https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c1 --- Comment #1 from Christian Boltz 2013-11-23 14:20:24 CET --- (In reply to comment #1)

which hinted me at AppArmor denying access to "doveconf". Using the appropriate YaST section, I removed all profiles referring to dovecot. After that, dovecot started and worked as expected. I wondered whether reinstalling the AppArmor profiles would break dovecot again and tried:

zypper in -f apparmor-profiles

and after that

systemctl restart dovecot.service

With the fresh profiles from the repository, dovecot still works.

Do you have any *.rpmnew or *.rpmorig in /etc/apparmor.d/ ? That would explain why deleting and re-installing the dovecot profiles worked. BTW: Did you reload the profiles after re-installing the apparmor-profiles package ("rcapparmor reload")? IIRC the package doesn't do that automatically. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c3 --- Comment #3 from Christian Boltz 2013-11-23 23:20:29 CET --- Created an attachment (id=568826) --> (http://bugzilla.novell.com/attachment.cgi?id=568826) profiles for dovecot2 (probably not complete) (In reply to comment #2)

I did actually not reload the profiles explicitly and had to discover that my "solution" to reinstall the profiles, would have prevented dovecot from working on the next reboot.

OK, at least now I know that the profile really needs an update. After checking the bzr log, that's not too surprising - the last change was two years ago, and the profile is probably only working for dovecot 1.x. The attached tarball contains profiles I use for dovecot 2.x. They are probably not complete yet (that's also the reason why I didn't commit them yet), but might be better than the shipped profiles. Can you please install them in /etc/apparmor.d/ and switch them to complain mode (aa-complain /etc/apparmor.d/*dove*)? Complain mode will allow everything and log what the profiles would not allow. Then check your log for needed profile updates, and attach the log to this bugreport. "Log" can mean: - /var/log/audit/audit.log if auditd is running, otherwise - grep -i apparmor /var/log/messages if you have a syslog daemon running - journalctl | grep -i apparmor > log if you only log to journal -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c4 --- Comment #4 from Franz Häuslschmid 2013-11-24 08:49:08 UTC --- Created an attachment (id=568829) --> (http://bugzilla.novell.com/attachment.cgi?id=568829) grep -i apparmor /var/log/messages Installed the profile files and reloaded AppArmor. After that, browsed partly through my mail tree on the IMAP server provided by dovecot. I didn't experience any problems. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c6 --- Comment #6 from Franz Häuslschmid 2013-11-24 16:48:41 UTC --- (In reply to comment #5) [...]

If you notice more apparmor="ALLOWED" (or apparmor="DENIED") log events, please tell me ;-)

I appreciate your help and slowly, I start to understand AppArmor a little better. In fact, I still get a line like this: Nov 24 17:42:39 odysseus kernel: type=1400 audit(1385311359.970:754): apparmor="DENIED" operation="capable" parent=5160 profile="/usr/lib/dovecot/auth" pid=5209 comm="auth" pid=5209 comm="auth" capability=29 capname="audit_write" -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c8 --- Comment #8 from Franz Häuslschmid 2013-11-25 18:00:42 UTC --- Created an attachment (id=569014) --> (http://bugzilla.novell.com/attachment.cgi?id=569014) AppArmor configuration files for dovecot after modification Works for me now \o/ I attached my current set of configuration files for dovecot. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c10 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- InfoProvider|lukrez.forums@gmx.net |james.knott@rogers.com --- Comment #10 from Christian Boltz 2013-11-27 12:57:31 CET --- (In reply to comment #9)

I installed that working patch

Just to be sure - you mean the profiles from comment #8, right?

and while my dovecot server is running and I can connect to it, only the Inbox is available. I can't access any other folder.

If you provide the AppArmor log, I can give you a working profile ;-) You might also want to switch the profiles to complain mode (which means to allow everything and log what is missing from the profiles). Nevertheless, please provide the log ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c12 --- Comment #12 from Christian Boltz 2013-11-27 18:42:11 CET --- (In reply to comment #11)

Where is that log? There's nothing in /var/log/apparmor?

