[Pkg-sogo-maintainers] AppArmor profiles for SOGo
André Rodier
andre at rodier.me
Sun Nov 25 16:10:57 GMT 2018
Hello, dear Debian SOGo maintainers,
Thanks for your hard work, I am looking forward to SOGo4 in Debian buster.
I have created AppArmor profiles on Debian Stretch; you may want to integrate them into the packages.
I have attached the profiles to the email, but the latest version is here:
https://github.com/progmaticltd/homebox/tree/dev-sogo/install/playbooks/roles/sogo/templates/apparmor.d
I should be able to add them myself, using git and pull requests, if you need.
Thanks,
André
--
André Rodier
HomeBox: https://github.com/progmaticltd/homebox
-------------- next part --------------
# Last Modified: Sat Nov 24 17:33:26 2018
#include <tunables/global>
# AppArmor profile for the SOGo daemon (/usr/sbin/sogod).
# No flags= are set on the profile line, so these rules are enforced once the
# profile is loaded (unless it is switched to complain mode externally).
# Mode letters used below: r read, w write, m mmap-executable, k lock, l link.
/usr/sbin/sogod {
#include <abstractions/base>
#include <abstractions/nameservice>
# NOTE(review): no network rules appear in this profile; any network access
# presumably comes from the nameservice abstraction - verify it covers the
# connections the daemon makes to its backends.
# Configuration files (read-only)
/etc/GNUstep/ r,
/etc/GNUstep/* r,
/etc/sogo/sogo.conf r,
/etc/ssl/openssl.cnf r,
/etc/ldap/ldap.conf r,
# I am not sure why SOGo needs to read the attributes of the root folder…
# The `audit` qualifier logs every use of this rule, which helps to find the
# code path that reads `/`; drop the qualifier (or the rule) once understood.
audit allow / r,
# Executable and libraries
/usr/sbin/sogod mr,
/usr/lib/GNUstep/** mr,
# Hard-codes the amd64 multiarch directory; on other architectures this rule
# matches nothing.
# NOTE(review): @{multiarch} (from tunables/global) would be portable, and
# abstractions/base may already cover the dynamic loader - confirm.
/lib/x86_64-linux-gnu/ld-*.so mr,
# proc and run filesystem
# @{pid} matches any numeric PID, so these rules are not limited to sogod's
# own /proc entries.
# NOTE(review): consider the `owner` qualifier to narrow them - confirm.
/proc/@{pid}/cmdline r,
/proc/@{pid}/stat r,
/proc/@{pid}/status r,
/proc/@{pid}/mounts r,
/run/sogo/ r,
/run/sogo/** rwk,
# Web content
# The second rule is already covered by the first (** descends into SOGo/).
/usr/share/GNUstep/** r,
/usr/share/GNUstep/SOGo/** r,
# Logging
# The second rule is redundant: w is already part of rwkl.
# NOTE(review): if sogod only ever appends to its log, `a` (append) instead of
# `w` would keep the daemon from rewriting earlier log lines - confirm that
# this works with the log rotation in use.
/var/log/sogo/sogo.log rwkl,
/var/log/sogo/sogo.log w,
# Temporary files
/var/spool/sogo/** rwk,
# Read/write/lock on every file directly in /tmp (a single * does not descend
# into subdirectories), including files created by other programs, as far as
# file ownership and mode allow.
# NOTE(review): narrow this to the names sogod actually creates, or give it a
# private temporary directory - TODO confirm what it writes there.
/tmp/ rwk,
/tmp/* rwk,
}
-------------- next part --------------
# Last Modified: Sun Nov 25 10:31:21 2018
#include <tunables/global>
# AppArmor profile for the sogo-tool command (/usr/sbin/sogo-tool).
# No flags= are set, so the rules are enforced once the profile is loaded.
# Mode letters used below: r read, w write, m mmap-executable.
/usr/sbin/sogo-tool {
#include <abstractions/base>
#include <abstractions/nameservice>
# Executable
/usr/sbin/sogo-tool mr,
/usr/lib/GNUstep/** mr,
# Configuration (read-only)
/etc/GNUstep/GNUstep.conf r,
/etc/sogo/sogo.conf r,
/etc/timezone r,
# Not sure why this is necessary
# The `audit` qualifier logs every use of this rule, which helps to find the
# code path that reads `/`; drop the qualifier (or the rule) once understood.
audit allow / r,
# static content
/usr/share/GNUstep/** r,
# SSL
/etc/ssl/openssl.cnf r,
# Hard-codes the amd64 multiarch directory; on other architectures this rule
# matches nothing.
# NOTE(review): @{multiarch} (from tunables/global) would be portable, and
# abstractions/base may already cover the dynamic loader - confirm.
/lib/x86_64-linux-gnu/ld-*.so mr,
# proc and run filesystems
# @{pid} matches any numeric PID, not only this process.
# NOTE(review): consider the `owner` qualifier to narrow it - confirm.
/proc/@{pid}/cmdline r,
# The only writable location in this profile.
/run/sogo/GNUstep/Defaults/ r,
/run/sogo/GNUstep/Defaults/** rw,
}
-------------- next part --------------
# Last Modified: Sun Nov 25 10:31:20 2018
#include <tunables/global>
# AppArmor profile for the backup script (/usr/sbin/sogo-backup).
# flags=(complain): violations are only logged, nothing is denied. Until the
# flag is removed this profile confines nothing; review the logged events,
# complete the rules, then switch to enforce mode.
# Mode letters used below: r read, w write, m mmap-executable,
# ix execute and stay in this profile.
/usr/sbin/sogo-backup flags=(complain) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/nameservice>
