[Bug 681267] New: AppArmor completely prevents dovecot IMAP server from functioning

newer
[Bug 717499] New: kiwi: allow oem...

bugzilla_noreply＠novell.com

21 Mar 2011 21 Mar '11

13:28

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c0 Summary: AppArmor completely prevents dovecot IMAP server from functioning Classification: openSUSE Product: openSUSE 11.4 Version: Final Platform: x86-64 OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: AppArmor AssignedTo: jeffm@novell.com ReportedBy: iceman@fastmail.com.au QAContact: qa@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 SUSE/3.6.15-0.2.1 Firefox/3.6.15 After installing dovecot and applying a fairly straightforward configuration to it I found that my mail client couldn't connect properly to the dovecot server. Also many of dovecot's imap-login processes were completely hanging and had to be killed with a kill -9 since the normal service dovecot stop was unable to stop them. In /var/log/mail I saw these errors: Mar 21 12:49:46 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied Mar 21 12:49:46 triton dovecot: dovecot: Generating Diffie-Hellman parameters for the first time. This may take a while.. Mar 21 12:50:12 triton dovecot: ssl-build-param: SSL parameters regeneration completed Mar 21 12:50:12 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied Mar 21 12:50:12 triton dovecot: dovecot: file_copy(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat) failed: No such file or directory I then enabled non-SSL login to see if the problem was specific to the SSL setup. It wasn't however as I then got these errors: Mar 21 13:22:56 triton dovecot: imap-login: Login: user=<tim>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured Mar 21 13:22:56 triton dovecot: setmntent(/etc/mtab) failed: Permission denied Mar 21 13:22:56 triton dovecot: IMAP(tim): open(/home/tim/Mail/.imap/INBOX/dovecot.index.log) failed: Permission denied (euid=1000(tim) egid=100(users) UNIX perms appear ok, some security policy wrong?) Mar 21 13:22:56 triton dovecot: IMAP(tim): file_dotlock_create(/home/tim/Mail/main) failed: Permission denied (euid=1000(tim) egid=100(users) UNIX perms appear ok, some security policy wrong?) (under root dir /home/tim/Mail -> no privileged locking) Mar 21 13:22:56 triton dovecot: IMAP(tim): open() failed with mbox file /home/tim/Mail/main: Permission denied My dovecot config (dovecot -n): # 1.2.16: /etc/dovecot/dovecot.conf # OS: Linux 2.6.37.1-1.2-desktop x86_64 openSUSE 11.4 (x86_64) ext4 protocols: imaps listen: 127.0.0.1 login_dir: /var/run/dovecot/login login_executable: /usr/lib/dovecot/imap-login mail_location: mbox:/home/%u/Mail:INBOX=/home/%u/Mail/main lda: postmaster_address: postmaster@example.com auth default: passdb: driver: pam userdb: driver: passwd The workaround was to use the AppArmor module in YAST to set everything to 'complain', effectively disabling AppArmor. Reproducible: Always Steps to Reproduce: 1. Install dovecot 2. Configure dovecot with a working (tested on Opensuse 11.3) configuration file 3. Try to connect to dovecot with a mail client Actual Results: Client can't connect, errors in /var/log/mail (as detailed in the Summary) Expected Results: Client can connect -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

21 Mar 21 Mar

14:03

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c1 Jeff Mahoney changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |iceman@fastmail.com.au --- Comment #1 from Jeff Mahoney 2011-03-21 14:03:05 UTC --- Since you've put the profile into complain mode, you should have the info needed to update the profile. Can you attach your /var/log/audit/audit.log? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

22 Mar 22 Mar

08:47

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c2 Tim Edwards changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|iceman@fastmail.com.au | --- Comment #2 from Tim Edwards 2011-03-22 08:47:10 UTC --- Created an attachment (id=420633) --> (http://bugzilla.novell.com/attachment.cgi?id=420633) audit.log entries relevant to dovecot This is the output of the command: sudo grep dovecot /var/log/audit/audit.log -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

