Accepting request 214398 from home:cboltz

- add Recommends: net-tools to apparmor-utils (needed by aa-unconfined) - update usr.lib.dovecot.lmtp (add /proc/*/mounts, /tmp/dovecot.lmtp.*, /{var/,}run/dovecot/mounts, deny capability block_suspend) OBS-URL: https://build.opensuse.org/request/show/214398 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=73
2014-01-19 14:56:57 +00:00 · 2014-01-19 14:56:57 +00:00 · 25eca62b0a
commit 25eca62b0a
parent 645ce4a678
3 changed files with 15 additions and 1 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sun Jan 19 14:51:33 UTC 2014 - opensuse@cboltz.de
+
+- add Recommends: net-tools to apparmor-utils (needed by aa-unconfined)
+- update usr.lib.dovecot.lmtp (add /proc/*/mounts, /tmp/dovecot.lmtp.*, 
+  /{var/,}run/dovecot/mounts, deny capability block_suspend)
+
 -------------------------------------------------------------------
 Fri Jan 17 16:29:54 UTC 2014 - develop7@develop7.info

--- a/apparmor.spec
+++ b/apparmor.spec
@ -148,7 +148,7 @@ Patch21:        apparmor-utils-subdomain-compat
 # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
 Patch22:        ruby-2_0-mkmf-destdir.patch

-# dnsmasq - allow to read config created by recent NetworkManager
+# dnsmasq - allow to read config created by recent NetworkManager - commited upstream trunk r2323, 2.8 branch r2110
 Patch23:        apparmor-2.8.2-nm-dnsmasq-config.patch

 Url:            https://launchpad.net/apparmor
@ -406,6 +406,8 @@ Group:          Productivity/Security
 Requires:       libapparmor1 = %{version}
 Requires:       perl = %{perl_version}
 Requires:       perl-apparmor = %{version}
+# aa-unconfined needs netstat
+Recommends:     net-tools
 BuildArch:      noarch

 %description utils
--- a/usr.lib.dovecot.lmtp
+++ b/usr.lib.dovecot.lmtp
@ -15,6 +15,8 @@
 /usr/lib/dovecot/lmtp {
  #include <abstractions/base>

+  deny capability block_suspend,
+
  capability dac_override,
  capability setgid,
  capability setuid,
@ -23,7 +25,10 @@
  @{DOVECOT_MAILSTORE}/** rwkl,

  /etc/resolv.conf r,
+  /proc/*/mounts r,
+  /tmp/dovecot.lmtp.* rw,
  /usr/lib/dovecot/lmtp mr,
+  /{var/,}run/dovecot/mounts r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.lmtp>