[Bug 757271] New: No apparmor profiles for Dovecot 2.0
https://bugzilla.novell.com/show_bug.cgi?id=757271
https://bugzilla.novell.com/show_bug.cgi?id=757271#c0

           Summary: No apparmor profiles for Dovecot 2.0
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: All
        OS/Version: openSUSE 12.1
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: suse-beta@cboltz.de
        ReportedBy: suse+build@de-korte.org
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0

The apparmor profiles seem to be generated for a Dovecot 1.2 installation. Since openSUSE 12.1 ships with Dovecot 2.0 as well, the lack of a working apparmor profile is unexpected. There are quite a number of changes to the internals of Dovecot between versions 1.2 and 2.0, so a profile for the first will not work for the latter (and vice versa).

It would be really useful if, when two versions of a program are shipped, either both or neither have an apparmor profile (it took me a while to figure out what the problem was).

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=757271#c1

--- Comment #1 from Arjen de Korte <suse+build@de-korte.org> 2012-04-16 08:58:01 UTC ---
(In reply to comment #0)
> It would be really useful if two versions of a program are shipped, either
> both or neither have an apparmor profile (it took me a while to figure out
> what the problem was).

Or even better, profiles should not be bundled together, but rather be distributed with the package. If the number of profiles increases, it will also become impractical to bundle them all together.
https://bugzilla.novell.com/show_bug.cgi?id=757271#c2

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |suse+build@de-korte.org

--- Comment #2 from Christian Boltz <suse-beta@cboltz.de> 2012-04-16 11:30:54 CEST ---
My mailservers still use courier for historical reasons, therefore I'll need some help ;-)

Can you provide your audit.log and (optionally) a profile that also works for dovecot 2.0? (See http://en.opensuse.org/openSUSE:Bugreport_AppArmor for a quick howto.)

(In reply to comment #1)
> Or even better, profiles should not be bundled together, but rather be
> distributed with the package. If the number of profiles increases, it will
> also become impractical to bundle them all together.

It might look so at first view, but for various reasons bundling them in the apparmor-profiles package is the easier-to-handle solution. (One of the reasons is that all profiles come with the upstream AppArmor tarball.)
https://bugzilla.novell.com/show_bug.cgi?id=757271#c3

Arjen de Korte <suse+build@de-korte.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|suse+build@de-korte.org     |

--- Comment #3 from Arjen de Korte <suse+build@de-korte.org> 2012-04-16 20:04:05 UTC ---
Created an attachment (id=486318)
 --> (http://bugzilla.novell.com/attachment.cgi?id=486318)
Apparmor profiles for Dovecot 2.0
https://bugzilla.novell.com/show_bug.cgi?id=757271#c4

--- Comment #4 from Arjen de Korte <suse+build@de-korte.org> 2012-04-16 20:08:52 UTC ---
(In reply to comment #2)
> My mailservers still use courier for historical reasons, therefore I'll need
> some help ;-)

Apparently, you don't have many users connecting through webmail. Dovecot is *much* better for non-connected IMAP clients than Courier (which I used before too).

> Can you provide your audit.log and (optionally) a profile that also works for
> dovecot 2.0? (See http://en.opensuse.org/openSUSE:Bugreport_AppArmor for a
> quick howto.)

The audit.log contains a lot of information I'm not willing to disclose. Providing this would mean stripping lots of user data and I'm not sure I want to do that. Starting Dovecot and *one* user connecting already generates 10k+ lines in audit.log, with /usr/sbin/dovecot running in complain mode. See above for the actual profiles in use now.
https://bugzilla.novell.com/show_bug.cgi?id=757271#c5

--- Comment #5 from Arjen de Korte <suse+build@de-korte.org> 2012-04-16 20:17:04 UTC ---
Created an attachment (id=486319)
 --> (http://bugzilla.novell.com/attachment.cgi?id=486319)
Stripped audit.log file

User information stripped
https://bugzilla.novell.com/show_bug.cgi?id=757271#c6

--- Comment #6 from Arjen de Korte <suse+build@de-korte.org> 2012-04-17 12:42:35 UTC ---
(In reply to comment #2)
> It might look so at the first view, but for various reasons bundling them in
> the apparmor-profiles package is the easier to handle solution. (One of the
> reasons is that all profiles come with the upstream AppArmor tarball.)

That may be a disaster waiting to happen. This means that if a patch is released for a security problem in Dovecot, there is no guarantee whatsoever that the AppArmor profiles will be updated if necessary. Apparently, apparmor-profiles is not part of the release process of a package (otherwise the missing Dovecot 2.0 profiles would have been spotted earlier on).

I have been blissfully unaware of this so far, but now I'm starting to doubt if the added security AppArmor provides is worth the risk of breaking the package it is supposed to protect. I've already seen several occasions in the past few months where Dovecot stopped working because of insufficient rights granted to it.
https://bugzilla.novell.com/show_bug.cgi?id=757271#c7

Bruno Friedmann <bruno@ioda-net.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bruno@ioda-net.ch
           Severity|Enhancement                 |Normal

--- Comment #7 from Bruno Friedmann <bruno@ioda-net.ch> 2012-05-09 16:26:57 UTC ---
AppArmor dovecot profiles are wrong and block dovecot2 on 11.4 & 12.1

type=AVC msg=audit(1336580068.252:123): apparmor="DENIED" operation="exec" parent=20936 profile="/usr/sbin/dovecot" name="/usr/bin/doveconf" pid=20937 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Fix or remove
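The denial above is the kind of audit line a profile author has to turn into rules, and a single user session produces thousands of them. As an added example (not code from the bug report or from the openSUSE AppArmor package), here is a small POSIX shell/awk helper that extracts the unique (verdict, profile, operation, path, mask) tuples for one profile family from an audit.log and prints candidate rule lines. The sample log is constructed, with Bruno's line from this comment as its first entry; the function names and the rule-hint format are my own.

```shell
#!/bin/sh
# Summarise AppArmor audit events for a set of profiles and turn them into
# candidate rules. Added example, not code from the bug report; the function
# names and the rule hints it prints are my own conventions.

# Constructed sample log: the first line is the denial quoted in comment #7,
# the others are made up to show a complain-mode ("ALLOWED") event, a
# duplicate that must be collapsed, an unrelated profile to be ignored and a
# non-AVC record that must not confuse the parser.
write_sample_log() {
  cat > "$1" <<'EOF'
type=AVC msg=audit(1336580068.252:123): apparmor="DENIED" operation="exec" parent=20936 profile="/usr/sbin/dovecot" name="/usr/bin/doveconf" pid=20937 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1336580070.100:124): apparmor="ALLOWED" operation="open" parent=20936 profile="/usr/sbin/dovecot" name="/etc/dovecot/dovecot.conf" pid=20938 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1336580070.900:125): apparmor="ALLOWED" operation="open" parent=20936 profile="/usr/sbin/dovecot" name="/etc/dovecot/dovecot.conf" pid=20939 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1336580071.500:126): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/cups/printers.conf" pid=4242 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=SYSCALL msg=audit(1336580071.500:126): arch=c000003e syscall=2 success=no exit=-13
EOF
}

# aa_events LOGFILE PROFILE_REGEX
# Prints one unique line per (verdict, profile, operation, path, mask), tab
# separated. ALLOWED events come from complain mode: they are exactly what
# enforce mode would have denied.
aa_events() {
  awk -v pat="$2" '
    /apparmor="(DENIED|ALLOWED)"/ {
      split("", kv)                          # reset the key/value map per line
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        k = substr($i, 1, eq - 1)
        v = substr($i, eq + 1)
        gsub(/"/, "", v)
        kv[k] = v
      }
      if (kv["profile"] !~ pat) next
      print kv["apparmor"] "\t" kv["profile"] "\t" kv["operation"] "\t" kv["name"] "\t" kv["denied_mask"]
    }' "$1" | sort -u
}

# suggest_rules < events
# One rule line per event. exec events get a placeholder transition: the
# mode (Px / Cx / ix) is a design decision the log cannot make for you.
suggest_rules() {
  awk -F'\t' '
    $3 == "exec" { print $4 " Px,   # decide: Px (own profile), Cx (child), ix (inherit)"; next }
    { print $4 " " $5 "," }'
}

# Stand-alone demo on the constructed log
log="${TMPDIR:-/tmp}/aa-sample.$$"
write_sample_log "$log"
aa_events "$log" '^/usr/sbin/dovecot' | suggest_rules
rm -f "$log"
```

On a real server replace the constructed log with /var/log/audit/audit.log and the regex with the profile family you are working on; the output is a starting point for editing the profile by hand, not something to paste in blindly, since a path seen once in a log may deserve a glob, an abstraction, or a deny.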
https://bugzilla.novell.com/show_bug.cgi?id=757271#c8

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #486318|0                           |1
       is obsolete|                            |
Attachment #486319|0                           |1
       is obsolete|                            |

--- Comment #8 from Christian Boltz <suse-beta@cboltz.de> 2012-05-09 20:42:50 CEST ---
Created an attachment (id=490188)
 --> (http://bugzilla.novell.com/attachment.cgi?id=490188)
test profiles - in complain mode

This tarball contains a set of dovecot profiles based on Arjen's audit.log.

Arjen, compared to your profiles I did some things differently - for example, I did not use "ix". Instead, I used Px for nearly everything. The only exception is /usr/bin/doveconf, which is included with Cx (child profile). Maybe I'll change this later, but for now I prefer to have it clearly separated so that I can tell which binary requires a permission.

Note that all profiles are in _complain mode_. This means they will not block/deny anything (in other words: they don't protect you), but they'll log everything they _would_ block to /var/log/audit/audit.log.

Please
- copy the profiles in the tarball to /etc/apparmor.d/
- copy local/* from the tarball to /etc/apparmor.d/local/ only if those files don't exist (or if you are sure you want to overwrite existing files)
- run "old /var/log/audit/audit.log ; rcaudit restart" to get a clean audit.log
- run "rcapparmor reload"
- stop and start dovecot
- use dovecot for a while

Then check your audit.log. If it contains any dovecot-related entries, attach it to this bugreport. (You can of course strip private data, however I'd welcome consistent and useful replacements.)

Again: Dovecot _will_ work because the profiles are in complain mode (= not enforced). Nevertheless audit.log will most probably contain some entries about additionally required permissions which are not covered by this set of profiles.
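An added example, not the tarball attached to this comment, showing what the layout Christian describes looks like in a profile file and scripting the deployment steps he lists. The skeleton rules, the AA_DIR override for a dry run and the rcdovecot script name are assumptions of mine; the rule bodies are only enough to show the Px/Cx/ix distinction and the complain flag, not a complete dovecot 2.0 profile.

```shell
#!/bin/sh
# Deploy a complain-mode dovecot profile skeleton and run the steps from
# comment #8. Added example, not the profiles from the bug; the rules below,
# the AA_DIR override and the rcdovecot name are assumptions.
set -e

AA_DIR="${AA_DIR:-/etc/apparmor.d}"   # point at a scratch dir for a dry run

# write_skeleton DIR
# Px runs a helper under its own profile file, Cx under a child profile defined
# inline, ix inherits the parent profile (convenient, but afterwards you can no
# longer tell which binary needed which permission).
write_skeleton() {
  mkdir -p "$1/local"
  cat > "$1/usr.sbin.dovecot" <<'EOF'
#include <tunables/global>

/usr/sbin/dovecot flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /usr/sbin/dovecot          mr,
  /etc/dovecot/**            r,
  /var/run/dovecot/**        rw,

  # small helper, kept as a child so its needs stay visible in this file
  /usr/bin/doveconf          Cx,
  # long-running services: one profile file each (usr.lib.dovecot.*)
  /usr/lib/dovecot/*         Px,

  profile /usr/bin/doveconf flags=(complain) {
    #include <abstractions/base>
    /usr/bin/doveconf        mr,
    /etc/dovecot/**          r,
  }

  # site-specific additions live here and survive package updates
  #include <local/usr.sbin.dovecot>
}
EOF
  # never clobber an existing local/ file (comment #8)
  [ -e "$1/local/usr.sbin.dovecot" ] || : > "$1/local/usr.sbin.dovecot"
}

# The steps from comment #8, in order. Run as root on the mail server; this
# function is deliberately not called when the file is sourced.
deploy_and_restart() {
  write_skeleton "$AA_DIR"
  old /var/log/audit/audit.log          # openSUSE: rotate the current log away
  rcaudit restart                       # start with a clean audit.log
  rcapparmor reload                     # load the new complain-mode profiles
  rcdovecot stop; rcdovecot start       # assumed init script name
  echo "use dovecot for a while, then look for profile=\"/usr/sbin/dovecot\" in /var/log/audit/audit.log"
}
```

Because every profile carries flags=(complain), nothing is enforced until the flag is removed; the point of the exercise is to let the log accumulate the permissions the skeleton lacks while the service keeps working.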
https://bugzilla.novell.com/show_bug.cgi?id=757271#c9

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |bruno@ioda-net.ch

--- Comment #9 from Christian Boltz <suse-beta@cboltz.de> 2012-05-09 20:58:00 CEST ---
Bruno and Arjen, can you please test the profiles from the previous comment and provide feedback (and your audit.log)?

(In reply to comment #6)
> That may be a disaster waiting to happen. This means that if a patch is
> released for a security problem in Dovecot, there is no guarantee whatsoever
> that the AppArmor profiles will be updated if necessary. Apparently,
> apparmor-profiles is not part of the release process of a package (otherwise
> the missing Dovecot 2.0 profiles would have been spotted earlier on).

Technically, they are separate packages, yes. OTOH I doubt that having them in the same package would change much. The real issue is _testing_, which some package maintainers obviously don't do too much. I'm also testing as much as possible, but I can't test all profiles myself.

> I have been blissfully unaware of this so far, but now I'm starting to doubt
> if the added security AppArmor provides, is worth the risk of breaking the
> package it is supposed to protect.

I'd say yes. You'll notice it quickly if a package is "broken" by AppArmor, but it might take some time (worst case: some days or even weeks) to notice if you were hacked if the hacker knows how to hide himself. Besides that, updating the AppArmor profile is much easier than cleaning up behind a hacker ;-)

> I've already seen several occasions in the past few months, where Dovecot
> stopped working because of insufficient rights granted to it.

Then I could argue that you were late with your bugreport ;-) but the good thing is that you reported it. We are on the way to get it fixed :-)
https://bugzilla.novell.com/show_bug.cgi?id=757271#c10

Arjen de Korte <suse+build@de-korte.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|bruno@ioda-net.ch           |

--- Comment #10 from Arjen de Korte <suse+build@de-korte.org> 2012-05-11 11:38:25 UTC ---
Created an attachment (id=490501)
 --> (http://bugzilla.novell.com/attachment.cgi?id=490501)
Stripped audit.log file
https://bugzilla.novell.com/show_bug.cgi?id=757271#c11

--- Comment #11 from Arjen de Korte <suse+build@de-korte.org> 2012-05-11 13:36:24 UTC ---
After setting the profiles to 'enforce' mode, dovecot failed to start. I couldn't get the thing to work again, even after a couple of rounds of setting back to 'complain' mode and running 'aa-logprof'.

I'm done with AppArmor. In a system where dovecot is mainly serving a webmail through localhost, it really isn't worth the trouble for me trying to get the profiles up-to-date. Sadly there is no way to exclude the dovecot profiles and keep the others, so I have removed AppArmor now (the lack of granularity here is a showstopper for me).
https://bugzilla.novell.com/show_bug.cgi?id=757271#c12

--- Comment #12 from Christian Boltz <suse-beta@cboltz.de> 2012-05-11 20:02:59 CEST ---
(In reply to comment #11)
> After setting the profiles to 'enforce' mode, dovecot failed to start. I
> couldn't get the thing to work again. Even after a couple of rounds of
> setting back to 'complain' mode and running 'aa-logprof'.

I'll check the audit.log - thanks for providing it.

> I'm done with AppArmor. In a system where dovecot is mainly serving a webmail
> through localhost, it really isn't worth the trouble for me trying to get the
> profiles up-to-date.

OK, this limits the number of possible attackers ;-)

> Sadly there is no way to exclude the dovecot profiles and keep the others, so
> I have removed AppArmor now (the lack of granularity here is a showstopper
> for me).

There is a way: run
    aa-disable /usr/sbin/dovecot
or, if you want to disable all dovecot-related profiles,
    cd /etc/apparmor.d && aa-disable *dove*
This will create a symlink in /etc/apparmor.d/disable which prevents loading of the profile.
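What aa-disable does under the hood, spelled out as an added example (not from the bug report or the AppArmor utilities) so the per-profile disable can be verified and dry-run: create the symlink in the disable/ directory, unload the copy of the profile that is already in the kernel, and list what the next reload will skip. AA_DIR is an override of my own so the functions can be exercised against a scratch directory instead of /etc/apparmor.d.

```shell
#!/bin/sh
# Per-profile disabling, the way aa-disable does it. Added example, not part of
# the bug report; AA_DIR is an override for dry runs, and apparmor_parser -R is
# used to unload the already-loaded profile, because the symlink alone only
# takes effect at the next rcapparmor reload.

AA_DIR="${AA_DIR:-/etc/apparmor.d}"

# disable_profiles GLOB   e.g. disable_profiles 'usr.sbin.dovecot'  or  '*dove*'
disable_profiles() {
  mkdir -p "$AA_DIR/disable"
  for f in "$AA_DIR"/$1; do
    [ -f "$f" ] || continue                  # glob did not match, or not a profile file
    ln -sf "$f" "$AA_DIR/disable/$(basename "$f")"
    if command -v apparmor_parser >/dev/null 2>&1; then
      apparmor_parser -R "$f" 2>/dev/null || true   # unload now; ignore "not loaded"
    fi
  done
}

# list_disabled: profile files that the next reload will skip
list_disabled() {
  for l in "$AA_DIR"/disable/*; do
    [ -L "$l" ] && basename "$l"
  done
  return 0
}

# re-enable is the inverse: remove the symlink, then rcapparmor reload
enable_profile() {
  rm -f "$AA_DIR/disable/$1"
}
```

Disabling only the dovecot profiles keeps every other profile enforced, which is the granularity the previous comment asked for; removing the apparmor package instead drops confinement for everything on the host.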
https://bugzilla.novell.com/show_bug.cgi?id=757271#c13

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #13 from Christian Boltz <suse-beta@cboltz.de> 2013-11-28 23:54:06 CET ---
Sorry for the long delay!

There's a newer bug which contains better profiles. I just checked your log, and everything it contains should be covered by the latest profiles.

*** This bug has been marked as a duplicate of bug 851984 ***
http://bugzilla.novell.com/show_bug.cgi?id=851984