[Bug 681267] New: AppArmor completely prevents dovecot IMAP server from functioning
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c0

Summary: AppArmor completely prevents dovecot IMAP server from functioning
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: x86-64
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: iceman@fastmail.com.au
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 SUSE/3.6.15-0.2.1 Firefox/3.6.15

After installing dovecot and applying a fairly straightforward configuration to it I found that my mail client couldn't connect properly to the dovecot server. Also many of dovecot's imap-login processes were completely hanging and had to be killed with a "kill -9", since the normal "service dovecot stop" was unable to stop them.

In /var/log/mail I saw these errors:

Mar 21 12:49:46 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied
Mar 21 12:49:46 triton dovecot: dovecot: Generating Diffie-Hellman parameters for the first time. This may take a while..
Mar 21 12:50:12 triton dovecot: ssl-build-param: SSL parameters regeneration completed
Mar 21 12:50:12 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied
Mar 21 12:50:12 triton dovecot: dovecot: file_copy(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat) failed: No such file or directory

I then enabled non-SSL login to see if the problem was specific to the SSL setup. It wasn't, however, as I then got these errors:

Mar 21 13:22:56 triton dovecot: imap-login: Login: user=<tim>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 21 13:22:56 triton dovecot: setmntent(/etc/mtab) failed: Permission denied
Mar 21 13:22:56 triton dovecot: IMAP(tim): open(/home/tim/Mail/.imap/INBOX/dovecot.index.log) failed: Permission denied (euid=1000(tim) egid=100(users) UNIX perms appear ok, some security policy wrong?)
Mar 21 13:22:56 triton dovecot: IMAP(tim): file_dotlock_create(/home/tim/Mail/main) failed: Permission denied (euid=1000(tim) egid=100(users) UNIX perms appear ok, some security policy wrong?) (under root dir /home/tim/Mail -> no privileged locking)
Mar 21 13:22:56 triton dovecot: IMAP(tim): open() failed with mbox file /home/tim/Mail/main: Permission denied

My dovecot config (dovecot -n):

# 1.2.16: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.37.1-1.2-desktop x86_64 openSUSE 11.4 (x86_64) ext4
protocols: imaps
listen: 127.0.0.1
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_location: mbox:/home/%u/Mail:INBOX=/home/%u/Mail/main
lda:
  postmaster_address: postmaster@example.com
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

The workaround was to use the AppArmor module in YaST to set everything to 'complain', effectively disabling AppArmor.

Reproducible: Always

Steps to Reproduce:
1. Install dovecot
2. Configure dovecot with a working (tested on openSUSE 11.3) configuration file
3. Try to connect to dovecot with a mail client

Actual Results: Client can't connect, errors in /var/log/mail (as detailed in the Summary)

Expected Results: Client can connect

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #24 from Jeff Mahoney
> I'm not sure why this was marked fixed, did anyone test it? I commented 4 months ago that the changes made no difference to me.
> I long ago just turned off Apparmor due to this issue but in the logs I can see it would still be blocking dovecot if I hadn't turned it off:

Yeah, I took the info you gave me and rolled it in. usr.sbin.dovecot contains /etc/mtab. We also have the ssl abstractions.

The audit chunk you posted decodes as:

/home/tim/Mail/.imap/triton Admin/dovecot.index.log

and the apparmor profile for usr.lib.dovecot.imap contains:

@{HOME}/Mail/.imap/** klrw,

so it should be covered.
https://bugzilla.novell.com/show_bug.cgi?id=681267
https://bugzilla.novell.com/show_bug.cgi?id=681267#c26
--- Comment #26 from Christian Boltz
> I'm not sure if I'm having a variant of this problem. One of my IMAP accounts, dhwarchive, has a home directory that is not under /home. (It's /DWMedia/DWMedia3/dhwarchive.)
> Intuitively, I would have thought that "@{HOME}" would work for any user's home directory,

No, @{HOME} is defined as /home/*/ + /root/ (see /etc/apparmor.d/tunables/home).

> but I decided to try adding explicit entries for dhwarchive's home directory:
>
> /DWMedia/DWMedia3/dhwarchive/Maildir/ rw
> /DWMedia/DWMedia3/dhwarchive/Maildir/** rwlk

Correct solution ;-)

> Things now seem to be working, but I hope I don't have to redo this whenever there's an update.

Modified profiles (hopefully) won't be overwritten when installing a new package - you'll see a *.rpmnew.

General note: I committed Jeff's patch upstream, and it will be part of AppArmor 2.7 beta2, which will be released in the next days. Packages will be available in security:apparmor:factory. (Just take the apparmor-profiles package from there.)

If you still see dovecot problems with the 2.7 beta2 apparmor-profiles package, please open a new bug report, attach your audit.log and assign it to me.
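As an added example (not code from this bug thread or from the AppArmor project), the check below reads audit DENIED records, decodes the hex-encoded names that audit emits for paths containing spaces (the form Jeff decoded in comment #24), and tests each denied path against profile path rules with @{HOME} expanded to /home/*/ and /root/ as Christian describes in comment #26. The sample audit lines and the `@{HOME}/Maildir/** rwlk,` rule are constructed assumptions; the `@{HOME}/Mail/.imap/** klrw,` rule is the one quoted in comment #24.

```python
import re

# @{HOME} as the thread states it (tunables/home): /home/*/ and /root/; apparmor_parser
# collapses the "//" where the tunable's trailing slash meets the rule's leading slash.
HOME_VALUES = ("/home/*", "/root")
DENY_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]*)".*?name=(\S+).*?requested_mask="([^"]*)"')

def decode_audit_name(raw):
    # audit(8) hex-encodes, and leaves unquoted, any name containing a space or control char
    return raw.strip('"') if raw.startswith('"') else bytes.fromhex(raw).decode("utf-8", "replace")

def parse_denials(log_text):
    # (profile, decoded path, requested_mask) for every DENIED record in the log
    hits = (DENY_RE.search(line) for line in log_text.splitlines())
    return [(m.group(1), decode_audit_name(m.group(2)), m.group(3)) for m in hits if m]

def glob_to_regex(rule_path):
    # AppArmor globbing: '*' stops at '/', '**' crosses directories, '?' is one non-slash char
    mapping = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", rule_path)
    return re.compile("^" + "".join(mapping.get(p, re.escape(p)) for p in parts) + "$")

def expand_rule(rule):
    # 'path perms,' -> [(regex, perms)], one entry per @{HOME} value when the tunable is used
    path, perms = rule.rstrip(",").split()
    paths = [path.replace("@{HOME}", h) for h in HOME_VALUES] if "@{HOME}" in path else [path]
    return [(glob_to_regex(p), set(perms)) for p in paths]

def uncovered(denials, rules):
    # denials for which no rule matches both the path and every requested permission
    compiled = [c for r in rules for c in expand_rule(r)]
    return [d for d in denials
            if not any(rx.match(d[1]) and set(d[2]) <= perms for rx, perms in compiled)]

# Constructed sample audit lines: the hex-encoded path from comment #24, then the non-/home Maildir of comment #26
SAMPLE_LOG = "\n".join([
    'type=AVC msg=audit(1300000000.001:11): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/dovecot/imap" name='
    + "/home/tim/Mail/.imap/triton Admin/dovecot.index.log".encode().hex().upper()
    + ' pid=1 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1300000000.002:12): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/dovecot/imap" name="/DWMedia/DWMedia3/dhwarchive/Maildir/cur/1.mail" '
    'pid=2 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=1001 ouid=1001',
])
# The first rule is quoted in comment #24; the @{HOME}/Maildir rule is an assumption.
PROFILE_RULES = ["@{HOME}/Mail/.imap/** klrw,", "@{HOME}/Maildir/** rwlk,"]
if __name__ == "__main__":
    for profile, path, mask in uncovered(parse_denials(SAMPLE_LOG), PROFILE_RULES):
        print(f"{profile}: no rule grants {mask} on {path}")
```

Running it reports only the /DWMedia path; appending David's explicit `/DWMedia/DWMedia3/dhwarchive/Maildir/** rwlk,` rule to PROFILE_RULES makes the report empty.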