"Log" can mean: - /var/log/audit/audit.log if auditd is running, otherwise - grep -i apparmor /var/log/messages if you have a syslog daemon running - journalctl | grep -i apparmor > log if you only log to journal - dmesg | grep -i apparmor > log is another option, but lists only the most recent messages Sorry for listing that many options, but things are more interesting[tm] nowadays ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c14 --- Comment #14 from Christian Boltz 2013-11-27 20:17:02 CET --- You have an unusual location for your mail (/home/imap/james.knott/mail/) which can't be covered by the default profile. You'll have to add /home/imap/** klrw, (that's the easiest way if /home/imap contains only mailboxes managed by dovecot) or the more strict /home/imap/*/mail/ rw, /home/imap/*/mail/** klrw, to the usr.lib.dovecot.imap profile (or, better, to local/usr.lib.dovecot.imap) (On the long time, I'll introduce a configuration option so that you have one place in AppArmor where you can set your mail directories.) If you still see AppArmor messages containing ALLOWED or DENIED after this change (and "rcapparmor reload"), please tell me. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c16 --- Comment #16 from Christian Boltz 2013-11-27 22:19:38 CET --- (In reply to comment #15)

After making that change, I can no longer connect to the server. Also, I have been using that directory for years and it hasn't been a problem until now.

Everything in your log should be covered by adding /home/imap/** klrw, to the (local/)usr.lib.dovecot.imap profile and running "rcapparmor reload", which I already recommended in my previous comment. Besides that, I don't see anything on the AppArmor side (and the profile is in complain mode, which means it doesn't block anything). What does the mail / dovecot log say about the problem? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c18 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #568826|0 |1 is obsolete| | Attachment #568829|0 |1 is obsolete| | Attachment #569014|0 |1 is obsolete| | Attachment #569377|0 |1 is obsolete| | Attachment #569391|0 |1 is obsolete| | --- Comment #18 from Christian Boltz 2013-12-30 22:09:37 CET --- Created an attachment (id=573030) --> (http://bugzilla.novell.com/attachment.cgi?id=573030) updated set of profiles This tarball contains an updated set of dovecot profiles. It shouldn't have "real" changes over the last set of profiles, but got some cleanup. The most important change is the introduction of tunables/dovecot where you can set the directory you use as mailstore for all profiles. I'll include those profiles in the next update for 13.1 (and also factory, of course), so please test them and tell me if everything works. I'm also marking all older attachments as obsolete to make clear that this is the latest set of profiles, and that all logs attached to this bug until now were honored. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c20 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|james.knott@rogers.com | --- Comment #20 from Christian Boltz 2013-12-31 19:14:37 CET --- (In reply to comment #19)

i tried this profile, but still get errors trying to get dovecot running. Especially running doveconf fails:

Hmm, that's interesting - especially because I don't have a stand-alone profile for doveconf in the tarball. Maybe it's a leftover from some earlier trials? (Anyway, please attach it so that I can see the content.)

I'm not yet familiar with apparmor, so i cannot deliver a patch atm.

Edit the doveconf profile (probably usr.bin.doveconf) and add /usr/lib/dovecot/managesieve Px, somewhere in the middle. As an alternative, run aa-logprof to update the profile in interactive mode. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c22 --- Comment #22 from Franz Häuslschmid 2014-01-01 10:39:17 UTC --- (In reply to comment #18)

Created an attachment (id=573030) --> (http://bugzilla.novell.com/attachment.cgi?id=573030) [details] updated set of profiles

Works for me. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c24 --- Comment #24 from flo gleixner 2014-01-02 18:49:48 UTC --- While trying to configure dovecot i got some more apparmor errors. I needed to add: In usr.lib.dovecot.dovecot-lda: /var/run/dovecot/mounts r, /proc/*/mounts r, In usr.lib.dovecot.auth /etc/krb5.keytab.mail rk, /var/tmp/imap_* rw, But the /etc/krb5.keytab.mail should probably go into tunables or can be omitted. I didn't want to use standard kerberos keytab /etc/krb5.keytab due to filesystem permissions - but i have to check if i can use standard keytab file somehow. I did only try to authenticate via imap. Probably /var/tmp/pop_* or smtp_* are needed too. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c26 --- Comment #26 from flo gleixner 2014-01-03 00:50:31 UTC --- I tested pop and sieve kerberos logins, and we need: /var/tmp/pop_* rw, /var/tmp/sieve_* rw, I tested with "owner" prepended, but it did not work. I will try with smtp tomorrow, when i got postfix/dovecot-sasl with kerberos working. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c28 --- Comment #28 from Christian Boltz 2014-01-04 13:12:59 CET --- (In reply to comment #27)

OK, tested with postfix and dovecot as sasl.

Thanks for the updates! Updated packages are just building in security:apparmor :-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=851984 https://bugzilla.novell.com/show_bug.cgi?id=851984#c30 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #30 from Christian Boltz 2014-01-19 16:18:36 CET --- SR 214402 sent to openSUSE:13.1:Update -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.