Merge branch 'dovecot-fixes-no-doveadm' into 'master'

misc dovecot fixes (take #2)

See merge request apparmor/apparmor!336

Acked-by: Christian Boltz <apparmor@cboltz.de> for master..2.10

profiles/apparmor.d/usr.lib.dovecot.anvil

@@ -18,7 +18,10 @@
   capability setuid,
   capability sys_chroot,
 
+  unix (receive, send) type=stream peer=(label=dovecot),
+
   /run/dovecot/anvil rw,
+  /run/dovecot/anvil-auth-penalty rw,
   /usr/lib/dovecot/anvil mr,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/usr.lib.dovecot.auth

@@ -25,6 +25,7 @@
   capability dac_override,
   capability dac_read_search,
   capability setuid,
+  capability sys_chroot,
 
   /etc/my.cnf r,
   /etc/my.cnf.d/ r,
@@ -32,6 +33,7 @@
 
   /etc/dovecot/* r,
   /usr/lib/dovecot/auth mr,
+  /var/lib/dovecot/auth-chroot/* r,
 
   # kerberos replay cache
   /var/tmp/imap_* rw,
@@ -40,6 +42,7 @@
   /var/tmp/smtp_* rw,
 
   /run/dovecot/auth-master rw,
+  /run/dovecot/auth-userdb rw,
   /run/dovecot/auth-worker rw,
   /run/dovecot/login/login rw,
   /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
@@ -47,7 +50,7 @@
   /{var/,}run/dovecot/stats-user rw,
   /{var/,}run/dovecot/anvil-auth-penalty rw,
 
-  /var/spool/postfix/private/auth w,
+  /var/spool/postfix/private/auth rw,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.auth>

profiles/apparmor.d/usr.lib.dovecot.lmtp

@@ -17,6 +17,7 @@
   #include <abstractions/nameservice>
   #include <abstractions/dovecot-common>
   #include <abstractions/openssl>
+  #include <abstractions/ssl_certs>
   #include <abstractions/ssl_keys>
 
   capability dac_override,

profiles/apparmor.d/usr.sbin.dovecot

@@ -33,6 +33,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
 
   signal send set=(int,quit) peer=/usr/lib/dovecot/*,
 
+  unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
+
   /etc/dovecot/** r,
   /etc/mtab r,
   /etc/lsb-release r,