[opensuse] Apparmor and dovecot clash in Leap 42.1
In the dovecot log on Leap 42.1 I see messages like:

imap(freek): Error: opendir(/home/freek/Maildir) failed: Permission denied (euid=1000(freek) egid=100(users) UNIX perms appear ok (ACL/MAC wrong?))

After some digging I found that this is a problem caused by improper apparmor rules for dovecot. Apparently apparmor does not allow access to the Maildir directory tree by dovecot, which is obviously needed to access e-mail in that directory. So IMAP is not usable any more. Any idea what rule should be added?

Made a bug report: https://bugzilla.opensuse.org/show_bug.cgi?id=967528

-- 
fr.gr.

member openSUSE

Freek de Kruijf

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 02/20/2016 05:47 AM, Freek de Kruijf wrote:
> In the dovecot log on Leap 42.1 I see messages like: imap(freek): Error: opendir(/home/freek/Maildir) failed: Permission denied (euid=1000(freek) egid=100(users) UNIX perms appear ok (ACL/MAC wrong?))
> After some digging I found that this is a problem caused by improper apparmor rules for dovecot. Apparently apparmor does not allow access to the Maildir directory tree by dovecot, which is obviously needed to access e-mail in that directory. So IMAP is not usable any more. Any idea what rule should be added?
> Made a bug report: https://bugzilla.opensuse.org/show_bug.cgi?id=967528
*sigh* This was the problem when I installed on 12.2 as well! See, for example https://forums.opensuse.org/showthread.php/497085-Dovecot-2-1-17-in-opensuse...

At the time I used the apparmor utilities to scan the log files and build the necessary changes. Try "man aa-logprof" to start with.

And it's not just dovecot! Oh, look!

ls --width=72 /etc/apparmor.d/local/
bin.ping
README
sbin.klogd
sbin.syslogd
sbin.syslog-ng
usr.lib.apache2.mpm-prefork.apache2
usr.lib.dovecot.anvil
usr.lib.dovecot.auth
usr.lib.dovecot.config
usr.lib.dovecot.deliver
usr.lib.dovecot.dict
usr.lib.dovecot.dovecot-auth
usr.lib.dovecot.dovecot-lda
usr.lib.dovecot.imap
usr.lib.dovecot.imap-login
usr.lib.dovecot.lmtp
usr.lib.dovecot.log
usr.lib.dovecot.managesieve
usr.lib.dovecot.managesieve-login
usr.lib.dovecot.pop3
usr.lib.dovecot.pop3-login
usr.lib.dovecot.ssl-params
usr.sbin.avahi-daemon
usr.sbin.dnsmasq
usr.sbin.dovecot
usr.sbin.identd
usr.sbin.mdnsd
usr.sbin.nmbd
usr.sbin.nscd
usr.sbin.ntpd
usr.sbin.smbd
usr.sbin.smbd-shares
usr.sbin.smbd-shares.rpmsave
usr.sbin.smbldap-useradd
usr.sbin.traceroute
usr.sbin.winbindd
and more

/etc/apparmor.d/local/README
# This directory is intended to contain profile additions and
# overrides for inclusion by distributed profiles to aid in
# packaging AppArmor for distributions.

-- 
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
On 02/20/2016 02:24 PM, Anton Aylward wrote:
> On 02/20/2016 05:47 AM, Freek de Kruijf wrote:
>> In the dovecot log on Leap 42.1 I see messages like: imap(freek): Error: opendir(/home/freek/Maildir) failed: Permission denied (euid=1000(freek) egid=100(users) UNIX perms appear ok (ACL/MAC wrong?))
>> After some digging I found that this is a problem caused by improper apparmor rules for dovecot. Apparently apparmor does not allow access to the Maildir directory tree by dovecot, which is obviously needed to access e-mail in that directory. So IMAP is not usable any more. Any idea what rule should be added?
>> Made a bug report: https://bugzilla.opensuse.org/show_bug.cgi?id=967528
> *sigh* This was the problem when I installed on 12.2 as well!
Notice /etc/apparmor.d/tunables/dovecot

@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/

and /etc/apparmor.d/abstractions/user-mail

owner @{HOME}/Maildir/ r,
owner @{HOME}/Maildir/** rwl,

The latter I think is not included by the apparmor profiles. Instead, I see, for instance in /etc/apparmor.d/usr.lib.dovecot.dovecot-lda

@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,

The above is in a test install of 42.1

If you change something, do it in /etc/apparmor.d/local/* (means undoing the changes aa-logprof does)

-- 
Cheers / Saludos,

Carlos E. R.
(from openSUSE Leap 42.1 x86_64 (test))
On Saturday 20 February 2016 14:41:30, Carlos E. R. wrote:
> On 02/20/2016 02:24 PM, Anton Aylward wrote:
>> On 02/20/2016 05:47 AM, Freek de Kruijf wrote:
>>> In the dovecot log on Leap 42.1 I see messages like: imap(freek): Error: opendir(/home/freek/Maildir) failed: Permission denied (euid=1000(freek) egid=100(users) UNIX perms appear ok (ACL/MAC wrong?))
>>> After some digging I found that this is a problem caused by improper apparmor rules for dovecot. Apparently apparmor does not allow access to the Maildir directory tree by dovecot, which is obviously needed to access e-mail in that directory. So IMAP is not usable any more. Any idea what rule should be added?
>>> Made a bug report: https://bugzilla.opensuse.org/show_bug.cgi?id=967528
>> *sigh* This was the problem when I installed on 12.2 as well!
> Notice /etc/apparmor.d/tunables/dovecot
> @{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
> and
> /etc/apparmor.d/abstractions/user-mail
> owner @{HOME}/Maildir/ r,
> owner @{HOME}/Maildir/** rwl,
> The latter I think is not included by the apparmor profiles. Instead, I see, for instance in /etc/apparmor.d/usr.lib.dovecot.dovecot-lda
> @{DOVECOT_MAILSTORE}/ rw,
> @{DOVECOT_MAILSTORE}/** rwkl,
> The above is in a test install of 42.1
> If you change something, do it in /etc/apparmor.d/local/* (means undoing the changes aa-logprof does)
The problem is most likely caused by a symbolic link for /home/user/Maildir to /somename/user/Maildir. So I believe apparmor does not honor symbolic links.
On 2016-02-21 15:37, Freek de Kruijf wrote:
> The problem is most likely caused by a symbolic link for /home/user/Maildir to /somename/user/Maildir. So I believe apparmor does not honor symbolic links.
It doesn't, certainly. It would be a large security problem.
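The two points made above, that the shipped profiles only grant @{DOVECOT_MAILSTORE}/** and that AppArmor mediates on the resolved path rather than the symlink, are what a practitioner has to reconcile when the Maildir lives somewhere else. The following is an added example, not code from the thread, openSUSE, AppArmor or Dovecot. It reads AppArmor DENIED records in the kernel audit format (`apparmor="DENIED" operation=... profile=... name=... requested_mask=...`), groups them per profile, and prints candidate `owner` rules for the matching file under /etc/apparmor.d/local/, following the openSUSE convention that each shipped profile includes its local/ counterpart. The audit lines are constructed; /srv/mail/freek/Maildir is an assumed symlink target for /home/freek/Maildir, and /usr/lib/dovecot/imap and /usr/lib/dovecot/dovecot-lda are the profile names taken from the listing earlier in the thread.

```python
#!/usr/bin/env python3
"""Derive candidate AppArmor local-override rules from DENIED audit records.

Added example for the opensuse thread; not project code.  Assumes the kernel
audit format shown in SAMPLE_AUDIT and the openSUSE layout in which
/etc/apparmor.d/<profile-file> #includes /etc/apparmor.d/local/<profile-file>.
"""
import re
from collections import defaultdict

# Constructed sample records (not from the original thread).  Note that the
# name= field carries the *resolved* path /srv/mail/freek/Maildir/: the
# symlink /home/freek/Maildir never appears, so a rule has to name the target.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1455972432.101:201): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/imap" name="/srv/mail/freek/Maildir/" pid=2231 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1455972432.102:202): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/imap" name="/srv/mail/freek/Maildir/dovecot.index.log" pid=2231 comm="imap" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
type=AVC msg=audit(1455972432.103:203): apparmor="DENIED" operation="file_lock" profile="/usr/lib/dovecot/imap" name="/srv/mail/freek/Maildir/dovecot.index.log" pid=2231 comm="imap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
type=AVC msg=audit(1455972432.104:204): apparmor="DENIED" operation="mkdir" profile="/usr/lib/dovecot/dovecot-lda" name="/srv/mail/freek/Maildir/new/" pid=2230 comm="dovecot-lda" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1455972432.105:205): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/dovecot/dovecot.conf" pid=2231 comm="imap" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

AVC_RE = re.compile(
    r'apparmor="(?P<status>DENIED|ALLOWED)"\s+operation="(?P<op>[^"]*)"'
    r'\s+profile="(?P<profile>[^"]*)"\s+name="(?P<name>[^"]*)"'
    r'.*?requested_mask="(?P<mask>[^"]*)"'
)

# The audit log reports create/delete as 'c'/'d'; a profile rule spells both 'w'.
MASK_MAP = {"c": "w", "d": "w"}
MASK_ORDER = "rwaklm"


def parse_denials(text):
    """Return [(profile, resolved_path, requested_mask)] for every DENIED record."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("status") == "DENIED":
            out.append((m.group("profile"), m.group("name"), m.group("mask")))
    return out


def normalise_mask(masks):
    """Union several audit masks into one rule mask in canonical letter order."""
    letters = {MASK_MAP.get(ch, ch) for mask in masks for ch in mask}
    return "".join(ch for ch in MASK_ORDER if ch in letters)


def local_override_path(profile):
    """'/usr/lib/dovecot/imap' -> '/etc/apparmor.d/local/usr.lib.dovecot.imap'."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")


def suggest_rules(denials):
    """Map each local override file to the 'owner' rules that would clear the denials.

    A denied directory (name ends in '/') is widened to the whole tree, in the
    style of abstractions/user-mail, because a mailstore is always a tree; file
    denials already inside such a tree are dropped as redundant.
    """
    by_profile = defaultdict(lambda: defaultdict(list))
    for profile, path, mask in denials:
        by_profile[profile][path].append(mask)
    rules = {}
    for profile, paths in by_profile.items():
        tree_roots = [p for p in paths if p.endswith("/")]
        lines = []
        for path in sorted(paths):
            if path.endswith("/"):
                lines.append(f"owner {path} {normalise_mask(paths[path] + ['r'])},")
                lines.append(f"owner {path}** rwkl,")
            elif any(path.startswith(root) for root in tree_roots):
                continue  # covered by the tree rule emitted for its root
            else:
                lines.append(f"owner {path} {normalise_mask(paths[path])},")
        rules[local_override_path(profile)] = lines
    return rules


def render(rules):
    """Text to review before appending to local/ and running apparmor_parser -r."""
    chunks = []
    for path, lines in sorted(rules.items()):
        chunks.append(f"# >> {path}")
        chunks.extend("  " + line for line in lines)
    return "\n".join(chunks)


if __name__ == "__main__":
    print(render(suggest_rules(parse_denials(SAMPLE_AUDIT))))
```

Feed it the DENIED lines from /var/log/audit/audit.log (or `dmesg`), review the output, append the rules to the named local/ file and reload with `apparmor_parser -r /etc/apparmor.d/usr.lib.dovecot.imap` for each affected profile. Since every dovecot profile on the page reads its mailstore through @{DOVECOT_MAILSTORE}, the alternative that fixes all of them at once is to add the real directory (here the assumed /srv/mail/) to the list in /etc/apparmor.d/tunables/dovecot instead of editing each local/ file; either way the rule must name the symlink target, never the symlink.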
See also bug reports going back a long way, and not just for Suse

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732184
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/997269

and fixes easily found by googling

http://rpm.pbone.net/index.php3/stat/4/idpl/31468861/dir/opensuse/com/apparm...

<quote>
apparmor-profiles rpm build for : OpenSuSE. For other distributions click apparmor-profiles.
Name : apparmor-profiles
Version : 2.10
Vendor : openSUSE
Release : 3.1
Date : 2015-10-13 15:30:41
Group : Productivity/Security
Source RPM : apparmor-2.10-3.1.src.rpm
Size : 0.17 MB
Packager : http://bugs_opensuse_org
Summary : AppArmor profiles that are loaded into the apparmor kernel module
Description : Base profiles. AppArmor is a file and network mandatory access control mechanism. AppArmor confines processes to the resources allowed by the systems administrator and can constrain the scope of potential security vulnerabilities. This package is part of a suite of tools that used to be named SubDomain.
RPM found in directory: /mirror/ftp.opensuse.org/ports/aarch64/distribution/leap/42.1-Current/repo/oss/suse/noarch
</quote>

Please note that last line!
participants (3): Anton Aylward, Carlos E. R., Freek de Kruijf