28 Mar 28 Mar

00:57

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c3 Carsten Koch changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |CarstenKochElsdorf@web.de --- Comment #3 from Carsten Koch 2011-03-28 00:57:33 UTC --- Same here. dovecot out of the box did not even start (it complained that /usr/bin/doveconf could not be executed). So I added /usr/bin/doveconf ux, to /etc/apparmor.d/usr.sbin.dovecot Now dovecot started, but a telnet <hostname> 143 gave me no output. /var/log/mail.err contains lines like this: Mar 27 01:52:44 puwa dovecot: master: Error: service(config): child 10364 returned error 84 (exec() failed) Mar 27 01:52:44 puwa dovecot: master: Error: service(config): command startup failed, throttling Mar 27 01:52:44 puwa dovecot: master: Error: service(imap-login): command startup failed, throttling When I disabled apparmor entirely, dovecot worked immediately. Please fix! I feel naked without AppArmor! puwa:~ # cat /etc/SuSE-release openSUSE 11.4 (x86_64) VERSION = 11.4 CODENAME = Celadon puwa:~ # uname -a Linux puwa 2.6.37.1-1.2-desktop #1 SMP PREEMPT 2011-02-21 10:34:10 +0100 x86_64 x86_64 x86_64 GNU/Linux -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

29 Mar 29 Mar

20:40

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c4 Javier Llorente changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |javier@opensuse.org --- Comment #4 from Javier Llorente 2011-03-29 20:40:43 UTC --- Same thing here. I got the "ssl-parameters.dat" error, disabled AppArmor and dovecot worked again. I have re-enabled AppArmor and now I get: Mar 29 22:37:16 blau dovecot: setmntent(/etc/mtab) failed: Permission denied -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

20:43

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c5 --- Comment #5 from Javier Llorente 2011-03-29 20:43:24 UTC --- BTW, I upgraded from 11.3 to 11.4 using zypper dup. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

21:01

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c6 Jeff Mahoney changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |iceman@fastmail.com.au --- Comment #6 from Jeff Mahoney 2011-03-29 21:01:24 UTC --- I've updated the profiles. Test packages to appear at: http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open... They should contain the changelog entry: ------------------------------------------------------------------- Tue Mar 29 22:59:39 CEST 2011 - jeffm@suse.de - Updated dovecot profile (bnc#681267). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

30 Mar 30 Mar

19:01

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c7 Tim Edwards changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|iceman@fastmail.com.au | --- Comment #7 from Tim Edwards 2011-03-30 19:01:46 UTC --- Ok I've updated apparmor-profiles using your RPM (YAST saw it as a vendor change). I still get one error about /etc/mtab permission, however the dovecot server seems to work fine: Mar 30 20:54:08 triton dovecot: Dovecot v1.2.16 starting up (core dumps disabled) Mar 30 20:54:19 triton dovecot: imap-login: Login: user=<tim>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS Mar 30 20:54:19 triton dovecot: setmntent(/etc/mtab) failed: Permission denied Mar 30 20:54:39 triton dovecot: imap-login: Login: user=<tim>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS rpm -qa | grep apparmor | sort apparmor-docs-2.5.1.r1445-52.55.1.x86_64 apparmor-parser-2.5.1.r1445-52.55.1.x86_64 apparmor-profiles-2.5.1.r1445-59.1.noarch apparmor-utils-2.5.1.r1445-52.55.1.noarch libapparmor1-2.5.1.r1445-52.55.1.x86_64 pam_apparmor-2.5.1.r1445-52.55.1.x86_64 patterns-openSUSE-apparmor-11.4-6.9.1.x86_64 patterns-openSUSE-apparmor_opt-11.4-6.9.1.x86_64 perl-apparmor-2.5.1.r1445-52.55.1.x86_64 yast2-apparmor-2.20.1-1.2.1.noarch The only thing is that I went through the YAST wizard to setup some custom apparmor permissions to allow dovecot to work. I'm not sure if installing the new apparmor-profiles RPM has overwritten those - if not how do I remove them so I can test properly? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