# Executables
# The script itself is only read (presumably by /bin/bash below).
/usr/sbin/sogo-backup r,
# NOTE(review): because of ix, sogo-tool started from here is confined by this
# profile and not by the separate /usr/sbin/sogo-tool profile. It then needs
# every path it touches listed here (/run/sogo/GNUstep/Defaults/ is not), or a
# Px transition to its own profile - confirm which is intended.
/usr/sbin/sogo-tool mr,
/usr/sbin/sogo-tool rix,
# system executables
# Each helper has two rules; AppArmor unions them, so the effective
# permission is mrix and one `mrix` rule per helper would be equivalent.
/bin/bash ix,
/bin/cat mr,
/bin/cat rix,
/bin/date mr,
/bin/date rix,
/bin/mkdir mr,
/bin/mkdir rix,
/usr/bin/basename mr,
/usr/bin/basename rix,
/usr/bin/find mr,
/usr/bin/find rix,
/usr/bin/tty mr,
/usr/bin/tty rix,
# Shared libraries (gconv modules and GNUstep)
# The gconv path hard-codes the amd64 multiarch directory.
# NOTE(review): @{multiarch} (from tunables/global) would be portable.
/usr/lib/x86_64-linux-gnu/gconv/*.so mr,
# m without r here, whereas the sogod and sogo-tool profiles use mr on the
# same path - NOTE(review): confirm that r is not needed.
/usr/lib/GNUstep/** m,
# folders (for stats?)
# A trailing slash matches the directory itself, so these rules allow listing
# each directory but not reading the files inside it.
/ r,
/usr/ r,
/usr/lib/ r,
/usr/sbin/ r,
/var/log/ r,
/usr/share/ r,
# Configuration files (read-only)
/etc/GNUstep/GNUstep.conf r,
/etc/ldap/ldap.conf r,
/etc/sogo/sogo.conf r,
/etc/ssl/openssl.cnf r,
# proc and run filesystems
# @{pid} matches any numeric PID, not only this process.
# NOTE(review): consider the `owner` qualifier to narrow it - confirm.
/proc/@{pid}/cmdline r,
/proc/filesystems r,
# Gnustep shared files
/usr/share/GNUstep/ r,
/usr/share/GNUstep/** r,
# backup folders
# The `** r` rule is redundant: the `** rw` rule below already includes it.
/var/backups/sogo/ r,
/var/backups/sogo/** r,
/var/backups/sogo/** rw,
}
-------------- next part --------------
# Last Modified: Sat Nov 24 17:33:25 2018
#include <tunables/global>
# AppArmor profile for /usr/sbin/sogo-ealarms-notify.
# No flags= are set, so the rules are enforced once the profile is loaded.
# Mode letters used below: r read, w write, m mmap-executable.
/usr/sbin/sogo-ealarms-notify {
#include <abstractions/base>
#include <abstractions/nameservice>
# Configuration file access (read-only)
/etc/GNUstep/GNUstep.conf r,
/etc/sogo/sogo.conf r,
/etc/timezone r,
/etc/ssl/openssl.cnf r,
# I am not sure why SOGo needs to read the attributes of the root folder…
# The `audit` qualifier logs every use of this rule, which helps to find the
# code path that reads `/`; drop the qualifier (or the rule) once understood.
audit allow / r,
# Resources access
/usr/share/GNUstep/** r,
# Binary files
/usr/sbin/sogo-ealarms-notify mr,
# Hard-codes the amd64 multiarch directory; on other architectures this rule
# matches nothing.
# NOTE(review): @{multiarch} (from tunables/global) would be portable, and
# abstractions/base may already cover the dynamic loader - confirm.
/lib/x86_64-linux-gnu/ld-*.so mr,
# The `m` rule is redundant: the `mr` rule on the same path includes it.
/usr/lib/GNUstep/** m,
/usr/lib/GNUstep/** mr,
# proc and run filesystem
# @{pid} matches any numeric PID, not only this process.
# NOTE(review): consider the `owner` qualifier to narrow it - confirm.
/proc/@{pid}/cmdline r,
/run/sogo/GNUstep/Defaults/ r,
# The two rules below union to rw; this is the only writable location in the
# profile.
/run/sogo/GNUstep/Defaults/** r,
/run/sogo/GNUstep/Defaults/** w,
}
-------------- next part --------------
# Last Modified: Sat Nov 24 20:52:07 2018
#include <tunables/global>
# AppArmor profile for /usr/sbin/sogo-slapd-sockd.
# No flags= are set, so the rules are enforced once the profile is loaded.
# Mode letters used below: r read, w write, m mmap-executable, k lock, l link.
/usr/sbin/sogo-slapd-sockd {
#include <abstractions/base>
#include <abstractions/nameservice>
# main executable and libs
# NOTE(review): unlike the other SOGo profiles in this message there is no
# /usr/lib/GNUstep/** rule - confirm this binary loads nothing from there.
/usr/sbin/sogo-slapd-sockd mr,
# Hard-codes the amd64 multiarch directory; on other architectures this rule
# matches nothing.
# NOTE(review): @{multiarch} (from tunables/global) would be portable, and
# abstractions/base may already cover the dynamic loader - confirm.
/lib/x86_64-linux-gnu/ld-*.so mr,
# configuration (read-only)
/etc/GNUstep/GNUstep.conf r,
/etc/sogo/sogo.conf r,
# gnustep configuration
/usr/share/GNUstep/** r,
# proc and run filesystem
# @{pid} matches any numeric PID, not only this process.
# NOTE(review): consider the `owner` qualifier to narrow these - confirm.
/proc/@{pid}/cmdline r,
/proc/@{pid}/stat r,
# The only writable path in this profile: a single named socket file under
# /run/sogo/.
/run/sogo/sogo-sockd.sock rwkl,
}