[Pkg-giraffe-maintainers] Bug#933886: AppArmor configuration doesn't cover userscripts

[Martin Wolf]

Package: kopano-server
Version: 8.7.0-3

The default AppArmor configuration file
/etc/apparmor.d/usr.sbin.kopano-server doesn't cover the default
userscripts in /usr/lib/kopano/userscripts/*, which are required to e.g.
create or delete a new user (or a company/tenancy), thus basically
everything. The AppArmor configuration however covers individual
userscripts in /etc/kopano/userscripts/* somehow, while
/etc/kopano/userscripts/* doesn't exist by default and
/usr/lib/kopano/userscripts/* is referenced in /etc/kopano/server.cfg as
default.

Adding "  /usr/lib/kopano/userscripts/* Cxr -> kopano_userscripts," to
/etc/apparmor.d/usr.sbin.kopano-server seems to help.

Error without the modified AppArmor policy:

Aug  4 22:48:45 kernel: [ 1294.408531] audit: type=1400
audit(1564951725.740:75): apparmor="DENIED" operation="exec"
profile="/usr/sbin/kopano-server"
name="/usr/lib/kopano/userscripts/createcompany" pid=2333
comm=7A2D733A20 requested_mask="x" denied_mask="x" fsuid=110 ouid=0
Aug  4 22:48:45 kernel: [ 1294.460467] audit: type=1400
audit(1564951725.792:76): apparmor="DENIED" operation="exec"
profile="/usr/sbin/kopano-server"
name="/usr/lib/kopano/userscripts/createuser" pid=2335 comm=7A2D733A20
requested_mask="x" denied_mask="x" fsuid=110 ouid=0

Linux 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64
GNU/Linux