31 Mar 31 Mar

05:18

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c8 --- Comment #8 from Tim Edwards 2011-03-31 05:18:45 UTC --- Actually, ignore what I wrote in the last comment. I rebooted the machine and now Apparmor is blocking dovecot completely again: Mar 31 07:16:04 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied Mar 31 07:16:04 triton dovecot: dovecot: Generating Diffie-Hellman parameters for the first time. This may take a while.. Mar 31 07:16:13 triton dovecot: ssl-build-param: SSL parameters regeneration completed Mar 31 07:16:13 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied Mar 31 07:16:13 triton dovecot: dovecot: file_copy(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat) failed: No such file or directory -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Apr 11 Apr

19:55

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c9 Jeff Mahoney changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED --- Comment #9 from Jeff Mahoney 2011-04-11 19:55:46 UTC --- This should be fixed in SR 66522, to be released as an update soon. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13 Apr 13 Apr

19:53

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c10 Jeff Mahoney changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #10 from Jeff Mahoney 2011-04-13 19:53:52 UTC --- Update is checked in. Closing as FIXED. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

21 Apr 21 Apr

12:22

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c11 Andres Nogueiras Melendez changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aaugusto@uvigo.es --- Comment #11 from Andres Nogueiras Melendez 2011-04-21 12:22:11 UTC --- Hi all, Just my one and a half cent, I just suffer an issue from this bug. As long as the fixed package for apparmour profiles is not available yet, when upgrading the email server I spent around half a day dealing with no access to mail accounts (can't read mail) altrough we can receive. As this bug is marked as FIXED, and I truly believe that it is, maybe it is time to say it is alredy unfixed, as long as the new profile package is not available in the main repositories. I congratulate you all who work by SuSE, Novell and collaborate with openSUSE for all your excellent work. All the best! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

28 Apr 28 Apr

11:57

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c12 --- Comment #12 from Bernhard Wiedemann 2011-04-28 13:57:37 CEST --- This is an autogenerated message for OBS integration: This bug (681267) was mentioned in https://build.opensuse.org/request/show/66464 https://build.opensuse.org/request/show/66522 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

23 May 23 May

16:27

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c13 Rui Salgueiro changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |rps@mat.uc.pt --- Comment #13 from Rui Salgueiro 2011-05-23 16:27:20 UTC --- This bug has also affected me. When will the update be released ? (My system has all the updates, according to YaST, but the versions of apparmor are still the same as the original poster: apparmor-profiles - 2.5.1.r1445-52.55.1 apparmor-utils - 2.5.1.r1445-52.55.1 ) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

23 Jun 23 Jun

19:00

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c14 --- Comment #14 from Bernhard Wiedemann 2011-06-23 21:00:46 CEST --- This is an autogenerated message for OBS integration: This bug (681267) was mentioned in https://build.opensuse.org/request/show/74415 11.4 / apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

24 Jun 24 Jun

15:00

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c15 --- Comment #15 from Bernhard Wiedemann 2011-06-24 17:00:45 CEST --- This is an autogenerated message for OBS integration: This bug (681267) was mentioned in https://build.opensuse.org/request/show/74457 11.4 / apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

25 Jun 25 Jun

19:58

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c16 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| |maint:running:41833:low --- Comment #16 from Swamp Workflow Management 2011-06-25 19:58:09 UTC --- The SWAMPID for this issue is 41833. This issue was rated as low. Please submit fixed packages until 2011-07-25. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/41833 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

7 Jul 7 Jul

13:17

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c17 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:41833:low |maint:running:41833:low | |maint:released:11.4:41905 --- Comment #17 from Swamp Workflow Management 2011-07-07 13:17:32 UTC --- Update released for: apache2-mod_apparmor, apparmor-docs, apparmor-parser, apparmor-profiles, apparmor-utils, libapparmor-devel, libapparmor1, pam_apparmor, perl-apparmor, tomcat_apparmor Products: openSUSE 11.4 (debug, i586, x86_64) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:19

