dovecot: allow chroot'ing the auth processes

When using passdb/userdb not requiring root (!= /etc/shadow access) it is recommended to run the auth processes as non root and chroot'ed Signed-off-by: Simon Deziel <simon@sdeziel.info>
2025-08-31 06:16:03 +00:00 · 2019-02-13 22:27:08 -05:00
parent a57f01d86b
commit d0aa863f6b
1 changed files with 2 additions and 0 deletions
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
@@ -25,6 +25,7 @@
  capability dac_override,
  capability dac_read_search,
  capability setuid,
+  capability sys_chroot,

  /etc/my.cnf r,
  /etc/my.cnf.d/ r,
@@ -32,6 +33,7 @@

  /etc/dovecot/* r,
  /usr/lib/dovecot/auth mr,
+  /var/lib/dovecot/auth-chroot/* r,

  # kerberos replay cache
  /var/tmp/imap_* rw,