From f4f04adabc287219b04eb64d8801b3b5e3d4bae6 Mon Sep 17 00:00:00 2001 From: Georgia Garcia Date: Wed, 30 Oct 2024 10:43:47 +0000 Subject: [PATCH] Merge Improvements to Postfix profiles * Support /usr/libexec/postfix/ path * Added abstractions/{nameservice,postfix-common} to postfix-postscreen * Added postfix-tlsproxy, postscreen & spawn to postfix-master * Added missing postfix-tlsproxy profile * Added postscreen cache map (see ) * Added /{var/spool/postfix/,}pid/pass.smtpd to postfix-smtpd MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1330 Approved-by: Christian Boltz Merged-by: Georgia Garcia (cherry picked from commit f7b5d0e783db8cd204a882b81370ceb8bd996353) 
Signed-off-by: John Johansen 
---
 .../apparmor/profiles/extras/postfix-anvil | 4 +-
 .../apparmor/profiles/extras/postfix-bounce | 4 +-
 .../apparmor/profiles/extras/postfix-cleanup | 4 +-
 .../apparmor/profiles/extras/postfix-discard | 4 +-
 .../apparmor/profiles/extras/postfix-dnsblog | 4 +-
 .../apparmor/profiles/extras/postfix-error | 4 +-
 .../apparmor/profiles/extras/postfix-flush | 4 +-
 .../apparmor/profiles/extras/postfix-lmtp | 4 +-
 .../apparmor/profiles/extras/postfix-local | 4 +-
 .../apparmor/profiles/extras/postfix-master | 43 ++++++++++---------
 .../apparmor/profiles/extras/postfix-nqmgr | 4 +-
 .../apparmor/profiles/extras/postfix-oqmgr | 4 +-
 .../apparmor/profiles/extras/postfix-pickup | 4 +-
 .../apparmor/profiles/extras/postfix-pipe | 4 +-
 .../profiles/extras/postfix-postscreen | 7 ++-
 .../apparmor/profiles/extras/postfix-proxymap | 6 +--
 .../apparmor/profiles/extras/postfix-qmgr | 4 +-
 .../apparmor/profiles/extras/postfix-qmqpd | 4 +-
 .../apparmor/profiles/extras/postfix-scache | 4 +-
 .../apparmor/profiles/extras/postfix-showq | 4 +-
 .../apparmor/profiles/extras/postfix-smtp | 4 +-
 .../apparmor/profiles/extras/postfix-smtpd | 5 ++-
 .../apparmor/profiles/extras/postfix-spawn | 4 +-
 .../apparmor/profiles/extras/postfix-tlsmgr | 4 +-
 .../apparmor/profiles/extras/postfix-tlsproxy | 27 ++++++++++++
 .../profiles/extras/postfix-trivial-rewrite | 4 +-
 .../apparmor/profiles/extras/postfix-verify | 4 +-
 .../apparmor/profiles/extras/postfix-virtual | 4 +-
 .../profiles/extras/usr.sbin.postqueue | 2 +-
 .../profiles/extras/usr.sbin.sendmail | 6 +--
 .../profiles/extras/usr.sbin.sendmail.postfix | 4 +-
 31 files changed, 113 insertions(+), 79 deletions(-)
 create mode 100644 profiles/apparmor/profiles/extras/postfix-tlsproxy
diff --git a/profiles/apparmor/profiles/extras/postfix-anvil b/profiles/apparmor/profiles/extras/postfix-anvil
index e198407b8..e29127b27 100644
--- a/profiles/apparmor/profiles/extras/postfix-anvil
+++ b/profiles/apparmor/profiles/extras/postfix-anvil
@@ -13,12 +13,12 @@ include
-profile postfix-anvil /usr/lib/postfix/{bin/,sbin/,}anvil {
+profile postfix-anvil /usr/lib{,exec}/postfix/{bin/,sbin/,}anvil {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}anvil mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}anvil mrix,
 /etc/postfix/main.cf r,
 /{var/spool/postfix/,}private/anvil rw,
diff --git a/profiles/apparmor/profiles/extras/postfix-bounce b/profiles/apparmor/profiles/extras/postfix-bounce
index fd786da02..93cda1f0d 100644
--- a/profiles/apparmor/profiles/extras/postfix-bounce
+++ b/profiles/apparmor/profiles/extras/postfix-bounce
@@ -14,12 +14,12 @@ include
-profile postfix-bounce /usr/lib/postfix/{bin/,sbin/,}bounce {
+profile postfix-bounce /usr/lib{,exec}/postfix/{bin/,sbin/,}bounce {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}bounce mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}bounce mrix,
 /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwkl,
 /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
diff --git a/profiles/apparmor/profiles/extras/postfix-cleanup b/profiles/apparmor/profiles/extras/postfix-cleanup
index 6ca33e23e..ac802ef29 100644
--- a/profiles/apparmor/profiles/extras/postfix-cleanup
+++ b/profiles/apparmor/profiles/extras/postfix-cleanup
@@ -14,7 +14,7 @@ include
-profile postfix-cleanup /usr/lib/postfix/{bin/,sbin/,}cleanup {
+profile postfix-cleanup /usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup {
 include
 include
 include
@@ -22,7 +22,7 @@ profile postfix-cleanup /usr/lib/postfix/{bin/,sbin/,}cleanup {
 capability net_bind_service,
 capability dac_read_search,
- /usr/lib/postfix/{bin/,sbin/,}cleanup mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup mrix,
 /{var/spool/postfix/,}incoming/[0-9]*.[0-9]* rwl,
 /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
diff --git a/profiles/apparmor/profiles/extras/postfix-discard b/profiles/apparmor/profiles/extras/postfix-discard
index 843202e98..0846ae06f 100644
--- a/profiles/apparmor/profiles/extras/postfix-discard
+++ b/profiles/apparmor/profiles/extras/postfix-discard
@@ -14,10 +14,10 @@ include
-profile postfix-discard /usr/lib/postfix/{bin/,sbin/,}discard {
+profile postfix-discard /usr/lib{,exec}/postfix/{bin/,sbin/,}discard {
 include
- /usr/lib/postfix/{bin/,sbin/,}discard mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}discard mrix,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-dnsblog b/profiles/apparmor/profiles/extras/postfix-dnsblog
index df5a01305..a16be29ae 100644
--- a/profiles/apparmor/profiles/extras/postfix-dnsblog
+++ b/profiles/apparmor/profiles/extras/postfix-dnsblog
@@ -13,10 +13,10 @@ include
-profile postfix-dnsblog /usr/lib/postfix/{bin/,sbin/,}dnsblog {
+profile postfix-dnsblog /usr/lib{,exec}/postfix/{bin/,sbin/,}dnsblog {
 include
- /usr/lib/postfix/{bin/,sbin/,}dnsblog mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}dnsblog mrix,
 /var/spool/postfix/private/dnsblog rw,
diff --git a/profiles/apparmor/profiles/extras/postfix-error b/profiles/apparmor/profiles/extras/postfix-error
index 51ed8d65e..609a23b3a 100644
--- a/profiles/apparmor/profiles/extras/postfix-error
+++ b/profiles/apparmor/profiles/extras/postfix-error
@@ -14,12 +14,12 @@ include
-profile postfix-error /usr/lib/postfix/{bin/,sbin/,}error {
+profile postfix-error /usr/lib{,exec}/postfix/{bin/,sbin/,}error {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}error mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}error mrix,
 owner /var/spool/postfix/active/* rwk,
 /var/spool/postfix/pid/unix.error rwk,
diff --git a/profiles/apparmor/profiles/extras/postfix-flush b/profiles/apparmor/profiles/extras/postfix-flush
index 56c6457d1..6080dc559 100644
--- a/profiles/apparmor/profiles/extras/postfix-flush
+++ b/profiles/apparmor/profiles/extras/postfix-flush
@@ -14,12 +14,12 @@ include
-profile postfix-flush /usr/lib/postfix/{bin/,sbin/,}flush {
+profile postfix-flush /usr/lib{,exec}/postfix/{bin/,sbin/,}flush {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}flush mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}flush mrix,
 /{var/spool/postfix/,}deferred/ r,
 /{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl,
diff --git a/profiles/apparmor/profiles/extras/postfix-lmtp b/profiles/apparmor/profiles/extras/postfix-lmtp
index 85d34f188..0dc6bf949 100644
--- a/profiles/apparmor/profiles/extras/postfix-lmtp
+++ b/profiles/apparmor/profiles/extras/postfix-lmtp
@@ -14,12 +14,12 @@ include
-profile postfix-lmtp /usr/lib/postfix/{bin/,sbin/,}lmtp {
+profile postfix-lmtp /usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}lmtp mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp mrix,
 /var/spool/postfix/active/* rwk,
 /var/spool/postfix/pid/unix.lmtp rwk,
diff --git a/profiles/apparmor/profiles/extras/postfix-local b/profiles/apparmor/profiles/extras/postfix-local
index 7dfa2102f..145961783 100644
--- a/profiles/apparmor/profiles/extras/postfix-local
+++ b/profiles/apparmor/profiles/extras/postfix-local
@@ -14,7 +14,7 @@ include
-profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
+profile postfix-local /usr/lib{,exec}/postfix/{bin/,sbin/,}local {
 include
 include
 include
@@ -27,7 +27,7 @@ profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
 /var/mailman/mail/wrapper Px,
 /usr/bin/mlmmj-recieve Px,
- /usr/lib/postfix/{bin/,sbin/,}local mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}local mrix,
 /{usr/,}bin/bash mixr,
 /{usr/,}bin/date mixr,
diff --git a/profiles/apparmor/profiles/extras/postfix-master b/profiles/apparmor/profiles/extras/postfix-master
index e2f58d945..6d8e7856d 100644
--- a/profiles/apparmor/profiles/extras/postfix-master
+++ b/profiles/apparmor/profiles/extras/postfix-master
@@ -14,7 +14,7 @@ abi , include
-profile postfix-master /usr/lib/postfix/{bin/,sbin/,}master {
+profile postfix-master /usr/lib{,exec}/postfix/{bin/,sbin/,}master {
 include
 include
 include
@@ -37,25 +37,28 @@ profile postfix-master /usr/lib/postfix/{bin/,sbin/,}master {
 /{var/spool/postfix/,}private/tlsmgr rwl,
 /{var/spool/postfix/,}public/{cleanup,flush,pickup,postlog,qmgr,showq,tlsmgr} rwl,
- /usr/lib/postfix/{bin/,sbin/,}anvil Px,
- /usr/lib/postfix/{bin/,sbin/,}bounce Px,
- /usr/lib/postfix/{bin/,sbin/,}cleanup Px,
- /usr/lib/postfix/{bin/,sbin/,}error Px,
- /usr/lib/postfix/{bin/,sbin/,}flush Px,
- /usr/lib/postfix/{bin/,sbin/,}local Px,
- /usr/lib/postfix/{bin/,sbin/,}lmtp mrPx,
- /usr/lib/postfix/{bin/,sbin/,}master mrix,
- /usr/lib/postfix/{bin/,sbin/,}nqmgr Px,
- /usr/lib/postfix/{bin/,sbin/,}proxymap Px,
- /usr/lib/postfix/{bin/,sbin/,}pickup Px,
- /usr/lib/postfix/{bin/,sbin/,}pipe Px,
- /usr/lib/postfix/{bin/,sbin/,}qmgr Px,
- /usr/lib/postfix/{bin/,sbin/,}scache Px,
- /usr/lib/postfix/{bin/,sbin/,}showq Px,
- /usr/lib/postfix/{bin/,sbin/,}smtp Px,
- /usr/lib/postfix/{bin/,sbin/,}smtpd Px,
- /usr/lib/postfix/{bin/,sbin/,}tlsmgr Px,
- /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}anvil Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}bounce Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}error Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}flush Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}local Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp mrPx,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}master mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}nqmgr Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}proxymap Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}pickup Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}pipe Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}postfix-tlsproxy Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}postscreen Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}qmgr Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}scache Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}showq Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}smtp Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}smtpd Px,
+ 
/usr/lib{,exec}/postfix/{bin/,sbin/,}spawn Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsmgr Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}trivial-rewrite Px,
 owner /var/lib/postfix/master.lock rwk,
diff --git a/profiles/apparmor/profiles/extras/postfix-nqmgr b/profiles/apparmor/profiles/extras/postfix-nqmgr
index 2accf266d..e537e1155 100644
--- a/profiles/apparmor/profiles/extras/postfix-nqmgr
+++ b/profiles/apparmor/profiles/extras/postfix-nqmgr
@@ -13,12 +13,12 @@ abi , include
-profile postfix-nqmgr /usr/lib/postfix/{bin/,sbin/,}nqmgr {
+profile postfix-nqmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}nqmgr {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}nqmgr mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}nqmgr mrix,
 /{var/spool/postfix/,}active/ r,
 /{var/spool/postfix/,}active/[0-9A-F]/ r,
diff --git a/profiles/apparmor/profiles/extras/postfix-oqmgr b/profiles/apparmor/profiles/extras/postfix-oqmgr
index cb332cfe9..34e713556 100644
--- a/profiles/apparmor/profiles/extras/postfix-oqmgr
+++ b/profiles/apparmor/profiles/extras/postfix-oqmgr
@@ -14,12 +14,12 @@ abi , include
-profile postfix-oqmgr /usr/lib/postfix/{bin/,sbin/,}oqmgr {
+profile postfix-oqmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}oqmgr {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}oqmgr mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}oqmgr mrix,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-pickup b/profiles/apparmor/profiles/extras/postfix-pickup
index ec1985cab..a0cba743e 100644
--- a/profiles/apparmor/profiles/extras/postfix-pickup
+++ b/profiles/apparmor/profiles/extras/postfix-pickup
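Review bot: The added rule `/usr/lib{,exec}/postfix/{bin/,sbin/,}postfix-tlsproxy Px,` in the postfix-master hunk names a binary that does not match the profile introduced by this same commit, which attaches to `/usr/lib{,exec}/postfix/{bin/,sbin/,}tlsproxy`; every other entry in this list uses the bare daemon name, and the diffstat shows no file called postfix-tlsproxy being installed as a binary. Unless a rule outside the hunk covers it, master's exec of tlsproxy matches nothing, so in enforce mode the exec is denied and the Px transition into postfix-tlsproxy never happens (in complain mode it only shows up as an audit entry). The line should read `/usr/lib{,exec}/postfix/{bin/,sbin/,}tlsproxy Px,`, and keeping the list sorted would place it between `tlsmgr` and `trivial-rewrite`.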
@@ -13,12 +13,12 @@ abi , include
-profile postfix-pickup /usr/lib/postfix/{bin/,sbin/,}pickup {
+profile postfix-pickup /usr/lib{,exec}/postfix/{bin/,sbin/,}pickup {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}pickup mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}pickup mrix,
 /{var/spool/postfix/,}public/cleanup rw,
 /{var/spool/postfix/,}public/pickup r,
diff --git a/profiles/apparmor/profiles/extras/postfix-pipe b/profiles/apparmor/profiles/extras/postfix-pipe
index f1904a202..dc4944ba1 100644
--- a/profiles/apparmor/profiles/extras/postfix-pipe
+++ b/profiles/apparmor/profiles/extras/postfix-pipe
@@ -14,12 +14,12 @@ abi , include
-profile postfix-pipe /usr/lib/postfix/{bin/,sbin/,}pipe {
+profile postfix-pipe /usr/lib{,exec}/postfix/{bin/,sbin/,}pipe {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}pipe mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}pipe mrix,
 /var/spool/postfix/active/* rwk,
 /var/spool/postfix/private/bounce w,
diff --git a/profiles/apparmor/profiles/extras/postfix-postscreen b/profiles/apparmor/profiles/extras/postfix-postscreen
index c2a5abc32..b11bd8fc0 100644
--- a/profiles/apparmor/profiles/extras/postfix-postscreen
+++ b/profiles/apparmor/profiles/extras/postfix-postscreen
@@ -12,10 +12,13 @@ abi , include
-profile postfix-postscreen /usr/lib/postfix/{bin/,sbin/,}postscreen {
+profile postfix-postscreen /usr/lib{,exec}/postfix/{bin/,sbin/,}postscreen {
 include
+ include
+ include
- /usr/lib/postfix/{bin/,sbin/,}postscreen mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}postscreen mrix,
+ owner /var/lib/postfix/{,__db.}postscreen_cache.db rwk,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-proxymap b/profiles/apparmor/profiles/extras/postfix-proxymap
index da3fa28d7..e41e2f472 100644
--- a/profiles/apparmor/profiles/extras/postfix-proxymap
+++ b/profiles/apparmor/profiles/extras/postfix-proxymap
@@ -14,14 +14,14 @@ abi , include
-profile postfix-proxymap /usr/lib/postfix/{bin/,sbin/,}proxymap {
+profile postfix-proxymap /usr/lib{,exec}/postfix/{bin/,sbin/,}proxymap {
 include
 include
 include
 /etc/my.cnf r,
- /usr/lib/postfix/{bin/,sbin/,}proxymap mrix,
- /{var/spool/postfix/,}private/proxymap rw,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}proxymap mrix,
+ /{var/spool/postfix/,}private/proxymap rw,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-qmgr b/profiles/apparmor/profiles/extras/postfix-qmgr
index 814c3a637..336200409 100644
--- a/profiles/apparmor/profiles/extras/postfix-qmgr
+++ b/profiles/apparmor/profiles/extras/postfix-qmgr
@@ -13,12 +13,12 @@ abi , include
-profile postfix-qmgr /usr/lib/postfix/{bin/,sbin/,}qmgr {
+profile postfix-qmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}qmgr {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}qmgr mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}qmgr mrix,
 /{var/spool/postfix/,}active/ r,
 /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
diff --git a/profiles/apparmor/profiles/extras/postfix-qmqpd b/profiles/apparmor/profiles/extras/postfix-qmqpd
index 70a880630..6b9ef9258 100644
--- a/profiles/apparmor/profiles/extras/postfix-qmqpd
+++ b/profiles/apparmor/profiles/extras/postfix-qmqpd
@@ -13,12 +13,12 @@ abi , include
-profile postfix-qmqpd /usr/lib/postfix/{bin/,sbin/,}qmqpd {
+profile postfix-qmqpd /usr/lib{,exec}/postfix/{bin/,sbin/,}qmqpd {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}qmqpd mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}qmqpd mrix,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-scache b/profiles/apparmor/profiles/extras/postfix-scache
index ab4d5e932..20e9b9205 100644
--- a/profiles/apparmor/profiles/extras/postfix-scache
+++ b/profiles/apparmor/profiles/extras/postfix-scache
@@ -15,12 +15,12 @@ abi , include
-profile postfix-scache /usr/lib/postfix/{bin/,sbin/,}scache {
+profile postfix-scache /usr/lib{,exec}/postfix/{bin/,sbin/,}scache {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}scache mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}scache mrix,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-showq b/profiles/apparmor/profiles/extras/postfix-showq
index e3d968c20..e6c7644ee 100644
--- a/profiles/apparmor/profiles/extras/postfix-showq
+++ b/profiles/apparmor/profiles/extras/postfix-showq
@@ -14,12 +14,12 @@ abi , include
-profile postfix-showq /usr/lib/postfix/{bin/,sbin/,}showq {
+profile postfix-showq /usr/lib{,exec}/postfix/{bin/,sbin/,}showq {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}showq mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}showq mrix,
 /{var/spool/postfix/,}active/ r,
 /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* r,
diff --git a/profiles/apparmor/profiles/extras/postfix-smtp b/profiles/apparmor/profiles/extras/postfix-smtp
index f3152066b..c1dfa58ee 100644
--- a/profiles/apparmor/profiles/extras/postfix-smtp
+++ b/profiles/apparmor/profiles/extras/postfix-smtp
@@ -14,7 +14,7 @@ abi , include
-profile postfix-smtp /usr/lib/postfix/{bin/,sbin/,}smtp {
+profile postfix-smtp /usr/lib{,exec}/postfix/{bin/,sbin/,}smtp {
 include
 include
 include
@@ -23,7 +23,7 @@ profile postfix-smtp /usr/lib/postfix/{bin/,sbin/,}smtp {
 capability dac_read_search,
 capability net_bind_service,
- /usr/lib/postfix/{bin/,sbin/,}smtp mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}smtp mrix,
 /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
 /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
diff --git a/profiles/apparmor/profiles/extras/postfix-smtpd b/profiles/apparmor/profiles/extras/postfix-smtpd
index 5d6351efd..ca7e57072 100644
--- a/profiles/apparmor/profiles/extras/postfix-smtpd
+++ b/profiles/apparmor/profiles/extras/postfix-smtpd
@@ -14,7 +14,7 @@ abi , include
-profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd {
+profile postfix-smtpd /usr/lib{,exec}/postfix/{bin/,sbin/,}smtpd {
 include
 include
 include
@@ -24,7 +24,7 @@ profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd {
 capability dac_override,
 capability dac_read_search,
- /usr/lib/postfix/{bin/,sbin/,}smtpd mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}smtpd mrix,
 /usr/sbin/postdrop rPx,
 /dev/urandom r,
@@ -44,6 +44,7 @@ profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd {
 /{var/spool/postfix/,}incoming/* rw,
 /{var/spool/postfix/,}pid/inet.* rwk,
+ /{var/spool/postfix/,}pid/pass.smtpd rwk,
 /{var/spool/postfix/,}private/anvil rw,
 /{var/spool/postfix/,}private/proxymap rw,
 /{var/spool/postfix/,}private/rewrite rw,
diff --git a/profiles/apparmor/profiles/extras/postfix-spawn b/profiles/apparmor/profiles/extras/postfix-spawn
index a19417bd6..0f44e28f8 100644
--- a/profiles/apparmor/profiles/extras/postfix-spawn
+++ b/profiles/apparmor/profiles/extras/postfix-spawn
@@ -13,12 +13,12 @@ abi , include
-profile postfix-spawn /usr/lib/postfix/{bin/,sbin/,}spawn {
+profile postfix-spawn /usr/lib{,exec}/postfix/{bin/,sbin/,}spawn {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}spawn mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}spawn mrix,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-tlsmgr b/profiles/apparmor/profiles/extras/postfix-tlsmgr
index 5b49b7509..7d14f960a 100644
--- a/profiles/apparmor/profiles/extras/postfix-tlsmgr
+++ b/profiles/apparmor/profiles/extras/postfix-tlsmgr
@@ -14,12 +14,12 @@ abi , include
-profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
+profile postfix-tlsmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsmgr {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsmgr mrix,
 /var/spool/postfix/dev/urandom r,
 /{etc,var/lib}/postfix/prng_exch rwk,
diff --git a/profiles/apparmor/profiles/extras/postfix-tlsproxy b/profiles/apparmor/profiles/extras/postfix-tlsproxy
new file mode 100644
index 000000000..2f94edb17
--- /dev/null
+++ b/profiles/apparmor/profiles/extras/postfix-tlsproxy
@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 pyllyukko
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile postfix-tlsproxy /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsproxy {
+ include
+ include
+ include
+ include
+
+ capability dac_read_search,
+
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsproxy mrix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor/profiles/extras/postfix-trivial-rewrite b/profiles/apparmor/profiles/extras/postfix-trivial-rewrite
index 408aa6920..c6ec25b7b 100644
--- a/profiles/apparmor/profiles/extras/postfix-trivial-rewrite
+++ b/profiles/apparmor/profiles/extras/postfix-trivial-rewrite
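Review bot: The new postfix-tlsproxy profile grants only its four includes, the binary itself and `capability dac_read_search,` with no comment on why the capability is needed; the include targets are stripped from this rendering, so a reader cannot tell from the diff whether the abstractions pulled in cover the certificate and private-key files tlsproxy serves, or whether the capability is there to read key material that tlsproxy's unprivileged uid cannot otherwise open. Sibling daemon profiles touched by this commit also carry a per-service lock rule (`/var/spool/postfix/pid/unix.error rwk,` in postfix-error, `pid/unix.lmtp` in postfix-lmtp, `pid/unix.virtual` in postfix-virtual); tlsproxy has none, which may be deliberate but is worth confirming in complain mode before the profile is enforced. A one-line why-comment above the capability, e.g. `# needed to read TLS key material not readable by the postfix uid — confirm`, would make the grant auditable.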
@@ -14,14 +14,14 @@ abi , include
-profile postfix-trivial-rewrite /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite {
+profile postfix-trivial-rewrite /usr/lib{,exec}/postfix/{bin/,sbin/,}trivial-rewrite {
 include
 include
 include
 capability dac_read_search,
- /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}trivial-rewrite mrix,
 /etc/{m,fs}tab r,
 /var/spool/postfix/pid/unix.rewrite rw,
diff --git a/profiles/apparmor/profiles/extras/postfix-verify b/profiles/apparmor/profiles/extras/postfix-verify
index ee4895874..4b4a33721 100644
--- a/profiles/apparmor/profiles/extras/postfix-verify
+++ b/profiles/apparmor/profiles/extras/postfix-verify
@@ -13,12 +13,12 @@ abi , include
-profile postfix-verify /usr/lib/postfix/{bin/,sbin/,}verify {
+profile postfix-verify /usr/lib{,exec}/postfix/{bin/,sbin/,}verify {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}verify mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}verify mrix,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-virtual b/profiles/apparmor/profiles/extras/postfix-virtual
index 59cf73a2a..b42df4ce4 100644
--- a/profiles/apparmor/profiles/extras/postfix-virtual
+++ b/profiles/apparmor/profiles/extras/postfix-virtual
@@ -13,12 +13,12 @@ abi , include
-profile postfix-virtual /usr/lib/postfix/{bin/,sbin/,}virtual {
+profile postfix-virtual /usr/lib{,exec}/postfix/{bin/,sbin/,}virtual {
 include
 include
 include
- /usr/lib/postfix/{bin/,sbin/,}virtual mrix,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}virtual mrix,
 /var/spool/postfix/active/* rw,
 /var/spool/postfix/pid/unix.virtual rw,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.postqueue b/profiles/apparmor/profiles/extras/usr.sbin.postqueue
index 3a0dcf29d..dbaa49448 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.postqueue
+++ b/profiles/apparmor/profiles/extras/usr.sbin.postqueue
@@ -24,7 +24,7 @@ include
 /etc/postfix r,
 /usr/sbin/postqueue rmix,
- /usr/lib/postfix/{bin/,sbin/,}showq Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}showq Px,
 /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /var/spool/postfix r,
 /var/spool/postfix/maildrop r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail b/profiles/apparmor/profiles/extras/usr.sbin.sendmail
index fc7148242..46ab43df9 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail
@@ -46,10 +46,10 @@ include
 /root/dead.letter w,
 /root/.forward rw,
 /usr/kerberos/lib/lib*.so* mr,
- /usr/lib/postfix/{bin/,sbin/,}master Px,
- /usr/lib/postfix/{bin/,sbin/,}smtpd Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}master Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}smtpd Px,
 /usr/lib/postfix r,
- /usr/lib/postfix/{bin/,sbin/,}showq Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}showq Px,
 /usr/lib/sasl2 r,
 /usr/lib/sasl2/* mr,
 /usr/lib/sasl r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix
index f36e43227..efbe3bfb4 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix
@@ -28,8 +28,8 @@ include
 /etc/postfix/postfix-script Px,
 @{PROC}/net/if_inet6 r,
 /usr/lib/postfix r,
- /usr/lib/postfix/{bin/,sbin/,}master Px,
- /usr/lib/postfix/{bin/,sbin/,}showq Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}master Px,
+ /usr/lib{,exec}/postfix/{bin/,sbin/,}showq Px,
 /usr/sbin/postalias Px,
 /usr/sbin/postdrop Px,
 /usr/sbin/postqueue Px,
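Review bot: In the usr.sbin.sendmail hunk the three daemon exec rules gain the `/usr/lib{,exec}/postfix/` alternation, but the directory rule `/usr/lib/postfix r,` that sits between `smtpd` and `showq` is left on the old path only; the usr.sbin.sendmail.postfix hunk has the same asymmetry with its own `/usr/lib/postfix r,` context line. If that directory read is needed for the same reason on a libexec layout (the diff does not show why it is there), it should become `/usr/lib{,exec}/postfix r,` in both files so the libexec case is not left with a silent denial that the new exec rules were meant to avoid; if it is not needed there, a short comment next to the rule saying so would stop the next reader from "fixing" it.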