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:41833:low |maint:released:11.4:41905 |maint:released:11.4:41905 | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

26 Jul 26 Jul

12:11

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c18 Björn Jacobs changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bjoern.jacobs@gmx.net --- Comment #18 from Björn Jacobs 2011-07-26 12:11:34 UTC --- I just upgraded from Dovecot 1.2 to 2.0, installed all available updates to Dovecot and AppArmor, but the problem is not fixed here. me:/ # /etc/init.d/dovecot start Starting dovecot Fatal: execv(/usr/bin/doveconf) failed: Permission denied startproc: exit status of parent of /usr/sbin/dovecot: 84 me:/ # rpm -qa | grep apparmor | sort apparmor-docs-2.5.1.r1445-52.59.1.noarch apparmor-parser-2.5.1.r1445-52.59.1.x86_64 apparmor-profiles-2.5.1.r1445-52.59.1.noarch apparmor-utils-2.5.1.r1445-52.59.1.noarch libapparmor1-2.5.1.r1445-52.59.1.x86_64 libapparmor-devel-2.5.1.r1445-52.59.1.x86_64 pam_apparmor-2.5.1.r1445-52.59.1.x86_64 patterns-openSUSE-apparmor-11.4-6.9.1.x86_64 patterns-openSUSE-apparmor_opt-11.4-6.9.1.x86_64 perl-apparmor-2.5.1.r1445-52.59.1.x86_64 yast2-apparmor-2.20.1-1.2.1.noarch When disabling AppArmor, everything works fine. Thanks for your help! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:22

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c19 --- Comment #19 from Marcus Meissner 2011-07-26 12:22:21 UTC --- you could disable the dovecot profile, or use logprof to handle new rights it wants -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:09

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c20 --- Comment #20 from Tim Edwards 2011-07-26 13:09:39 UTC --- I'm not sure why this was marked fixed, did anyone test it? I commented 4 months ago that the changes made no difference to me. I long ago just turned off Apparmor due to this issue but in the logs I can see it would still be blocking dovecot if I hadn't turned it off: Jul 26 15:04:03 triton kernel: [325830.735248] type=1400 audit(1311685443.595:2396): apparmor="ALLOWED" operation="file_lock" parent=2521 profile="/usr/lib/dovecot/imap" name=2F686F6D652F74696D2F4D61696C2F2E696D61702F747269746F6E2041646D696E2F646F7665636F742E696E6465782E6C6F67 pid=20845 comm="imap" requested_mask="wk" denied_mask="wk" fsuid=1000 ouid=1000 Jul 26 15:04:03 triton kernel: [325830.735289] type=1400 audit(1311685443.595:2397): apparmor="ALLOWED" operation="file_lock" parent=2521 profile="/usr/lib/dovecot/imap" name=2F686F6D652F74696D2F4D61696C2F2E696D61702F747269746F6E2041646D696E2F646F7665636F742E696E6465782E6C6F67 pid=20845 comm="imap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14:07

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c21 --- Comment #21 from Björn Jacobs 2011-07-26 14:07:06 UTC --- Created an attachment (id=442387) --> (http://bugzilla.novell.com/attachment.cgi?id=442387) Modified profile for Dovecot -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14:07

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c22 --- Comment #22 from Björn Jacobs 2011-07-26 14:07:53 UTC --- Created an attachment (id=442388) --> (http://bugzilla.novell.com/attachment.cgi?id=442388) New profile for Dovecot (doveconf) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14:08

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c23 --- Comment #23 from Björn Jacobs 2011-07-26 14:08:37 UTC --- I used logprof and genprof to generate/modify the profiles so that -for me- it now works. When using genprof I chose "inherit" for all execution rights I was asked for and and "allow" for all read rights. But since I'm really new to AppArmor-profiles, there is no guarantee that the modified profiles are still totally safe. I attached the new and modified profile. Maybe this helps. :) Greets, Björn -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

3 Aug 3 Aug

00:54

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c24 --- Comment #24 from Jeff Mahoney 2011-08-03 00:53:59 UTC --- (In reply to comment #20)

...

