mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00
Code Issues Releases Wiki Activity

Merge update postfix profiles

Browse Source 
Update postfix profiles:

* cleanup postfix profiles - /etc/postfix/\*.db is covered by abstractions/postfix-common
* postfix: allow access to \*.lmdb files in addition to \*.db files. (openSUSE Tumbleweed now uses the lmdb format by default.)
* postfix-flush and -showq: add permissions needed with latest postfix as seen on openSUSE Tumbleweed

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/717
Acked-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2021-03-07 17:28:47 +00:00
parent c2718e2677 08719eebc1
commit 55a7c89117
9 changed files with 19 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
profiles/apparmor.d/abstractions/postfix-common
View File

@@ -2,7 +2,7 @@
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2015-2018 Canonical, Ltd.
# Copyright (C) 2020 Christian Boltz
# Copyright (C) 2020-2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -26,6 +26,7 @@
/etc/mailname r,
/etc/postfix/*.cf r,
/etc/postfix/*.db rk,
/etc/postfix/*.lmdb rk,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix/*.so mr,
/usr/lib{,32,64}/sasl2/* mr,

4
profiles/apparmor/profiles/extras/postfix-flush
View File

@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
# Copyright (C) 2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -25,6 +26,7 @@ profile postfix-flush /usr/lib/postfix/{bin/,sbin/,}flush {
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]* rwl,
/{var/spool/postfix/,}deferred/[0-9A-F]/ rwl,
/{var/spool/postfix/,}flush/ rwl,
/{var/spool/postfix/,}flush/* w, # filename is based on hostname
/{var/spool/postfix/,}flush/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}flush/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}flush/[0-9A-F]/ rwl,
@@ -33,7 +35,7 @@ profile postfix-flush /usr/lib/postfix/{bin/,sbin/,}flush {
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/ rwl,
/{var/spool/postfix/,}incoming/[0-9A-F]/ rwl,
/{var/spool/postfix/,}public/qmgr w,
/{var/spool/postfix/,}pid/unix.flush rw,
/{var/spool/postfix/,}pid/unix.flush rwk,
/etc/mtab r,
@{HOME}/.forward r,

8
profiles/apparmor/profiles/extras/postfix-local
View File

@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
# Copyright (C) 2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -31,9 +32,9 @@ profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
/{usr/,}bin/date mixr,
/dev/tty rw,
/etc/{postfix/,}aliases.db rk,
/etc/aliases.{lm,}db rk,
# mailman on SuSE is configured to have its own alias file
/var/lib/mailman/data/aliases.db rk,
/var/lib/mailman/data/aliases.{lm,}db rk,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rw,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rw,
/{var/spool/postfix/,}active/[0-9A-F]/ rw,
@@ -41,9 +42,6 @@ profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
/{var/spool/postfix/,}pid/unix.local rwk,
/{var/spool/postfix/,}private/{bounce,defer,flush,lmtp,local,rewrite} rw,
/{var/spool/postfix/,}public/{cleanup,flush} rw,
/etc/postfix/virtual.db r,
/etc/postfix/lists.db r,
# deliver mail
/var/mail/* wk,
}

2
profiles/apparmor/profiles/extras/postfix-showq
View File

@@ -2,6 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
# Copyright (C) 2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -41,6 +42,7 @@ profile postfix-showq /usr/lib/postfix/{bin/,sbin/,}showq {
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/ r,
/{var/spool/postfix/,}incoming/[0-9A-F]/ r,
/{var/spool/postfix/,}maildrop/ r,
/{var/spool/postfix/,}maildrop/[0-9A-F]*[0-9A-F] r,
/{var/spool/postfix/,}maildrop/[0-9A-F]/ r,
/{var/spool/postfix/,}pid/unix.showq rwk,
owner /{var/spool/postfix,}/defer/[0-9A-F]/[0-9A-F]* r,

2
profiles/apparmor/profiles/extras/postfix-smtp
View File

@@ -43,7 +43,5 @@ profile postfix-smtp /usr/lib/postfix/{bin/,sbin/,}smtp {
/etc/postfix/{ssl/,}*.pem r,
/etc/postfix/prng_exch rw,
/usr/share/ssl/certs/ca-bundle.crt r,
/etc/postfix/virtual.db r,
/etc/postfix/sasl_passwd.db r,
/etc/mtab r,
}

7
profiles/apparmor/profiles/extras/postfix-smtpd
View File

@@ -2,7 +2,7 @@
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2018 Canonical, Ltd.
# Copyright (C) 2019 Christian Boltz
# Copyright (C) 2019-2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -29,12 +29,11 @@ profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd {
/usr/sbin/postdrop rPx,
/dev/urandom r,
/etc/aliases.db rk,
/etc/aliases.{lm,}db rk,
# mailman on SuSE is configured to have its own alias db
/var/lib/mailman/data/aliases.db rk,
/var/lib/mailman/data/aliases.{lm,}db rk,
/etc/mtab r,
/etc/fstab r,
/etc/postfix/*.db r,
/etc/postfix/*.regexp r,
/etc/postfix/{ssl/,}*.pem r,
/etc/postfix/smtpd_scache.dir r,

3
profiles/apparmor/profiles/extras/postfix-trivial-rewrite
View File

@@ -23,9 +23,6 @@ profile postfix-trivial-rewrite /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite {
/usr/lib/postfix/{bin/,sbin/,}trivial-rewrite mrix,
/etc/postfix/relocated.db r,
/etc/postfix/transport.db r,
/etc/postfix/virtual.db r,
/etc/{m,fs}tab r,
/var/spool/postfix/pid/unix.rewrite rw,
/{var/spool/postfix/,}private/rewrite rw,

7
profiles/apparmor/profiles/extras/usr.sbin.postalias
View File

@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -19,11 +20,11 @@ include <tunables/global>
include <abstractions/consoles>
include <abstractions/postfix-common>
/etc/aliases r,
/etc/aliases.db rwlk,
/etc/aliases.{lm,}db rwlk,
/etc/postfix r,
/etc/postfix/main.cf r,
/etc/postfix/aliases r,
/etc/postfix/aliases.db rwl,
/etc/postfix/aliases.{lm,}db rwl,
/etc/postfix/__db.aliases.db lrw,
/etc/__db.aliases.db rwl,
/usr/sbin/postalias rmix,
@@ -31,7 +32,7 @@ include <tunables/global>
# On SuSE, mailman is configured to use its own alias db
/var/lib/mailman/data/aliases r,
/var/lib/mailman/data/__db.aliases.db rwl,
/var/lib/mailman/data/aliases.db rwl,
/var/lib/mailman/data/aliases.{lm,}db rwl,
/var/spool/postfix r,
/var/spool/postfix/pid r,
}

2
profiles/apparmor/profiles/extras/usr.sbin.postmap
View File

@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -22,6 +23,7 @@ include <tunables/global>
/etc/mtab r,
/etc/postfix/* r,
/etc/postfix/*.db rwlk,
/etc/postfix/*.lmdb rwlk,
@{PROC}/net/if_inet6 r,
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
/usr/sbin/postmap rmix,