[Bug 757271] New: No apparmor profiles for Dovecot 2.0
https://bugzilla.novell.com/show_bug.cgi?id=757271
https://bugzilla.novell.com/show_bug.cgi?id=757271#c0

           Summary: No apparmor profiles for Dovecot 2.0
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: All
        OS/Version: openSUSE 12.1
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: suse-beta@cboltz.de
        ReportedBy: suse+build@de-korte.org
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0

The AppArmor profiles seem to be generated for a Dovecot 1.2 installation. Since openSUSE 12.1 ships with Dovecot 2.0 as well, the lack of a working AppArmor profile is unexpected. There are quite a number of changes to the internals of Dovecot between versions 1.2 and 2.0, so a profile for the former will not work for the latter (and vice versa).

It would be really useful if, when two versions of a program are shipped, either both or neither have an AppArmor profile (it took me a while to figure out what the problem was).

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=757271#c1
--- Comment #1 from Arjen de Korte

> It would be really useful if, when two versions of a program are shipped, either both or neither have an AppArmor profile (it took me a while to figure out what the problem was).

Or even better, profiles should not be bundled together, but rather be distributed with the package. If the number of profiles increases, it will also become impractical to bundle them all together.
https://bugzilla.novell.com/show_bug.cgi?id=757271#c2
--- Comment #2 from Christian Boltz

> Or even better, profiles should not be bundled together, but rather be distributed with the package. If the number of profiles increases, it will also become impractical to bundle them all together.

It might look so at first glance, but for various reasons bundling them in the apparmor-profiles package is the easier-to-handle solution. (One of the reasons is that all profiles come with the upstream AppArmor tarball.)
https://bugzilla.novell.com/show_bug.cgi?id=757271#c3
--- Comment #3 from Arjen de Korte
https://bugzilla.novell.com/show_bug.cgi?id=757271#c4
--- Comment #4 from Arjen de Korte

> My mailservers still use courier for historical reasons, therefore I'll need some help ;-)

Apparently, you don't have many users connecting through webmail. Dovecot is *much* better for non-connected IMAP clients than Courier (which I used before too).

> Can you provide your audit.log and (optionally) a profile that also works for dovecot 2.0? (See http://en.opensuse.org/openSUSE:Bugreport_AppArmor for a quick howto.)

The audit.log contains a lot of information I'm not willing to disclose. Providing this would mean stripping lots of user data, and I'm not sure I want to do that. Starting Dovecot and *one* user connecting already generates 10k+ lines in audit.log, with /usr/sbin/dovecot running in complain mode. See above the actual profiles in use now.
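The two objections in comment #4 (a complain-mode log of 10k+ lines per user, and user data in it that should not leave the server) are exactly what a small triage step before aa-logprof addresses. The script below is an added example for this thread, not code from the bug report, from openSUSE or from the AppArmor project. It assumes auditd's one-line key="value" record format for AppArmor events; the sample records, paths, PIDs, timestamps and user names in it are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not code from the bug report, openSUSE or AppArmor):
# boil a large complain-mode audit.log down to the distinct accesses a profile
# reviewer has to look at, and blank out per-user path components so the summary
# can be attached to a bug without revealing which mailboxes exist on the server.
# Assumes auditd's one-line key="value" record format for AppArmor events.

# Constructed sample events: paths, PIDs, users and timestamps are invented for this
# example. The last record is a non-AppArmor SYSCALL line to show that it is ignored.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1335171042.101:4501): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/dovecot" name="/etc/dovecot/dovecot.conf" pid=2345 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1335171042.102:4502): apparmor="ALLOWED" operation="open" parent=2345 profile="/usr/sbin/dovecot" name="/home/alice/Maildir/cur/1335171000.M1P2350.mx:2,S" pid=2350 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1335171042.103:4503): apparmor="ALLOWED" operation="open" parent=2345 profile="/usr/sbin/dovecot" name="/home/alice/Maildir/cur/1335171001.M2P2350.mx:2,S" pid=2350 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1335171042.104:4504): apparmor="ALLOWED" operation="open" parent=2345 profile="/usr/sbin/dovecot" name="/home/bob/Maildir/new/1335171002.M3P2351.mx" pid=2351 comm="imap" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
type=AVC msg=audit(1335171042.105:4505): apparmor="ALLOWED" operation="mknod" parent=2345 profile="/usr/sbin/dovecot" name="/home/bob/Maildir/dovecot.index.log" pid=2351 comm="imap" requested_mask="c" denied_mask="c" fsuid=1001 ouid=1001
type=AVC msg=audit(1335171042.106:4506): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dovecot" name="/var/run/dovecot/login/ssl-params" pid=2345 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1335171042.107:4507): arch=c000003e syscall=2 success=yes exit=3 pid=2345 comm="dovecot"'

# Read audit records on stdin; print "<count> <status> <profile> <operation> <mask> <path>"
# (tab separated), most frequent first, one line per distinct tuple.
aa_summarize() {
    awk '
    # Value of a key="value" pair in an audit record, or "" if the key is absent.
    # The leading space keeps "name" from matching inside other keys.
    function field(line, key) {
        if (match(line, " " key "=\"[^\"]*\""))
            return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        return ""
    }
    /apparmor="(ALLOWED|DENIED)"/ {
        status  = field($0, "apparmor");  profile = field($0, "profile")
        op      = field($0, "operation"); mask    = field($0, "denied_mask")
        name    = field($0, "name")
        if (name == "") next                 # capability/network events carry no path
        # Redaction: every home directory looks alike, and any message file inside a
        # Maildir folder collapses to "*" (which is also the shape a profile rule needs).
        sub("^/home/[^/]+/", "/home/*/", name)
        if (name ~ "/Maildir/(cur|new|tmp)/[^/]+$") sub("[^/]+$", "*", name)
        seen[status "\t" profile "\t" op "\t" mask "\t" name]++
    }
    END { for (k in seen) print seen[k] "\t" k }
    ' | sort -rn
}

# Number of distinct tuples on stdin: the size of the review job, not the log size.
aa_distinct_count() { aa_summarize | awk 'END { print NR }'; }

# Number of AppArmor events on stdin (what the raw log size actually measures).
aa_event_count() { grep -c 'apparmor="'; }

printf '%s\n' "$SAMPLE_AUDIT_LOG" | aa_summarize
```

Run it as `aa_summarize < /var/log/audit/audit.log` on the real log: the seven sample records collapse to five tuples, and the output contains no user names or message file names, only the generalised paths that a profile rule would need anyway. The redaction rules are deliberately narrow (home directories and Maildir message files); mail spools under /var or virtual-user layouts need their own patterns, so check the output before attaching it to a bug.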
https://bugzilla.novell.com/show_bug.cgi?id=757271#c5
--- Comment #5 from Arjen de Korte
https://bugzilla.novell.com/show_bug.cgi?id=757271#c6
--- Comment #6 from Arjen de Korte

> It might look so at first glance, but for various reasons bundling them in the apparmor-profiles package is the easier-to-handle solution. (One of the reasons is that all profiles come with the upstream AppArmor tarball.)

That may be a disaster waiting to happen. This means that if a patch is released for a security problem in Dovecot, there is no guarantee whatsoever that the AppArmor profiles will be updated if necessary. Apparently, apparmor-profiles is not part of the release process of a package (otherwise the missing Dovecot 2.0 profiles would have been spotted earlier on).

I have been blissfully unaware of this so far, but now I'm starting to doubt if the added security AppArmor provides is worth the risk of breaking the package it is supposed to protect. I've already seen several occasions in the past few months where Dovecot stopped working because of insufficient rights granted to it.
https://bugzilla.novell.com/show_bug.cgi?id=757271#c7
--- Comment #7 from Bruno Friedmann
https://bugzilla.novell.com/show_bug.cgi?id=757271#c8
--- Comment #8 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=757271#c9
--- Comment #9 from Christian Boltz

> That may be a disaster waiting to happen. This means that if a patch is released for a security problem in Dovecot, there is no guarantee whatsoever that the AppArmor profiles will be updated if necessary. Apparently, apparmor-profiles is not part of the release process of a package (otherwise the missing Dovecot 2.0 profiles would have been spotted earlier on).

Technically, they are separate packages, yes. OTOH I doubt that having them in the same package would change much. The real issue is _testing_, which some package maintainers obviously don't do too much. I'm also testing as much as possible, but I can't test all profiles myself.

> I have been blissfully unaware of this so far, but now I'm starting to doubt if the added security AppArmor provides is worth the risk of breaking the package it is supposed to protect.

I'd say yes. You'll notice it quickly if a package is "broken" by AppArmor, but it might take some time (worst case: some days or even weeks) to notice if you were hacked, if the hacker knows how to hide himself. Besides that, updating the AppArmor profile is much easier than cleaning up behind a hacker ;-)

> I've already seen several occasions in the past few months where Dovecot stopped working because of insufficient rights granted to it.

Then I could argue that you were late with your bug report ;-) but the good thing is that you reported it. We are on the way to get it fixed :-)
https://bugzilla.novell.com/show_bug.cgi?id=757271#c10
--- Comment #10 from Arjen de Korte
https://bugzilla.novell.com/show_bug.cgi?id=757271#c11
--- Comment #11 from Arjen de Korte
https://bugzilla.novell.com/show_bug.cgi?id=757271#c12
--- Comment #12 from Christian Boltz

> After setting the profiles to 'enforce' mode, dovecot failed to start. I couldn't get the thing to work again. Even after a couple of rounds of setting back to 'complain' mode and running 'aa-logprof'.

I'll check the audit.log - thanks for providing it.

> I'm done with AppArmor. In a system where dovecot is mainly serving a webmail through localhost, it really isn't worth the trouble for me trying to get the profiles up-to-date.

OK, this limits the number of possible attackers ;-)

> Sadly there is no way to exclude the dovecot profiles and keep the others, so I have removed AppArmor now (the lack of granularity here is a showstopper for me).

There is a way: run

    aa-disable /usr/sbin/dovecot

or, if you want to disable all dovecot-related profiles,

    cd /etc/apparmor.d && aa-disable *dove*

This will create a symlink in /etc/apparmor.d/disable which prevents loading of the profile.
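The disable-by-symlink mechanism Christian describes in comment #12 can be rehearsed on a scratch directory before running `aa-disable *dove*` against the real /etc/apparmor.d, which is useful when the worry is that a glob disables more (or less) than intended. The script below is an added example for this thread, not AppArmor's own aa-disable or aa-enable code. It assumes only what the comment states: a profile file is skipped by the loader when a symlink of the same name exists under <dir>/disable. The relative link target (../<file>) and the profile file names used in the scratch tree are this example's own choices, not the contents of the apparmor-profiles package.

```shell
#!/bin/sh
# Added example for this thread (not AppArmor's own aa-disable/aa-enable): rehearse the
# disable-by-symlink mechanism on a scratch copy of the profile directory so a glob
# such as *dove* can be checked before it is used under /etc/apparmor.d.
# Assumption: a profile file is skipped at load time when a symlink of the same name
# exists in <dir>/disable (the relative ../<file> link target is this example's choice).

# Scratch tree with invented profile file names (they follow the usual
# path-with-dots naming but are not the real apparmor-profiles contents).
make_scratch_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/disable"
    for p in usr.sbin.dovecot usr.lib.dovecot.imap usr.lib.dovecot.pop3 usr.sbin.ntpd; do
        printf '# placeholder profile %s\n' "$p" > "$dir/$p"
    done
    echo "$dir"
}

# Disable every profile file matching the given glob(s): <dir> <pattern>...
# This is the file-level effect of "cd <dir> && aa-disable <pattern>".
disable_profiles() {
    dir=$1; shift
    for pattern in "$@"; do
        for f in "$dir"/$pattern; do        # $pattern unquoted on purpose: expand the glob
            [ -f "$f" ] || continue
            base=$(basename "$f")
            ln -sf "../$base" "$dir/disable/$base"
        done
    done
}

# Undo it for one profile file: <dir> <file> (the file-level effect of aa-enable).
enable_profile() { rm -f "$1/disable/$(basename "$2")"; }

# Profile files the loader would still pick up: regular files without a disable link.
active_profiles() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        [ -h "$dir/disable/$base" ] || echo "$base"
    done
}

# Demo: switch off everything dovecot-related, keep the rest, then show what is left.
demo() {
    dir=$(make_scratch_tree)
    disable_profiles "$dir" '*dove*'
    active_profiles "$dir"
    rm -rf "$dir"
}
demo
```

On the scratch tree the demo leaves only usr.sbin.ntpd active, which is the granularity the comment above is pointing at: the other profiles stay installed and can be re-enabled one at a time. On a live system the symlink only stops a profile from being loaded again; aa-disable additionally unloads the profile currently in the kernel, which this dry run deliberately does not touch.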
https://bugzilla.novell.com/show_bug.cgi?id=757271#c13
--- Comment #13 from Christian Boltz