diff --git a/apparmor.changes b/apparmor.changes
index 13e6448..85b9af0 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sun Jan 19 14:51:33 UTC 2014 - opensuse@cboltz.de
+
+- add Recommends: net-tools to apparmor-utils (needed by aa-unconfined)
+- update usr.lib.dovecot.lmtp (add /proc/*/mounts, /tmp/dovecot.lmtp.*,
+ /{var/,}run/dovecot/mounts, deny capability block_suspend)
+
 -------------------------------------------------------------------
 Fri Jan 17 16:29:54 UTC 2014 - develop7@develop7.info
diff --git a/apparmor.spec b/apparmor.spec
index 9ebadfb..fc05251 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -148,7 +148,7 @@ Patch21: apparmor-utils-subdomain-compat
 # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
 Patch22: ruby-2_0-mkmf-destdir.patch
-# dnsmasq - allow to read config created by recent NetworkManager
+# dnsmasq - allow to read config created by recent NetworkManager - commited upstream trunk r2323, 2.8 branch r2110
 Patch23: apparmor-2.8.2-nm-dnsmasq-config.patch
 Url: https://launchpad.net/apparmor
@@ -406,6 +406,8 @@ Group: Productivity/Security
 Requires: libapparmor1 = %{version}
 Requires: perl = %{perl_version}
 Requires: perl-apparmor = %{version}
+# aa-unconfined needs netstat
+Recommends: net-tools
 BuildArch: noarch
 %description utils
diff --git a/usr.lib.dovecot.lmtp b/usr.lib.dovecot.lmtp
index e5a6ea4..b5d3df1 100644
--- a/usr.lib.dovecot.lmtp
+++ b/usr.lib.dovecot.lmtp
@@ -15,6 +15,8 @@
 /usr/lib/dovecot/lmtp {
 #include
+ deny capability block_suspend,
+
 capability dac_override,
 capability setgid,
 capability setuid,
@@ -23,7 +25,10 @@
 @{DOVECOT_MAILSTORE}/** rwkl,
 /etc/resolv.conf r,
+ /proc/*/mounts r,
+ /tmp/dovecot.lmtp.* rw,
 /usr/lib/dovecot/lmtp mr,
+ /{var/,}run/dovecot/mounts r,
 # Site-specific additions and overrides. See local/README for details.
 #include
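Review bot: In the apparmor.spec hunk at -406, `Recommends: net-tools` is only a weak dependency, so an install that skips recommended packages ships aa-unconfined without the netstat it calls. The hunk does not show how the tool behaves in that case; if it fails or reports nothing, an administrator could misread that as "no unconfined listeners". I would make the comment say so, e.g. `# aa-unconfined calls netstat; only Recommends, so the tool will not work on installs without net-tools`, or use `Requires:` if the tool cannot run without it.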
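Review bot: The `deny capability block_suspend,` rule in the usr.lib.dovecot.lmtp hunk at -15 has no comment explaining it. An explicit deny both blocks the capability and keeps the denial out of the audit log, so the next maintainer cannot tell from the profile whether it is noise suppression or a restriction. I would add a line above it such as `# lmtp requests block_suspend but works without it; deny explicitly to silence the audit noise`, adjusted to whatever was actually observed. The profile block starts and ends outside this hunk.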
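Review bot: In the usr.lib.dovecot.lmtp hunk at -23, `/tmp/dovecot.lmtp.* rw,` grants read/write on any file of that name in world-writable /tmp, whoever created it. If lmtp creates and uses these temp files under a single uid, `owner /tmp/dovecot.lmtp.* rw,` would limit the rule to files the process owns. That needs testing, because the profile also grants setuid/setgid and the creating uid may differ from the one in effect at access time. Similarly, `/proc/*/mounts r,` covers every process's mount table rather than only lmtp's own; the hunk does not show whether the broader match is needed. The profile block continues outside this hunk.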