What | Removed | Added |
---|---|---|
CC | dimstar@opensuse.org | |
Flags | needinfo?(dimstar@opensuse.org) |
(In reply to Fabian Vogt from comment #1)
> The pam changelog contains:
>
> > pam_unix: changed to always run the helper to obtain shadow password
> > entries.
>
> So everything which previously opened /etc/shadow directly might now call
> unix_chkpwd instead. That might affect more than just dovecot.

That's good to know, thanks for pointing it out!

Nevertheless, let's start with the actual failure ;-)

The denials translate to the following additions in
/etc/apparmor.d/usr.lib.dovecot.auth:

  /usr/sbin/unix_chkpwd Px,
  owner /proc/@{PID}/loginuid r,

You'll also need a profile for unix_chkpwd, which I'll steal from the
apparmor.d project (please save it as /etc/apparmor.d/unix-chkpwd):

---------------------------------------------------------------------------
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = /{,usr/}{,s}bin/unix_chkpwd
profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  # To write records to the kernel auditing log.
  capability audit_write,

  network netlink raw,

  @{exec_path} mr,

  /etc/shadow r,

  # file_inherit
  owner /dev/tty@{int} rw,

  include if exists <local/unix-chkpwd>
}
---------------------------------------------------------------------------

Can you please test if the dovecot-auth profile addition + this profile fix
the authentication?
(If you still see denials, please switch the affected profiles to complain
mode with aa-complain so that we get everything at once.)

For the record: the following profiles read /etc/shadow (via
abstractions/authentication):
- apparmor.d/usr.lib.dovecot.auth
- apparmor.d/usr.lib.dovecot.dovecot-auth
- apparmor.d/usr.sbin.dovecot
- apparmor.d/usr.sbin.smbd
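Added illustration, not part of the bug report above and not AppArmor's own aa-logprof code: a small Python script that turns AppArmor audit records into the kind of profile additions listed in the comment (an exec denial becomes a `Px` transition rule, a read of the process's own /proc entry becomes an `owner /proc/@{PID}/... r,` rule). The audit lines are constructed for the example and are not real log output from this bug. Two policy choices are assumptions mirroring the comment rather than AppArmor rules: `Px` for every exec (which only works once the target has its own profile, hence the unix-chkpwd profile above), and the `owner` prefix when the accessing uid owns the file and is not root. Records from a profile switched to complain mode with aa-complain arrive as `apparmor="ALLOWED"` instead of `DENIED`, so the script accepts both, which is what makes "complain mode to get everything at once" useful.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the bug report). They have the
# shape of AppArmor audit records; the third one is an ALLOWED record of the
# kind a complain-mode profile emits, the fourth a STATUS record to be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): apparmor="DENIED" operation="exec" profile="dovecot-auth" name="/usr/sbin/unix_chkpwd" pid=1234 comm="auth" requested_mask="x" denied_mask="x" fsuid=97 ouid=0
type=AVC msg=audit(1700000000.124:457): apparmor="DENIED" operation="open" profile="dovecot-auth" name="/proc/1234/loginuid" pid=1234 comm="auth" requested_mask="r" denied_mask="r" fsuid=97 ouid=97
type=AVC msg=audit(1700000000.125:458): apparmor="ALLOWED" operation="open" profile="unix-chkpwd" name="/etc/shadow" pid=1235 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.126:459): apparmor="STATUS" operation="profile_load" profile="unconfined" name="unix-chkpwd" pid=1236 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# audit mask letters that need a different permission letter in a rule:
# create and delete both require write access
MASK_MAP = {"c": "w", "d": "w"}
PERM_ORDER = "rwaklm"


def parse_record(line):
    """Return the key=value fields of one audit line as a dict (quotes stripped)."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def normalise_mask(mask):
    """Collapse an audit mask into profile permission letters in a stable order."""
    perms = {MASK_MAP.get(ch, ch) for ch in mask}
    return "".join(ch for ch in PERM_ORDER if ch in perms)


def rule_for(rec):
    """Translate one DENIED/ALLOWED file record into a profile rule, or None."""
    if rec.get("apparmor") not in ("DENIED", "ALLOWED"):
        return None  # STATUS, AUDIT etc. describe no file access to grant
    path = rec.get("name")
    if not path or not path.startswith("/"):
        return None  # network/capability/signal records are out of scope here
    mask = rec.get("requested_mask", rec.get("denied_mask", ""))
    pid = rec.get("pid")
    # Access to the process's own /proc entries generalises to @{PID}
    own_proc = f"/proc/{pid}/" if pid else None
    if own_proc and path.startswith(own_proc):
        path = "/proc/@{PID}/" + path[len(own_proc):]
    if rec.get("operation") == "exec" or "x" in mask:
        # Assumption mirroring the bug report: transition to the target's own
        # profile with a scrubbed environment (Px). That profile must exist.
        return f"{path} Px,"
    perms = normalise_mask(mask)
    if not perms:
        return None
    # Heuristic (assumption of this example, not an AppArmor rule): add the
    # owner prefix when the accessing uid owns the file and is not root.
    fsuid, ouid = rec.get("fsuid"), rec.get("ouid")
    prefix = "owner " if fsuid is not None and fsuid == ouid and fsuid != "0" else ""
    return f"{prefix}{path} {perms},"


def suggest_rules(audit_text):
    """Map each profile name to the sorted list of rules its records call for."""
    suggestions = defaultdict(set)
    for line in audit_text.splitlines():
        if 'apparmor="' not in line:
            continue
        rec = parse_record(line)
        rule = rule_for(rec)
        if rule:
            suggestions[rec["profile"]].add(rule)
    return {profile: sorted(rules) for profile, rules in suggestions.items()}


if __name__ == "__main__":
    for profile, rules in sorted(suggest_rules(SAMPLE_AUDIT_LOG).items()):
        print(f"# additions for profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Run it against `journalctl -k` or `/var/log/audit/audit.log` output instead of the constructed sample to get a first draft of additions per profile; the output is a starting point to review, not something to paste blindly, since a `Px` rule needs a matching profile and the `owner` heuristic is a guess about intent.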