Manual merge of SR 239282 by computersalat, with the exception of

adding /srv/maildirs/ to tunables/dovecot.

Also update upstream commits in apparmor.spec patch notes.



- fix problems with dovecot and managesieve
  * usr.lib.dovecot.managesieve-login: network inet6 stream
  * usr.lib.dovecot.managesieve:
    +#include <tunables/dovecot>
      /usr/lib/dovecot/managesieve {
       #include <abstractions/base>
    +  capability setgid,
    +  capability setuid,
    +  network inet stream,
    +  network inet6 stream,
    +  @{DOVECOT_MAILSTORE}/ rw,
    +  @{DOVECOT_MAILSTORE}/** rwkl,

- add #include <abstractions/wutmp> to usr.lib.dovecot.auth

OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=88

apparmor-profiles-dovecot-bnc851984.diff

@@ -143,13 +143,14 @@ Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login
 ===================================================================
 --- profiles/apparmor.d/usr.lib.dovecot.managesieve-login.orig	2011-07-14 14:57:57.000000000 +0200
 +++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login	2014-01-26 15:48:52.228261212 +0100
-@@ -1,4 +1,15 @@
+@@ -1,6 +1,19 @@
 -# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
 +# ------------------------------------------------------------------
 +#
 +#    Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
 +#    Copyright (C) 2009-2011 Canonical Ltd.
 +#    Copyright (C) 2013 Christian Boltz
++#    Copyright (C) 2014 Christian Wittmer
 +#
 +#    This program is free software; you can redistribute it and/or
 +#    modify it under the terms of version 2 of the GNU General Public
@@ -159,7 +160,18 @@ Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login
 +# vim: ft=apparmor
  
  #include <tunables/global>
++
  /usr/lib/dovecot/managesieve-login {
+   #include <abstractions/base>
+   #include <abstractions/ssl_certs>
+@@ -11,6 +24,7 @@
+   capability sys_chroot,
+ 
+   network inet stream,
++  network inet6 stream,
+ 
+   /usr/lib/dovecot/managesieve-login mr,
+   /{,var/}run/dovecot/login/ r,
 Index: profiles/apparmor.d/usr.lib.dovecot.pop3
 ===================================================================
 --- profiles/apparmor.d/usr.lib.dovecot.pop3.orig	2011-08-27 01:12:10.000000000 +0200

apparmor.changes

@@ -4,6 +4,27 @@ Thu Jul  3 14:45:14 UTC 2014 - ddiss@suse.com
 - add apparmor-profiles-clustered-samba.diff to permit clustered Samba
   access to CTDB socket and databases (bnc#885317)
 
+-------------------------------------------------------------------
+Wed Jul  2 10:30:43 UTC 2014 - chris@computersalat.de
+
+- fix problems with dovecot and managesieve
+  * usr.lib.dovecot.managesieve-login: network inet6 stream
+  * usr.lib.dovecot.managesieve:
+    +#include <tunables/dovecot>
+      /usr/lib/dovecot/managesieve {
+       #include <abstractions/base>
+    +  capability setgid,
+    +  capability setuid,
+    +  network inet stream,
+    +  network inet6 stream,
+    +  @{DOVECOT_MAILSTORE}/ rw,
+    +  @{DOVECOT_MAILSTORE}/** rwkl,
+
+-------------------------------------------------------------------
+Fri Jun 27 17:47:40 UTC 2014 - chris@computersalat.de
+
+- add #include <abstractions/wutmp> to usr.lib.dovecot.auth
+
 -------------------------------------------------------------------
 Tue Apr  1 16:06:24 UTC 2014 - lmuelle@suse.com
 

apparmor.spec

@@ -2,6 +2,7 @@
 # spec file for package apparmor
 #
 # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011-2014 Christian Boltz
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -106,7 +107,7 @@ Patch6:         apparmor-init.py-gsoc.diff
 # Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
 Patch12:        apparmor-2.5.1-edirectory-profile
 
-# update dovecot profiles for dovecot 2.x (bnc#851984 - commited upstream trunk r2354, r2356, [updated patch] r2359)
+# update dovecot profiles for dovecot 2.x (bnc#851984 - commited upstream trunk r2354, r2356, [updated patch] r2359, [updated patch] r2549)
 Patch17:        apparmor-profiles-dovecot-bnc851984.diff
 
 # create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 - bnc#720617 #c7
@@ -119,7 +120,7 @@ Patch22:        ruby-2_0-mkmf-destdir.patch
 # commited upstream trunk r2323, 2.8 branch r2110 - updated version commited trunk r2385, 2.8 r2123
 Patch23:        apparmor-2.8.2-nm-dnsmasq-config.patch
 
-# Permit clustered Samba access to CTDB socket and databases (bnc#885317)
+# Permit clustered Samba access to CTDB socket and databases (bnc#885317, commited upstream trunk r2556 - TODO: merge into 2.8 branch)
 Patch24:        apparmor-profiles-clustered-samba.diff
 
 Url:            https://launchpad.net/apparmor

usr.lib.dovecot.auth

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2014 Christian Wittmer
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -16,6 +17,7 @@
   #include <abstractions/base>
   #include <abstractions/mysql>
   #include <abstractions/nameservice>
+  #include <abstractions/wutmp>
 
   deny capability block_suspend,
 

usr.lib.dovecot.managesieve

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2014 Christian Wittmer
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -10,10 +11,20 @@
 # vim: ft=apparmor
 
 #include <tunables/global>
+#include <tunables/dovecot>
 
 /usr/lib/dovecot/managesieve {
   #include <abstractions/base>
 
+  capability setgid,
+  capability setuid,
+
+  network inet stream,
+  network inet6 stream,
+
+  @{DOVECOT_MAILSTORE}/ rw,
+  @{DOVECOT_MAILSTORE}/** rwkl,
+
   /etc/dovecot/** r,
   /usr/bin/doveconf rix,
   /usr/lib/dovecot/managesieve mrix,