[Bug 851984] New: After update (zypper dup) AppArmor profiles for dovecot have to be manually removed to make dovecot work
https://bugzilla.novell.com/show_bug.cgi?id=851984
https://bugzilla.novell.com/show_bug.cgi?id=851984#c0

Summary: After update (zypper dup) AppArmor profiles for dovecot have to be manually removed to make dovecot work
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 13.1
Status: NEW
Severity: Minor
Priority: P5 - None
Component: AppArmor
AssignedTo: suse-beta@cboltz.de
ReportedBy: lukrez.forums@gmx.net
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0

After having upgraded from 12.3 to 13.1 using the "System Upgrade" method described in http://en.opensuse.org/SDB:System_upgrade, I noticed that dovecot was not available, as it failed to start successfully. The journal gave me this:

Nov 22 15:21:29 odysseus systemd[1]: Starting Dovecot IMAP/POP3 email server...
Nov 22 15:21:29 odysseus systemd[1]: Started Dovecot IMAP/POP3 email server.
Nov 22 15:21:29 odysseus systemd[1]: dovecot.service: main process exited, code=exited, status=84/n/a
Nov 22 15:21:29 odysseus systemd[1]: Unit dovecot.service entered failed state.
Nov 22 15:21:29 odysseus kernel: type=1400 audit(1385130089.675:34): apparmor="DENIED" operation="exec" parent=1 profile="/usr/sbin/dovecot" name="/usr/bin/doveconf" pid=8779 comm="dovecot" requested_mask="x" denied_..."x" fsuid=0 ouid=0
Nov 22 15:21:29 odysseus dovecot[8779]: Fatal: execv(/usr/bin/doveconf) failed: Permission denied

which hinted me at AppArmor denying access to "doveconf". Using the appropriate YaST section, I removed all profiles referring to dovecot. After that, dovecot started and worked as expected. I wondered whether reinstalling the AppArmor profiles would break dovecot again and tried:

zypper in -f apparmor-profiles

and after that

systemctl restart dovecot.service

With the fresh profiles from the repository, dovecot still works.
Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c1
--- Comment #1 from Christian Boltz
> which hinted me at AppArmor denying access to "doveconf". Using the appropriate YaST section, I removed all profiles referring to dovecot. After that, dovecot started and worked as expected. I wondered whether reinstalling the AppArmor profiles would break dovecot again and tried:
>
> zypper in -f apparmor-profiles
>
> and after that
>
> systemctl restart dovecot.service
>
> With the fresh profiles from the repository, dovecot still works.

Do you have any *.rpmnew or *.rpmorig in /etc/apparmor.d/ ? That would explain why deleting and re-installing the dovecot profiles worked.

BTW: Did you reload the profiles after re-installing the apparmor-profiles package ("rcapparmor reload")? IIRC the package doesn't do that automatically.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c2
--- Comment #2 from Franz Häuslschmid
(In reply to comment #1)
>> which hinted me at AppArmor denying access to "doveconf". Using the appropriate YaST section, I removed all profiles referring to dovecot. After that, dovecot started and worked as expected. I wondered whether reinstalling the AppArmor profiles would break dovecot again and tried:
>>
>> zypper in -f apparmor-profiles
>>
>> and after that
>>
>> systemctl restart dovecot.service
>>
>> With the fresh profiles from the repository, dovecot still works.
>
> Do you have any *.rpmnew or *.rpmorig in /etc/apparmor.d/ ? That would explain why deleting and re-installing the dovecot profiles worked.
>
> BTW: Did you reload the profiles after re-installing the apparmor-profiles package ("rcapparmor reload")? IIRC the package doesn't do that automatically.

Thank you for your comment. I actually did not reload the profiles explicitly and had to discover that my "solution" to reinstall the profiles would have prevented dovecot from working on the next reboot. For me, the AppArmor profiles for dovecot in 13.1 are not working. Now I have again removed the profiles concerning dovecot and it works again.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c3
--- Comment #3 from Christian Boltz
> I did actually not reload the profiles explicitly and had to discover that my "solution" to reinstall the profiles would have prevented dovecot from working on the next reboot.

OK, at least now I know that the profile really needs an update. After checking the bzr log, that's not too surprising - the last change was two years ago, and the profile is probably only working for dovecot 1.x.

The attached tarball contains profiles I use for dovecot 2.x. They are probably not complete yet (that's also the reason why I didn't commit them yet), but might be better than the shipped profiles.

Can you please install them in /etc/apparmor.d/ and switch them to complain mode (aa-complain /etc/apparmor.d/*dove*)? Complain mode will allow everything and log what the profiles would not allow. Then check your log for needed profile updates, and attach the log to this bug report.

"Log" can mean:
- /var/log/audit/audit.log if auditd is running, otherwise
- grep -i apparmor /var/log/messages if you have a syslog daemon running
- journalctl | grep -i apparmor > log if you only log to journal
https://bugzilla.novell.com/show_bug.cgi?id=851984#c
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=851984#c4
--- Comment #4 from Franz Häuslschmid
https://bugzilla.novell.com/show_bug.cgi?id=851984#c5
--- Comment #5 from Christian Boltz
> Installed the profile files and reloaded AppArmor. After that, browsed partly through my mail tree on the IMAP server provided by dovecot. I didn't experience any problems.

That's because you switched the profiles to complain mode. However, your log contains some apparmor="ALLOWED" events (which would have been blocked in enforce mode).

You'll need the following profile additions/changes:
--- usr.lib.dovecot.auth 2013-11-23 22:56:12.424309053 +0100
+++ usr.lib.dovecot.auth 2013-11-24 12:45:34.752229423 +0100
@@ -2,6 +2,7 @@
#include
https://bugzilla.novell.com/show_bug.cgi?id=851984#c6
--- Comment #6 from Franz Häuslschmid
> If you notice more apparmor="ALLOWED" (or apparmor="DENIED") log events, please tell me ;-)

I appreciate your help and slowly, I start to understand AppArmor a little better. In fact, I still get a line like this:

Nov 24 17:42:39 odysseus kernel: type=1400 audit(1385311359.970:754): apparmor="DENIED" operation="capable" parent=5160 profile="/usr/lib/dovecot/auth" pid=5209 comm="auth" pid=5209 comm="auth" capability=29 capname="audit_write"
https://bugzilla.novell.com/show_bug.cgi?id=851984#c7
--- Comment #7 from Christian Boltz
> I appreciate your help and slowly, I start to understand AppArmor a little better.

:-) The openSUSE documentation about AppArmor is quite good (doc.opensuse.org -> Security Guide). For getting started, you can also have a look at my slides on http://blog.cboltz.de/archives/65-openSUSE-conference.html

> Nov 24 17:42:39 odysseus kernel: type=1400 audit(1385311359.970:754): apparmor="DENIED" operation="capable" parent=5160 profile="/usr/lib/dovecot/auth" pid=5209 comm="auth" pid=5209 comm="auth" capability=29 capname="audit_write"

You need
--- usr.lib.dovecot.auth 2013-11-24 12:45:34.752229423 +0100 +++usr.lib.dovecot.auth 2013-11-24 20:03:03.826563592 +0100 @@ -9,6 +9,7 @@ deny capability block_suspend, + capability audit_write, capability setgid, capability setuid,
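Review bot: the only change in this hunk is the new `+ capability audit_write,` line, and it matches the `capname="audit_write"` DENIED event quoted just above for `profile="/usr/lib/dovecot/auth"`, so the grant is scoped to the auth helper rather than to the whole dovecot profile set; since the neighbouring `deny capability block_suspend,` shows the profile deliberately restricts capabilities, consider adding a one-line comment above the new rule recording which log event required it, so a later reader can tell the grant is intentional and not a leftover from complain-mode testing.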
https://bugzilla.novell.com/show_bug.cgi?id=851984#c8
--- Comment #8 from Franz Häuslschmid
https://bugzilla.novell.com/show_bug.cgi?id=851984#c9
--- Comment #9 from James Knott
https://bugzilla.novell.com/show_bug.cgi?id=851984#c10
--- Comment #10 from Christian Boltz

> I installed that working patch

Just to be sure - you mean the profiles from comment #8, right?

> and while my dovecot server is running and I can connect to it, only the Inbox is available. I can't access any other folder.

If you provide the AppArmor log, I can give you a working profile ;-) You might also want to switch the profiles to complain mode (which means to allow everything and log what is missing from the profiles). Nevertheless, please provide the log ;-)
https://bugzilla.novell.com/show_bug.cgi?id=851984#c11
--- Comment #11 from James Knott
https://bugzilla.novell.com/show_bug.cgi?id=851984#c12
--- Comment #12 from Christian Boltz
> Where is that log? There's nothing in /var/log/apparmor?

"Log" can mean:
- /var/log/audit/audit.log if auditd is running, otherwise
- grep -i apparmor /var/log/messages if you have a syslog daemon running
- journalctl | grep -i apparmor > log if you only log to journal
- dmesg | grep -i apparmor > log is another option, but lists only the most recent messages

Sorry for listing that many options, but things are more interesting[tm] nowadays ;-)
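The translation from log event to profile rule that Christian does by hand in comments #3, #5 and #7, as an added example that is not part of this bug report or of the AppArmor tools: it parses kernel audit lines of the format quoted above (constructed copies of the events in this thread), treats complain-mode ALLOWED events like DENIED ones, and lists the rule each profile is missing. The Px execute mode and the /home/imap sample path are assumptions for illustration.

```python
import re

# Constructed sample, modelled on the kernel audit events quoted in this bug:
# an exec denial against the shipped profile, the audit_write capability denial
# against the auth helper, and a complain-mode ALLOWED event under /home/imap.
SAMPLE_LOG = """\
Nov 22 15:21:29 odysseus kernel: type=1400 audit(1385130089.675:34): apparmor="DENIED" operation="exec" parent=1 profile="/usr/sbin/dovecot" name="/usr/bin/doveconf" pid=8779 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 24 17:42:39 odysseus kernel: type=1400 audit(1385311359.970:754): apparmor="DENIED" operation="capable" parent=5160 profile="/usr/lib/dovecot/auth" pid=5209 comm="auth" capability=29 capname="audit_write"
Nov 24 17:50:01 odysseus kernel: type=1400 audit(1385311801.100:760): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/home/imap/user/Maildir/cur/1.eml" pid=5300 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="value" or key=bareword

def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def suggest_rule(event):
    """Map one event to the profile rule that would permit it, the way the thread does
    by hand: capable -> capability rule, exec -> file rule with an execute mode
    (Px assumed here, as in the managesieve suggestion), other file ops -> path + mask."""
    operation = event.get("operation")
    if operation == "capable":
        return f'capability {event["capname"]},'
    if operation == "exec":
        return f'{event["name"]} Px,'
    if "name" in event and "requested_mask" in event:
        return f'{event["name"]} {event["requested_mask"]},'
    return None

def review_log(text):
    """Collect the rules each profile is missing. ALLOWED events only appear in
    complain mode and are exactly what enforce mode would block, so they count too."""
    needed = {}
    for line in text.splitlines():
        event = parse_event(line)
        if not event or event.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        rule = suggest_rule(event)
        if rule:
            needed.setdefault(event["profile"], set()).add(rule)
    return needed

if __name__ == "__main__":
    for profile, rules in sorted(review_log(SAMPLE_LOG).items()):
        print(profile)
        for rule in sorted(rules):
            print("   ", rule)
```

Feed it the output of one of the log commands listed above; each suggested rule still needs a human to decide whether it belongs in the profile or is an application bug.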
https://bugzilla.novell.com/show_bug.cgi?id=851984#c13
--- Comment #13 from James Knott
https://bugzilla.novell.com/show_bug.cgi?id=851984#c14
--- Comment #14 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=851984#c15
--- Comment #15 from James Knott
https://bugzilla.novell.com/show_bug.cgi?id=851984#c16
--- Comment #16 from Christian Boltz
> After making that change, I can no longer connect to the server. Also, I have been using that directory for years and it hasn't been a problem until now.

Everything in your log should be covered by adding /home/imap/** klrw, to the (local/)usr.lib.dovecot.imap profile and running "rcapparmor reload", which I already recommended in my previous comment.

Besides that, I don't see anything on the AppArmor side (and the profile is in complain mode, which means it doesn't block anything). What does the mail / dovecot log say about the problem?
https://bugzilla.novell.com/show_bug.cgi?id=851984#c17
--- Comment #17 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=851984#c18
--- Comment #18 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=851984#c19
--- Comment #19 from flo gleixner
https://bugzilla.novell.com/show_bug.cgi?id=851984#c20
--- Comment #20 from Christian Boltz

> I tried this profile, but still get errors trying to get dovecot running. Especially running doveconf fails:

Hmm, that's interesting - especially because I don't have a stand-alone profile for doveconf in the tarball. Maybe it's a leftover from some earlier trials? (Anyway, please attach it so that I can see the content.)

> I'm not yet familiar with apparmor, so I cannot deliver a patch atm.

Edit the doveconf profile (probably usr.bin.doveconf) and add /usr/lib/dovecot/managesieve Px, somewhere in the middle. As an alternative, run aa-logprof to update the profile in interactive mode.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c21
--- Comment #21 from flo gleixner
https://bugzilla.novell.com/show_bug.cgi?id=851984#c22
--- Comment #22 from Franz Häuslschmid
Created an attachment (id=573030) --> (http://bugzilla.novell.com/attachment.cgi?id=573030)
updated set of profiles

Works for me.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c23
--- Comment #23 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=851984#c24
--- Comment #24 from flo gleixner
https://bugzilla.novell.com/show_bug.cgi?id=851984#c25
--- Comment #25 from Christian Boltz

> In usr.lib.dovecot.dovecot-lda:
> /var/run/dovecot/mounts r,
> /proc/*/mounts r,

Thanks, added.

> In usr.lib.dovecot.auth
> /etc/krb5.keytab.mail rk,
> /var/tmp/imap_* rw,
>
> But the /etc/krb5.keytab.mail should probably go into tunables or can be omitted. I didn't want to use the standard kerberos keytab /etc/krb5.keytab due to filesystem permissions

You can add such things to local/usr.lib.dovecot.auth ;-) (tunables/ is used for setting variables, see for example tunables/dovecot)

> I did only try to authenticate via imap. Probably /var/tmp/pop_* or smtp_* are needed too.

Can you please test this and report back? I'm using MySQL auth (which doesn't need anything in /var/tmp/) and don't know anything about kerberos ;-)

Additional question: does it still work if you change /var/tmp/imap_* rw, to owner /var/tmp/imap_* rw, ? This will allow access only to files created by the same user, which is an additional safety net in directories like /var/tmp/ where everybody has write access ;-)
https://bugzilla.novell.com/show_bug.cgi?id=851984#c26
--- Comment #26 from flo gleixner
https://bugzilla.novell.com/show_bug.cgi?id=851984#c27
--- Comment #27 from flo gleixner
https://bugzilla.novell.com/show_bug.cgi?id=851984#c28
--- Comment #28 from Christian Boltz
> OK, tested with postfix and dovecot as sasl.

Thanks for the updates! Updated packages are just building in security:apparmor :-)
https://bugzilla.novell.com/show_bug.cgi?id=851984#c29
--- Comment #29 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=851984#c30
--- Comment #30 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=851984#c31
--- Comment #31 from Bernhard Wiedemann