apparmor/profiles/extras/postfix.local +++ b/profiles/apparmor/profiles/extras/postfix.local @@ -11,7 +11,7 @@ #include -profile postfix-local /usr/lib/postfix/{sbin/,}local { +profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local { #include #include #include 
@@ -24,7 +24,7 @@ profile postfix-local /usr/lib/postfix/{sbin/,}local { /var/mailman/mail/wrapper Px, /usr/bin/mlmmj-recieve Px, - /usr/lib/postfix/{sbin/,}local rmix, + /usr/lib/postfix/{bin/,sbin/,}local mrix, /{usr/,}bin/bash mixr, /{usr/,}bin/date mixr, diff --git a/profiles/apparmor/profiles/extras/postfix.master b/profiles/apparmor/profiles/extras/postfix.master index c952f7ee9..af8143f97 100644 --- a/profiles/apparmor/profiles/extras/postfix.master +++ b/profiles/apparmor/profiles/extras/postfix.master @@ -2,6 +2,7 @@ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2018 Canonical, Ltd. +# Copyright (C) 2019 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -11,7 +12,7 @@ #include -profile postfix-master /usr/lib/postfix/{sbin/,}master { +profile postfix-master /usr/lib/postfix/{bin/,sbin/,}master { #include #include #include 
@@ -28,25 +29,30 @@ profile postfix-master /usr/lib/postfix/{sbin/,}master { /etc/postfix/master.cf r, /{var/spool/postfix/,}pid/master.pid rwk, + /{var/spool/postfix/,}pid/unix.lmtp wk, + /{var/spool/postfix/,}private/* wl, /{var/spool/postfix/,}private/tlsmgr rwl, /{var/spool/postfix/,}public/{cleanup,flush,pickup,qmgr,showq,tlsmgr} rwl, - /usr/lib/postfix/{sbin/,}anvil Px, - /usr/lib/postfix/{sbin/,}bounce Px, - /usr/lib/postfix/{sbin/,}cleanup Px, - /usr/lib/postfix/{sbin/,}flush Px, - /usr/lib/postfix/{sbin/,}local Px, - /usr/lib/postfix/{sbin/,}master rmix, - /usr/lib/postfix/{sbin/,}nqmgr Px, - /usr/lib/postfix/{sbin/,}proxymap Px, - /usr/lib/postfix/{sbin/,}pickup Px, - /usr/lib/postfix/{sbin/,}pipe Px, - /usr/lib/postfix/{sbin/,}qmgr Px, - /usr/lib/postfix/{sbin/,}scache Px, - /usr/lib/postfix/{sbin/,}showq Px, - /usr/lib/postfix/{sbin/,}smtp Px, - /usr/lib/postfix/{sbin/,}smtpd Px, - /usr/lib/postfix/{sbin/,}tlsmgr Px, - /usr/lib/postfix/{sbin/,}trivial-rewrite Px, + /usr/lib/postfix/{bin/,sbin/,}anvil Px, + /usr/lib/postfix/{bin/,sbin/,}bounce Px, + /usr/lib/postfix/{bin/,sbin/,}cleanup Px, + /usr/lib/postfix/{bin/,sbin/,}flush Px, + /usr/lib/postfix/{bin/,sbin/,}local Px, + /usr/lib/postfix/{bin/,sbin/,}lmtp mrPx, + /usr/lib/postfix/{bin/,sbin/,}master mrix, + /usr/lib/postfix/{bin/,sbin/,}nqmgr Px, + /usr/lib/postfix/{bin/,sbin/,}proxymap Px, + /usr/lib/postfix/{bin/,sbin/,}pickup Px, + /usr/lib/postfix/{bin/,sbin/,}pipe Px, + /usr/lib/postfix/{bin/,sbin/,}qmgr Px, + /usr/lib/postfix/{bin/,sbin/,}scache Px, + /usr/lib/postfix/{bin/,sbin/,}showq Px, + /usr/lib/postfix/{bin/,sbin/,}smtp Px, + /usr/lib/postfix/{bin/,sbin/,}smtpd Px, + /usr/lib/postfix/{bin/,sbin/,}tlsmgr Px, + /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite Px, + + owner /var/lib/postfix/master.lock rwk, } diff --git a/profiles/apparmor/profiles/extras/postfix.nqmgr b/profiles/apparmor/profiles/extras/postfix.nqmgr index 24249df03..6a0a5f26c 100644 
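Review bot: `/{var/spool/postfix/,}private/* wl,` in postfix.master grants write and link on every name under `private/`, which is wider than the enumerated style used on the next lines (`private/tlsmgr rwl`, `public/{cleanup,flush,pickup,qmgr,showq,tlsmgr} rwl`). If master really has to create one socket per master.cf service, say so in a comment above the rule; otherwise list the service names as the `public/` rule does. Separately, `/usr/lib/postfix/{bin/,sbin/,}lmtp mrPx,` is the only child entry carrying `mr`, so master may read and map that binary. Unless a denial showed this is needed, `/usr/lib/postfix/{bin/,sbin/,}lmtp Px,` matches its siblings. The profile header lies outside the hunk.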
--- a/profiles/apparmor/profiles/extras/postfix.nqmgr +++ b/profiles/apparmor/profiles/extras/postfix.nqmgr @@ -11,12 +11,12 @@ #include -profile postfix-nqmgr /usr/lib/postfix/{sbin/,}nqmgr { +profile postfix-nqmgr /usr/lib/postfix/{bin/,sbin/,}nqmgr { #include #include #include - /usr/lib/postfix/{sbin/,}nqmgr rmix, + /usr/lib/postfix/{bin/,sbin/,}nqmgr mrix, /{var/spool/postfix/,}active/ r, /{var/spool/postfix/,}active/[0-9A-F]/ r, diff --git a/profiles/apparmor/profiles/extras/postfix.oqmgr b/profiles/apparmor/profiles/extras/postfix.oqmgr index 7cb107b3d..b8e766e34 100644 --- a/profiles/apparmor/profiles/extras/postfix.oqmgr +++ b/profiles/apparmor/profiles/extras/postfix.oqmgr @@ -12,10 +12,10 @@ #include -profile postfix-oqmgr /usr/lib/postfix/{sbin/,}oqmgr { +profile postfix-oqmgr /usr/lib/postfix/{bin/,sbin/,}oqmgr { #include #include #include - /usr/lib/postfix/{sbin/,}oqmgr rmix, + /usr/lib/postfix/{bin/,sbin/,}oqmgr mrix, } diff --git a/profiles/apparmor/profiles/extras/postfix.pickup b/profiles/apparmor/profiles/extras/postfix.pickup index 434423743..8cfc2e4ad 100644 --- a/profiles/apparmor/profiles/extras/postfix.pickup +++ b/profiles/apparmor/profiles/extras/postfix.pickup @@ -11,12 +11,12 @@ #include -profile postfix-pickup /usr/lib/postfix/{sbin/,}pickup { +profile postfix-pickup /usr/lib/postfix/{bin/,sbin/,}pickup { #include #include #include - /usr/lib/postfix/{sbin/,}pickup rmix, + /usr/lib/postfix/{bin/,sbin/,}pickup mrix, /{var/spool/postfix/,}public/cleanup rw, /{var/spool/postfix/,}public/pickup r, diff --git a/profiles/apparmor/profiles/extras/postfix.pipe b/profiles/apparmor/profiles/extras/postfix.pipe index 93639cb5e..0db3d5fb2 100644 --- a/profiles/apparmor/profiles/extras/postfix.pipe +++ b/profiles/apparmor/profiles/extras/postfix.pipe 
@@ -12,12 +12,12 @@ #include -profile postfix-pipe /usr/lib/postfix/{sbin/,}pipe { +profile postfix-pipe /usr/lib/postfix/{bin/,sbin/,}pipe { #include #include #include - /usr/lib/postfix/{sbin/,}pipe rmix, + /usr/lib/postfix/{bin/,sbin/,}pipe mrix, /var/spool/postfix/active/* rwk, /var/spool/postfix/private/bounce w, diff --git a/profiles/apparmor/profiles/extras/postfix.postscreen b/profiles/apparmor/profiles/extras/postfix.postscreen index 6df91d7aa..9fd26d17d 100644 --- a/profiles/apparmor/profiles/extras/postfix.postscreen +++ b/profiles/apparmor/profiles/extras/postfix.postscreen @@ -10,8 +10,8 @@ #include -profile postfix-postscreen /usr/lib/postfix/{sbin/,}postscreen { +profile postfix-postscreen /usr/lib/postfix/{bin/,sbin/,}postscreen { #include - /usr/lib/postfix/{sbin/,}postscreen rmix, + /usr/lib/postfix/{bin/,sbin/,}postscreen mrix, } diff --git a/profiles/apparmor/profiles/extras/postfix.proxymap b/profiles/apparmor/profiles/extras/postfix.proxymap index 70066e15c..2d18137db 100644 --- a/profiles/apparmor/profiles/extras/postfix.proxymap +++ b/profiles/apparmor/profiles/extras/postfix.proxymap @@ -2,6 +2,7 @@ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2018 Canonical, Ltd. +# Copyright (C) 2019 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -11,11 +12,13 @@ #include -profile postfix-proxymap /usr/lib/postfix/{sbin/,}proxymap { +profile postfix-proxymap /usr/lib/postfix/{bin/,sbin/,}proxymap { #include #include + #include #include - /usr/lib/postfix/{sbin/,}proxymap rmix, + /etc/my.cnf r, + /usr/lib/postfix/{bin/,sbin/,}proxymap mrix, /{var/spool/postfix/,}private/proxymap rw, } diff --git a/profiles/apparmor/profiles/extras/postfix.qmgr b/profiles/apparmor/profiles/extras/postfix.qmgr index f2c044cab..b7216e6e6 100644 --- a/profiles/apparmor/profiles/extras/postfix.qmgr +++ b/profiles/apparmor/profiles/extras/postfix.qmgr 
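Review bot: `/etc/my.cnf r,` is granted to postfix-proxymap unconditionally in the `@@ -11,11 +12,13 @@` hunk, together with an added `#include` whose target is not visible on this page. Both are presumably needed only when proxymap serves MySQL lookup tables, and the client option file can hold connection credentials. A comment such as `# only needed for mysql: lookup tables` would tell an administrator without such tables that the rule can be dropped locally. If the option file pulls in a directory such as `/etc/my.cnf.d/`, this single-file rule would not cover it, which is worth checking against the abstraction being included.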
@@ -11,12 +11,12 @@ #include -profile postfix-qmgr /usr/lib/postfix/{sbin/,}qmgr { +profile postfix-qmgr /usr/lib/postfix/{bin/,sbin/,}qmgr { #include #include #include - /usr/lib/postfix/{sbin/,}qmgr rmix, + /usr/lib/postfix/{bin/,sbin/,}qmgr mrix, /{var/spool/postfix/,}active/ r, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl, @@ -27,9 +27,11 @@ profile postfix-qmgr /usr/lib/postfix/{sbin/,}qmgr { /{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwl, /{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/ rwl, /{var/spool/postfix/,}defer/[0-9A-F]/ rwl, + /{var/spool/postfix/,}defer/[0-9A-F]/* w, /{var/spool/postfix/,}deferred/ r, /{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl, /{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/ rwl, + /{var/spool/postfix/,}deferred/[0-9A-F]/* rw, /{var/spool/postfix/,}deferred/[0-9A-F]/ rwl, /{var/spool/postfix/,}incoming/ r, /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl, diff --git a/profiles/apparmor/profiles/extras/postfix.qmqpd b/profiles/apparmor/profiles/extras/postfix.qmqpd index 29b74da52..74565a431 100644 --- a/profiles/apparmor/profiles/extras/postfix.qmqpd +++ b/profiles/apparmor/profiles/extras/postfix.qmqpd @@ -11,10 +11,10 @@ #include -profile postfix-qmqpd /usr/lib/postfix/{sbin/,}qmqpd { +profile postfix-qmqpd /usr/lib/postfix/{bin/,sbin/,}qmqpd { #include #include #include - /usr/lib/postfix/{sbin/,}qmqpd rmix, + /usr/lib/postfix/{bin/,sbin/,}qmqpd mrix, } diff --git a/profiles/apparmor/profiles/extras/postfix.scache b/profiles/apparmor/profiles/extras/postfix.scache index ec5a8ccf3..512c6e6fa 100644 --- a/profiles/apparmor/profiles/extras/postfix.scache +++ b/profiles/apparmor/profiles/extras/postfix.scache @@ -13,10 +13,10 @@ #include -profile postfix-scache /usr/lib/postfix/{sbin/,}scache { +profile postfix-scache /usr/lib/postfix/{bin/,sbin/,}scache { #include #include #include - /usr/lib/postfix/{sbin/,}scache rmix, + /usr/lib/postfix/{bin/,sbin/,}scache mrix, } 
diff --git a/profiles/apparmor/profiles/extras/postfix.showq b/profiles/apparmor/profiles/extras/postfix.showq index 9306c9d99..1fc08769e 100644 --- a/profiles/apparmor/profiles/extras/postfix.showq +++ b/profiles/apparmor/profiles/extras/postfix.showq @@ -11,12 +11,12 @@ #include -profile postfix-showq /usr/lib/postfix/{sbin/,}showq { +profile postfix-showq /usr/lib/postfix/{bin/,sbin/,}showq { #include #include #include - /usr/lib/postfix/{sbin/,}showq rmix, + /usr/lib/postfix/{bin/,sbin/,}showq mrix, /{var/spool/postfix/,}active/ r, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* r, @@ -40,5 +40,7 @@ profile postfix-showq /usr/lib/postfix/{sbin/,}showq { /{var/spool/postfix/,}incoming/[0-9A-F]/ r, /{var/spool/postfix/,}maildrop/ r, /{var/spool/postfix/,}maildrop/[0-9A-F]/ r, - /{var/spool/postfix/,}pid/unix.showq rw, + /{var/spool/postfix/,}pid/unix.showq rwk, + owner /{var/spool/postfix,}/defer/[0-9A-F]/[0-9A-F]* r, + owner /{var/spool/postfix,}/deferred/[0-9A-F]/[0-9A-F]* r, } diff --git a/profiles/apparmor/profiles/extras/postfix.smtp b/profiles/apparmor/profiles/extras/postfix.smtp index 24ed86f0e..bb15514be 100644 --- a/profiles/apparmor/profiles/extras/postfix.smtp +++ b/profiles/apparmor/profiles/extras/postfix.smtp @@ -2,6 +2,7 @@ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2018 Canonical, Ltd. +# Copyright (C) 2019 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -11,7 +12,7 @@ #include -profile postfix-smtp /usr/lib/postfix/{sbin/,}smtp { +profile postfix-smtp /usr/lib/postfix/{bin/,sbin/,}smtp { #include #include #include 
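Review bot: The two `owner` rules added at the end of postfix.showq put the slash outside the alternation, `/{var/spool/postfix,}/defer/...`, whereas every other rule in the profile writes `/{var/spool/postfix/,}defer/...`. With the empty alternative the new form expands to a path beginning `//defer/`, which may not match the chroot-relative `/defer/...` path the sibling rules cover, depending on how the parser treats a leading double slash. Writing them as `owner /{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]* r,` and `owner /{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]* r,` removes that doubt. The tail `[0-9A-F]/[0-9A-F]*` also differs from the `[0-9A-F]/[0-9A-F]/*` shape used above it in the file, so a comment on the intended directory depth would help.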
@@ -21,10 +22,11 @@ profile postfix-smtp /usr/lib/postfix/{sbin/,}smtp { capability dac_read_search, capability net_bind_service, - /usr/lib/postfix/{sbin/,}smtp rmix, + /usr/lib/postfix/{bin/,sbin/,}smtp mrix, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl, + /{var/spool/postfix/,}active/[0-9A-F]/* rwk, /{var/spool/postfix/,}active/[0-9A-F]/ rwl, /{var/spool/postfix/,}private/anvil w, /{var/spool/postfix/,}private/bounce w, @@ -34,7 +36,7 @@ profile postfix-smtp /usr/lib/postfix/{sbin/,}smtp { /{var/spool/postfix/,}private/tlsmgr w, /{var/spool/postfix/,}private/trace w, /{var/spool/postfix/,}public/flush w, - /{var/spool/postfix/,}pid/unix.smtp rw, + /{var/spool/postfix/,}pid/unix.smtp rwk, /{var/spool/postfix/,}pid/unix.relay rw, /etc/postfix/{ssl/,}*.pem r, /etc/postfix/prng_exch rw, diff --git a/profiles/apparmor/profiles/extras/postfix.smtpd b/profiles/apparmor/profiles/extras/postfix.smtpd index dd1d1feac..a02274284 100644 --- a/profiles/apparmor/profiles/extras/postfix.smtpd +++ b/profiles/apparmor/profiles/extras/postfix.smtpd @@ -2,6 +2,7 @@ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2018 Canonical, Ltd. +# Copyright (C) 2019 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -11,7 +12,7 @@ #include -profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd { +profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd { #include #include #include @@ -22,7 +23,7 @@ profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd { capability dac_override, capability dac_read_search, - /usr/lib/postfix/{sbin/,}smtpd rmix, + /usr/lib/postfix/{bin/,sbin/,}smtpd mrix, /usr/sbin/postdrop rPx, /dev/urandom r, 
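Review bot: In the `@@ -34,7 +36,7 @@` hunk of postfix.smtp, `pid/unix.smtp` gains the lock permission but the adjacent context line `/{var/spool/postfix/,}pid/unix.relay rw,` is left without it. If the relay service runs the same binary under this profile, it would presumably hit the same lock denial that prompted the change. Changing that line to `/{var/spool/postfix/,}pid/unix.relay rwk,` in the same commit would keep the two pid files consistent. The profile body extends beyond the hunk on both sides.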
@@ -32,6 +33,7 @@ profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd { /etc/mtab r, /etc/fstab r, /etc/postfix/*.db r, + /etc/postfix/*.regexp r, /etc/postfix/{ssl/,}*.pem r, /etc/postfix/smtpd_scache.dir r, /etc/postfix/smtpd_scache.pag rw, @@ -40,6 +42,7 @@ profile postfix-smtpd /usr/lib/postfix/{sbin/,}smtpd { /usr/share/ssl/certs/ca-bundle.crt r, + /{var/spool/postfix/,}incoming/* rw, /{var/spool/postfix/,}pid/inet.* rwk, /{var/spool/postfix/,}private/anvil rw, /{var/spool/postfix/,}private/proxymap rw, diff --git a/profiles/apparmor/profiles/extras/postfix.spawn b/profiles/apparmor/profiles/extras/postfix.spawn index 475576c53..6e1fb181f 100644 --- a/profiles/apparmor/profiles/extras/postfix.spawn +++ b/profiles/apparmor/profiles/extras/postfix.spawn @@ -11,10 +11,10 @@ #include -profile postfix-spawn /usr/lib/postfix/{sbin/,}spawn { +profile postfix-spawn /usr/lib/postfix/{bin/,sbin/,}spawn { #include #include #include - /usr/lib/postfix/{sbin/,}spawn rmix, + /usr/lib/postfix/{bin/,sbin/,}spawn mrix, } diff --git a/profiles/apparmor/profiles/extras/postfix.tlsmgr b/profiles/apparmor/profiles/extras/postfix.tlsmgr index cb803d7e9..4a4b9866b 100644 --- a/profiles/apparmor/profiles/extras/postfix.tlsmgr +++ b/profiles/apparmor/profiles/extras/postfix.tlsmgr @@ -12,12 +12,12 @@ #include -profile postfix-tlsmgr /usr/lib/postfix/{sbin/,}tlsmgr { +profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr { #include #include #include - /usr/lib/postfix/{sbin/,}tlsmgr rmix, + /usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix, /var/spool/postfix/dev/urandom r, /{etc,var/lib}/postfix/prng_exch rwk, diff --git a/profiles/apparmor/profiles/extras/postfix.trivial-rewrite b/profiles/apparmor/profiles/extras/postfix.trivial-rewrite index 59dd4b9cc..1cac03bb2 100644 --- a/profiles/apparmor/profiles/extras/postfix.trivial-rewrite +++ b/profiles/apparmor/profiles/extras/postfix.trivial-rewrite 
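Review bot: `/{var/spool/postfix/,}incoming/* rw,` in the `@@ -40,6 +42,7 @@` hunk gives the network-facing smtpd profile read and write access to every file directly under `incoming/`, with no `owner` qualifier and no note on why smtpd touches the queue directly. postfix.error already restricts its queue rule with `owner /var/spool/postfix/active/* rwk,`. If the files are created under smtpd's own uid, `owner /{var/spool/postfix/,}incoming/* rw,` would be the tighter form. A comment naming the configuration that triggered the denial would also let reviewers judge whether read access is needed at all.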
@@ -2,6 +2,7 @@ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2018 Canonical, Ltd. +# Copyright (C) 2019 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -11,12 +12,14 @@ #include -profile postfix-trivial-rewrite /usr/lib/postfix/{sbin/,}trivial-rewrite { +profile postfix-trivial-rewrite /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite { #include #include #include - /usr/lib/postfix/{sbin/,}trivial-rewrite rmix, + capability dac_read_search, + + /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite mrix, /etc/postfix/relocated.db r, /etc/postfix/transport.db r, diff --git a/profiles/apparmor/profiles/extras/postfix.verify b/profiles/apparmor/profiles/extras/postfix.verify index 23caf8314..b29955c68 100644 --- a/profiles/apparmor/profiles/extras/postfix.verify +++ b/profiles/apparmor/profiles/extras/postfix.verify @@ -11,10 +11,10 @@ #include -profile postfix-verify /usr/lib/postfix/{sbin/,}verify { +profile postfix-verify /usr/lib/postfix/{bin/,sbin/,}verify { #include #include #include - /usr/lib/postfix/{sbin/,}verify rmix, + /usr/lib/postfix/{bin/,sbin/,}verify mrix, } diff --git a/profiles/apparmor/profiles/extras/postfix.virtual b/profiles/apparmor/profiles/extras/postfix.virtual index b6a39847f..a9b665206 100644 --- a/profiles/apparmor/profiles/extras/postfix.virtual +++ b/profiles/apparmor/profiles/extras/postfix.virtual @@ -11,12 +11,12 @@ #include -profile postfix-virtual /usr/lib/postfix/{sbin/,}virtual { +profile postfix-virtual /usr/lib/postfix/{bin/,sbin/,}virtual { #include #include #include - /usr/lib/postfix/{sbin/,}virtual rmix, + /usr/lib/postfix/{bin/,sbin/,}virtual mrix, /var/spool/postfix/active/* rw, /var/spool/postfix/pid/unix.virtual rw, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.postqueue b/profiles/apparmor/profiles/extras/usr.sbin.postqueue index 29a2258d6..67cb2e994 100644 
--- a/profiles/apparmor/profiles/extras/usr.sbin.postqueue +++ b/profiles/apparmor/profiles/extras/usr.sbin.postqueue @@ -22,7 +22,7 @@ /etc/postfix r, /usr/sbin/postqueue rmix, - /usr/lib/postfix/showq Px, + /usr/lib/postfix/{bin/,sbin/,}showq Px, /var/spool/postfix r, /var/spool/postfix/maildrop r, /var/spool/postfix/maildrop/* rwl,