[Bug 681267] New: AppArmor completely prevents dovecot IMAP server from functioning
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c0

           Summary: AppArmor completely prevents dovecot IMAP server from functioning
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: Final
          Platform: x86-64
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: jeffm@novell.com
        ReportedBy: iceman@fastmail.com.au
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 SUSE/3.6.15-0.2.1 Firefox/3.6.15

After installing dovecot and applying a fairly straightforward configuration to it I found that my mail client couldn't connect properly to the dovecot server. Also many of dovecot's imap-login processes were completely hanging and had to be killed with a kill -9 since the normal service dovecot stop was unable to stop them.

In /var/log/mail I saw these errors:

Mar 21 12:49:46 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied
Mar 21 12:49:46 triton dovecot: dovecot: Generating Diffie-Hellman parameters for the first time. This may take a while..
Mar 21 12:50:12 triton dovecot: ssl-build-param: SSL parameters regeneration completed
Mar 21 12:50:12 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied
Mar 21 12:50:12 triton dovecot: dovecot: file_copy(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat) failed: No such file or directory

I then enabled non-SSL login to see if the problem was specific to the SSL setup. It wasn't however as I then got these errors:

Mar 21 13:22:56 triton dovecot: imap-login: Login: user=<tim>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 21 13:22:56 triton dovecot: setmntent(/etc/mtab) failed: Permission denied
Mar 21 13:22:56 triton dovecot: IMAP(tim): open(/home/tim/Mail/.imap/INBOX/dovecot.index.log) failed: Permission denied (euid=1000(tim) egid=100(users) UNIX perms appear ok, some security policy wrong?)
Mar 21 13:22:56 triton dovecot: IMAP(tim): file_dotlock_create(/home/tim/Mail/main) failed: Permission denied (euid=1000(tim) egid=100(users) UNIX perms appear ok, some security policy wrong?) (under root dir /home/tim/Mail -> no privileged locking)
Mar 21 13:22:56 triton dovecot: IMAP(tim): open() failed with mbox file /home/tim/Mail/main: Permission denied

My dovecot config (dovecot -n):

# 1.2.16: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.37.1-1.2-desktop x86_64 openSUSE 11.4 (x86_64) ext4
protocols: imaps
listen: 127.0.0.1
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_location: mbox:/home/%u/Mail:INBOX=/home/%u/Mail/main
lda:
  postmaster_address: postmaster@example.com
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

The workaround was to use the AppArmor module in YAST to set everything to 'complain', effectively disabling AppArmor.

Reproducible: Always

Steps to Reproduce:
1. Install dovecot
2. Configure dovecot with a working (tested on Opensuse 11.3) configuration file
3. Try to connect to dovecot with a mail client

Actual Results:
Client can't connect, errors in /var/log/mail (as detailed in the Summary)

Expected Results:
Client can connect

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c1

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |iceman@fastmail.com.au

--- Comment #1 from Jeff Mahoney <jeffm@novell.com> 2011-03-21 14:03:05 UTC ---

Since you've put the profile into complain mode, you should have the info needed to update the profile. Can you attach your /var/log/audit/audit.log?
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c2

Tim Edwards <iceman@fastmail.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|iceman@fastmail.com.au      |

--- Comment #2 from Tim Edwards <iceman@fastmail.com.au> 2011-03-22 08:47:10 UTC ---

Created an attachment (id=420633)
 --> (http://bugzilla.novell.com/attachment.cgi?id=420633)
audit.log entries relevant to dovecot

This is the output of the command:
sudo grep dovecot /var/log/audit/audit.log
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c3

Carsten Koch <CarstenKochElsdorf@web.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |CarstenKochElsdorf@web.de

--- Comment #3 from Carsten Koch <CarstenKochElsdorf@web.de> 2011-03-28 00:57:33 UTC ---

Same here. dovecot out of the box did not even start (it complained that /usr/bin/doveconf could not be executed).

So I added

/usr/bin/doveconf ux,

to /etc/apparmor.d/usr.sbin.dovecot

Now dovecot started, but a telnet <hostname> 143 gave me no output. /var/log/mail.err contains lines like this:

Mar 27 01:52:44 puwa dovecot: master: Error: service(config): child 10364 returned error 84 (exec() failed)
Mar 27 01:52:44 puwa dovecot: master: Error: service(config): command startup failed, throttling
Mar 27 01:52:44 puwa dovecot: master: Error: service(imap-login): command startup failed, throttling

When I disabled apparmor entirely, dovecot worked immediately.

Please fix! I feel naked without AppArmor!

puwa:~ # cat /etc/SuSE-release
openSUSE 11.4 (x86_64)
VERSION = 11.4
CODENAME = Celadon
puwa:~ # uname -a
Linux puwa 2.6.37.1-1.2-desktop #1 SMP PREEMPT 2011-02-21 10:34:10 +0100 x86_64 x86_64 x86_64 GNU/Linux
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c4

Javier Llorente <javier@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |javier@opensuse.org

--- Comment #4 from Javier Llorente <javier@opensuse.org> 2011-03-29 20:40:43 UTC ---

Same thing here. I got the "ssl-parameters.dat" error, disabled AppArmor and dovecot worked again.

I have re-enabled AppArmor and now I get:

Mar 29 22:37:16 blau dovecot: setmntent(/etc/mtab) failed: Permission denied
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c5

--- Comment #5 from Javier Llorente <javier@opensuse.org> 2011-03-29 20:43:24 UTC ---

BTW, I upgraded from 11.3 to 11.4 using zypper dup.
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c6

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |iceman@fastmail.com.au

--- Comment #6 from Jeff Mahoney <jeffm@novell.com> 2011-03-29 21:01:24 UTC ---

I've updated the profiles. Test packages to appear at:
http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open...

They should contain the changelog entry:

-------------------------------------------------------------------
Tue Mar 29 22:59:39 CEST 2011 - jeffm@suse.de

- Updated dovecot profile (bnc#681267).
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c7

Tim Edwards <iceman@fastmail.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|iceman@fastmail.com.au      |

--- Comment #7 from Tim Edwards <iceman@fastmail.com.au> 2011-03-30 19:01:46 UTC ---

Ok I've updated apparmor-profiles using your RPM (YAST saw it as a vendor change). I still get one error about /etc/mtab permission, however the dovecot server seems to work fine:

Mar 30 20:54:08 triton dovecot: Dovecot v1.2.16 starting up (core dumps disabled)
Mar 30 20:54:19 triton dovecot: imap-login: Login: user=<tim>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS
Mar 30 20:54:19 triton dovecot: setmntent(/etc/mtab) failed: Permission denied
Mar 30 20:54:39 triton dovecot: imap-login: Login: user=<tim>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS

rpm -qa | grep apparmor | sort
apparmor-docs-2.5.1.r1445-52.55.1.x86_64
apparmor-parser-2.5.1.r1445-52.55.1.x86_64
apparmor-profiles-2.5.1.r1445-59.1.noarch
apparmor-utils-2.5.1.r1445-52.55.1.noarch
libapparmor1-2.5.1.r1445-52.55.1.x86_64
pam_apparmor-2.5.1.r1445-52.55.1.x86_64
patterns-openSUSE-apparmor-11.4-6.9.1.x86_64
patterns-openSUSE-apparmor_opt-11.4-6.9.1.x86_64
perl-apparmor-2.5.1.r1445-52.55.1.x86_64
yast2-apparmor-2.20.1-1.2.1.noarch

The only thing is that I went through the YAST wizard to setup some custom apparmor permissions to allow dovecot to work. I'm not sure if installing the new apparmor-profiles RPM has overwritten those - if not how do I remove them so I can test properly?
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c8

--- Comment #8 from Tim Edwards <iceman@fastmail.com.au> 2011-03-31 05:18:45 UTC ---

Actually, ignore what I wrote in the last comment. I rebooted the machine and now Apparmor is blocking dovecot completely again:

Mar 31 07:16:04 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied
Mar 31 07:16:04 triton dovecot: dovecot: Generating Diffie-Hellman parameters for the first time. This may take a while..
Mar 31 07:16:13 triton dovecot: ssl-build-param: SSL parameters regeneration completed
Mar 31 07:16:13 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied
Mar 31 07:16:13 triton dovecot: dovecot: file_copy(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat) failed: No such file or directory
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c9

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #9 from Jeff Mahoney <jeffm@novell.com> 2011-04-11 19:55:46 UTC ---

This should be fixed in SR 66522, to be released as an update soon.
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c10

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #10 from Jeff Mahoney <jeffm@novell.com> 2011-04-13 19:53:52 UTC ---

Update is checked in. Closing as FIXED.
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c11

Andres Nogueiras Melendez <aaugusto@uvigo.es> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aaugusto@uvigo.es

--- Comment #11 from Andres Nogueiras Melendez <aaugusto@uvigo.es> 2011-04-21 12:22:11 UTC ---

Hi all,

Just my one and a half cent, I just suffered an issue from this bug. As long as the fixed package for apparmor profiles is not available yet, when upgrading the email server I spent around half a day dealing with no access to mail accounts (can't read mail) although we can receive.

As this bug is marked as FIXED, and I truly believe that it is, maybe it is time to say it is already unfixed, as long as the new profile package is not available in the main repositories.

I congratulate you all who work by SuSE, Novell and collaborate with openSUSE for all your excellent work.

All the best!
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c12

--- Comment #12 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-04-28 13:57:37 CEST ---

This is an autogenerated message for OBS integration:
This bug (681267) was mentioned in
https://build.opensuse.org/request/show/66464
https://build.opensuse.org/request/show/66522
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c13

Rui Salgueiro <rps@mat.uc.pt> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rps@mat.uc.pt

--- Comment #13 from Rui Salgueiro <rps@mat.uc.pt> 2011-05-23 16:27:20 UTC ---

This bug has also affected me.

When will the update be released?

(My system has all the updates, according to YaST, but the versions of apparmor are still the same as the original poster:
apparmor-profiles - 2.5.1.r1445-52.55.1
apparmor-utils - 2.5.1.r1445-52.55.1
)
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c14

--- Comment #14 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-06-23 21:00:46 CEST ---

This is an autogenerated message for OBS integration:
This bug (681267) was mentioned in
https://build.opensuse.org/request/show/74415 11.4 / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c15

--- Comment #15 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-06-24 17:00:45 CEST ---

This is an autogenerated message for OBS integration:
This bug (681267) was mentioned in
https://build.opensuse.org/request/show/74457 11.4 / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c16

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:running:41833:low

--- Comment #16 from Swamp Workflow Management <swamp@suse.com> 2011-06-25 19:58:09 UTC ---

The SWAMPID for this issue is 41833.
This issue was rated as low.
Please submit fixed packages until 2011-07-25.
Also create a patchinfo file using this link:
https://swamp.suse.de/webswamp/wf/41833
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c17

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:41833:low     |maint:running:41833:low
                   |                            |maint:released:11.4:41905

--- Comment #17 from Swamp Workflow Management <swamp@suse.de> 2011-07-07 13:17:32 UTC ---

Update released for: apache2-mod_apparmor, apparmor-docs, apparmor-parser, apparmor-profiles, apparmor-utils, libapparmor-devel, libapparmor1, pam_apparmor, perl-apparmor, tomcat_apparmor
Products:
openSUSE 11.4 (debug, i586, x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:41833:low     |maint:released:11.4:41905
                   |maint:released:11.4:41905   |
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c18

Björn Jacobs <bjoern.jacobs@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bjoern.jacobs@gmx.net

--- Comment #18 from Björn Jacobs <bjoern.jacobs@gmx.net> 2011-07-26 12:11:34 UTC ---

I just upgraded from Dovecot 1.2 to 2.0, installed all available updates to Dovecot and AppArmor, but the problem is not fixed here.

me:/ # /etc/init.d/dovecot start
Starting dovecot Fatal: execv(/usr/bin/doveconf) failed: Permission denied
startproc: exit status of parent of /usr/sbin/dovecot: 84

me:/ # rpm -qa | grep apparmor | sort
apparmor-docs-2.5.1.r1445-52.59.1.noarch
apparmor-parser-2.5.1.r1445-52.59.1.x86_64
apparmor-profiles-2.5.1.r1445-52.59.1.noarch
apparmor-utils-2.5.1.r1445-52.59.1.noarch
libapparmor1-2.5.1.r1445-52.59.1.x86_64
libapparmor-devel-2.5.1.r1445-52.59.1.x86_64
pam_apparmor-2.5.1.r1445-52.59.1.x86_64
patterns-openSUSE-apparmor-11.4-6.9.1.x86_64
patterns-openSUSE-apparmor_opt-11.4-6.9.1.x86_64
perl-apparmor-2.5.1.r1445-52.59.1.x86_64
yast2-apparmor-2.20.1-1.2.1.noarch

When disabling AppArmor, everything works fine.

Thanks for your help!
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c19

--- Comment #19 from Marcus Meissner <meissner@novell.com> 2011-07-26 12:22:21 UTC ---

you could disable the dovecot profile, or use logprof to handle new rights it wants
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c20

--- Comment #20 from Tim Edwards <iceman@fastmail.com.au> 2011-07-26 13:09:39 UTC ---

I'm not sure why this was marked fixed, did anyone test it? I commented 4 months ago that the changes made no difference to me.

I long ago just turned off Apparmor due to this issue but in the logs I can see it would still be blocking dovecot if I hadn't turned it off:

Jul 26 15:04:03 triton kernel: [325830.735248] type=1400 audit(1311685443.595:2396): apparmor="ALLOWED" operation="file_lock" parent=2521 profile="/usr/lib/dovecot/imap" name=2F686F6D652F74696D2F4D61696C2F2E696D61702F747269746F6E2041646D696E2F646F7665636F742E696E6465782E6C6F67 pid=20845 comm="imap" requested_mask="wk" denied_mask="wk" fsuid=1000 ouid=1000
Jul 26 15:04:03 triton kernel: [325830.735289] type=1400 audit(1311685443.595:2397): apparmor="ALLOWED" operation="file_lock" parent=2521 profile="/usr/lib/dovecot/imap" name=2F686F6D652F74696D2F4D61696C2F2E696D61702F747269746F6E2041646D696E2F646F7665636F742E696E6465782E6C6F67 pid=20845 comm="imap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c21

--- Comment #21 from Björn Jacobs <bjoern.jacobs@gmx.net> 2011-07-26 14:07:06 UTC ---

Created an attachment (id=442387)
 --> (http://bugzilla.novell.com/attachment.cgi?id=442387)
Modified profile for Dovecot
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c22

--- Comment #22 from Björn Jacobs <bjoern.jacobs@gmx.net> 2011-07-26 14:07:53 UTC ---

Created an attachment (id=442388)
 --> (http://bugzilla.novell.com/attachment.cgi?id=442388)
New profile for Dovecot (doveconf)
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c23

--- Comment #23 from Björn Jacobs <bjoern.jacobs@gmx.net> 2011-07-26 14:08:37 UTC ---

I used logprof and genprof to generate/modify the profiles so that -for me- it now works. When using genprof I chose "inherit" for all execution rights I was asked for and "allow" for all read rights.

But since I'm really new to AppArmor-profiles, there is no guarantee that the modified profiles are still totally safe.

I attached the new and modified profile. Maybe this helps. :)

Greets,
Björn
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c24

--- Comment #24 from Jeff Mahoney <jeffm@novell.com> 2011-08-03 00:53:59 UTC ---

(In reply to comment #20)
> I'm not sure why this was marked fixed, did anyone test it? I commented 4 months ago that the changes made no difference to me.
>
> I long ago just turned off Apparmor due to this issue but in the logs I can see it would still be blocking dovecot if I hadn't turned it off:

Yeah, I took the info you gave me and rolled it in. usr.sbin.dovecot contains /etc/mtab. We also have the ssl abstractions.

The audit chunk you posted decodes as:
/home/tim/Mail/.imap/triton Admin/dovecot.index.log

and the apparmor profile for usr.lib.dovecot.imap contains:
@{HOME}/Mail/.imap/** klrw,

so it should be covered.
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c25

David Walker <DHWalker@ucdavis.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |DHWalker@ucdavis.edu

--- Comment #25 from David Walker <DHWalker@ucdavis.edu> 2011-09-11 18:14:43 UTC ---

I'm not sure if I'm having a variant of this problem. One of my IMAP accounts, dhwarchive, has a home directory that is not under /home. (It's /DWMedia/DWMedia3/dhwarchive.) After upgrading from openSUSE 11.3 and dovecot 1.1 to openSUSE 11.4 and dovecot 1.2, I couldn't access that account via IMAP, although all other accounts worked fine.

After seeing this bug (and not knowing much of anything about AppArmor), I used the Yast2/AppArmor Edit Profile tool to see the entries for /usr/lib/dovecot/imap and noticed that it had entries for "@{HOME}/Maildir/ - rw" and "@{HOME}/Maildir/** - rwlk". Intuitively, I would have thought that "@{HOME}" would work for any user's home directory, but I decided to try adding explicit entries for dhwarchive's home directory:

/DWMedia/DWMedia3/dhwarchive/Maildir/ rw
/DWMedia/DWMedia3/dhwarchive/Maildir/** rwlk

Things now seem to be working, but I hope I don't have to redo this whenever there's an update.

David
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c26

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |suse-beta@cboltz.de

--- Comment #26 from Christian Boltz <suse-beta@cboltz.de> 2011-09-13 21:09:52 CEST ---

(In reply to comment #25)
> I'm not sure if I'm having a variant of this problem. One of my IMAP accounts, dhwarchive, has a home directory that is not under /home. (It's /DWMedia/DWMedia3/dhwarchive.)

> Intuitively, I would have thought that "@{HOME}" would work for any user's home directory,

no, @{HOME} is defined as /home/*/ + /root/ (see /etc/apparmor.d/tunables/home)

> but I decided to try adding explicit entries for dhwarchive's home directory:
>
> /DWMedia/DWMedia3/dhwarchive/Maildir/ rw
> /DWMedia/DWMedia3/dhwarchive/Maildir/** rwlk

Correct solution ;-)

> Things now seem to be working, but I hope I don't have to redo this whenever there's an update.

Modified profiles (hopefully) won't be overwritten when installing a new package - you'll see a *.rpmnew.

General note: I committed Jeff's patch upstream, and it will be part of AppArmor 2.7 beta2 which will be released in the next days. Packages will be available in security:apparmor:factory. (Just take the apparmor-profiles package from there.)

If you still see dovecot problems with the 2.7 beta2 apparmor-profiles package, please open a new bugreport, attach your audit.log and assign it to me.
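
The two checks made by hand in comments #24 and #26, as an added Python example that is not part of the original thread or of the AppArmor tools: it decodes the hex-encoded name= field of the audit record from comment #20 and tests it against a profile file rule, expanding @{HOME} the way comment #26 describes it. The function names are hypothetical, the matcher is a simplification that handles only *, ** and ?, and the path under /DWMedia used in the demo is constructed.

```python
import re

# @{HOME} as comment #26 describes it (/home/*/ + /root/). The authoritative
# value is in /etc/apparmor.d/tunables/home and may differ per system.
HOME_ALTERNATIVES = ["/home/*/", "/root/"]

# First audit record from comment #20, copied from the thread.
AUDIT_LINE = (
    'type=1400 audit(1311685443.595:2396): apparmor="ALLOWED" '
    'operation="file_lock" parent=2521 profile="/usr/lib/dovecot/imap" '
    'name=2F686F6D652F74696D2F4D61696C2F2E696D61702F747269746F6E2041646D'
    '696E2F646F7665636F742E696E6465782E6C6F67 pid=20845 comm="imap" '
    'requested_mask="wk" denied_mask="wk" fsuid=1000 ouid=1000'
)

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = bare or quoted
        # A name containing characters such as a space is logged unquoted
        # and hex-encoded; turn it back into the path.
        if key == "name" and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields


def glob_to_regex(glob):
    """Translate a path glob: '*' stays inside one component, '**' crosses '/'."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out), re.S)


def expand_home(glob):
    """Substitute each @{HOME} alternative and collapse doubled slashes."""
    if "@{HOME}" not in glob:
        return [glob]
    return [re.sub(r"/{2,}", "/", glob.replace("@{HOME}", home))
            for home in HOME_ALTERNATIVES]


def rule_covers(rule, path, requested_mask):
    """True if one file rule grants every requested permission on path."""
    glob, perms = rule.strip().rstrip(",").rsplit(None, 1)
    if not set(requested_mask) <= set(perms):
        return False
    return any(glob_to_regex(g).fullmatch(path) for g in expand_home(glob))


if __name__ == "__main__":
    rec = parse_audit(AUDIT_LINE)
    print("decoded name:", rec["name"])
    print("covered by imap rule:",
          rule_covers("@{HOME}/Mail/.imap/** klrw,", rec["name"],
                      rec["requested_mask"]))
    # Constructed path below the non-/home home directory from comment #25.
    outside = "/DWMedia/DWMedia3/dhwarchive/Maildir/cur/msg1"
    print("@{HOME} rule:", rule_covers("@{HOME}/Maildir/** rwlk", outside, "rw"))
    print("explicit rule:",
          rule_covers("/DWMedia/DWMedia3/dhwarchive/Maildir/** rwlk", outside, "rw"))
```
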