I'm not sure why this was marked fixed, did anyone test it? I commented 4 months ago that the changes made no difference to me.

I long ago just turned off Apparmor due to this issue but in the logs I can see it would still be blocking dovecot if I hadn't turned it off:

Yeah, I took the info you gave me and rolled it in. usr.sbin.dovecot contains /etc/mtab. We also have the ssl abstractions. The audit chunk you posted decodes as: /home/tim/Mail/.imap/triton Admin/dovecot.index.log and the apparmor profile for usr.lib.dovecot.imap contains: @{HOME}/Mail/.imap/** klrw, . so it should be covered. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Sep 11 Sep

18:14

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c25 David Walker changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |DHWalker@ucdavis.edu --- Comment #25 from David Walker 2011-09-11 18:14:43 UTC --- I'm not sure if I'm having a variant of this problem. One of my IMAP accounts, dhwarchive, has a home directory that is not under /home. (It's /DWMedia/DWMedia3/dhwarchive.) After upgrading from openSUSE 11.3 and dovecot 1.1 to openSUSE 11.4 and dovecot 1.2, I couldn't access that account via IMAP, although all other accounts worked fine. After seeing this bug (and not knowing much of anything about AppArmor), I used the Yast2/AppArmor Edit Profile tool to see the entries for /usr/lib/dovecot/imap and noticed that it had entries for "@{HOME}/Maildir/ - rw" and "@{HOME}/Maildir/** - rwlk". Intuitively, I would have thought that "@{HOME}" would work for any user's home directory, but I decided to try adding explicit entries for dhwarchive's home directory: /DWMedia/DWMedia3/dhwarchive/Maildir/ rw /DWMedia/DWMedia3/dhwarchive/Maildir/** rwlk Things now seem to be working, but I hope I don't have to redo this whenever there's an update. David -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13 Sep 13 Sep

19:09

New subject: [Bug 681267] AppArmor completely prevents dovecot IMAP server from functioning

https://bugzilla.novell.com/show_bug.cgi?id=681267 https://bugzilla.novell.com/show_bug.cgi?id=681267#c26 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |suse-beta@cboltz.de --- Comment #26 from Christian Boltz 2011-09-13 21:09:52 CEST --- (In reply to comment #25)

...

I'm not sure if I'm having a variant of this problem. One of my IMAP accounts, dhwarchive, has a home directory that is not under /home. (It's /DWMedia/DWMedia3/dhwarchive.)

...

Intuitively, I would have thought that "@{HOME}" would work for any user's home directory,

no, @{HOME} is defined as /home/*/ + /root/ (see /etc/apparmor.d/tunables/home)

...

but I decided to try adding explicit entries for dhwarchive's home directory:

/DWMedia/DWMedia3/dhwarchive/Maildir/ rw /DWMedia/DWMedia3/dhwarchive/Maildir/** rwlk

Correct solution ;-)

...

Things now seem to be working, but I hope I don't have to redo this whenever there's an update.

Modified profiles (hopefully) won't be overwritten when installing a new package - you'll see a *.rpmnew. General note: I commited Jeff's patch upstream, and it will be part of AppArmor 2.7 beta2 which will be released in the next days. Packages will be available in security:apparmor:factory. (Just take the apparmor-profiles package from there.) If you still see dovecot problems with the 2.7 beta2 apparmor-profiles package, please open a new bugreport, attach your audit.log and assign it to me. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

4611

Age (days ago)

4787

Last active (days ago)

List overview

Download

27 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 681267] New: AppArmor completely prevents dovecot IMAP server from functioning

tags

participants (1)