[Bug 851984] New: After update (zypper dup) AppArmor profiles for dovecot have to be manually removed to make dovecot work
https://bugzilla.novell.com/show_bug.cgi?id=851984
https://bugzilla.novell.com/show_bug.cgi?id=851984#c0

Summary: After update (zypper dup) AppArmor profiles for dovecot have to be manually removed to make dovecot work
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 13.1
Status: NEW
Severity: Minor
Priority: P5 - None
Component: AppArmor
AssignedTo: suse-beta@cboltz.de
ReportedBy: lukrez.forums@gmx.net
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0

After having upgraded from 12.3 to 13.1 using the "System Upgrade" method described in <http://en.opensuse.org/SDB:System_upgrade>, I noticed that dovecot was not available, as it failed to start successfully. The journal gave me this:

Nov 22 15:21:29 odysseus systemd[1]: Starting Dovecot IMAP/POP3 email server...
Nov 22 15:21:29 odysseus systemd[1]: Started Dovecot IMAP/POP3 email server.
Nov 22 15:21:29 odysseus systemd[1]: dovecot.service: main process exited, code=exited, status=84/n/a
Nov 22 15:21:29 odysseus systemd[1]: Unit dovecot.service entered failed state.
Nov 22 15:21:29 odysseus kernel: type=1400 audit(1385130089.675:34): apparmor="DENIED" operation="exec" parent=1 profile="/usr/sbin/dovecot" name="/usr/bin/doveconf" pid=8779 comm="dovecot" requested_mask="x" denied_..."x" fsuid=0 ouid=0
Nov 22 15:21:29 odysseus dovecot[8779]: Fatal: execv(/usr/bin/doveconf) failed: Permission denied

which hinted to me that AppArmor was denying access to "doveconf". Using the appropriate YaST section, I removed all profiles referring to dovecot. After that, dovecot started and worked as expected. I wondered whether reinstalling the AppArmor profiles would break dovecot again and tried:

zypper in -f apparmor-profiles

and after that

systemctl restart dovecot.service

With the fresh profiles from the repository, dovecot still works.
Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c1

--- Comment #1 from Christian Boltz <suse-beta@cboltz.de> 2013-11-23 14:20:24 CET ---
(In reply to comment #1)
> which hinted to me that AppArmor was denying access to "doveconf". Using the appropriate YaST section, I removed all profiles referring to dovecot. After that, dovecot started and worked as expected. I wondered whether reinstalling the AppArmor profiles would break dovecot again and tried:
> zypper in -f apparmor-profiles
> and after that
> systemctl restart dovecot.service
> With the fresh profiles from the repository, dovecot still works.
Do you have any *.rpmnew or *.rpmorig in /etc/apparmor.d/ ? That would explain why deleting and re-installing the dovecot profiles worked.

BTW: Did you reload the profiles after re-installing the apparmor-profiles package ("rcapparmor reload")? IIRC the package doesn't do that automatically.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c2

--- Comment #2 from Franz Häuslschmid <lukrez.forums@gmx.net> 2013-11-23 14:59:22 UTC ---
(In reply to comment #1)
> > which hinted to me that AppArmor was denying access to "doveconf". Using the appropriate YaST section, I removed all profiles referring to dovecot. After that, dovecot started and worked as expected. I wondered whether reinstalling the AppArmor profiles would break dovecot again and tried:
> > zypper in -f apparmor-profiles
> > and after that
> > systemctl restart dovecot.service
> > With the fresh profiles from the repository, dovecot still works.
>
> Do you have any *.rpmnew or *.rpmorig in /etc/apparmor.d/ ? That would explain why deleting and re-installing the dovecot profiles worked.
>
> BTW: Did you reload the profiles after re-installing the apparmor-profiles package ("rcapparmor reload")? IIRC the package doesn't do that automatically.
Thank you for your comment. I actually did not reload the profiles explicitly and had to discover that my "solution" of reinstalling the profiles would have prevented dovecot from working on the next reboot. For me, the AppArmor profiles for dovecot in 13.1 are not working. Now I have removed the profiles concerning dovecot again and it works again.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c3

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> 2013-11-23 23:20:29 CET ---
Created an attachment (id=568826) --> (http://bugzilla.novell.com/attachment.cgi?id=568826)
profiles for dovecot2 (probably not complete)

(In reply to comment #2)
> I actually did not reload the profiles explicitly and had to discover that my "solution" of reinstalling the profiles would have prevented dovecot from working on the next reboot.
OK, at least now I know that the profile really needs an update. After checking the bzr log, that's not too surprising - the last change was two years ago, and the profile is probably only working for dovecot 1.x.

The attached tarball contains profiles I use for dovecot 2.x. They are probably not complete yet (that's also the reason why I didn't commit them yet), but might be better than the shipped profiles.

Can you please install them in /etc/apparmor.d/ and switch them to complain mode (aa-complain /etc/apparmor.d/*dove*)? Complain mode will allow everything and log what the profiles would not allow. Then check your log for needed profile updates, and attach the log to this bug report.

"Log" can mean:
- /var/log/audit/audit.log if auditd is running, otherwise
- grep -i apparmor /var/log/messages if you have a syslog daemon running
- journalctl | grep -i apparmor > log if you only log to journal
https://bugzilla.novell.com/show_bug.cgi?id=851984#c

Christian Boltz <suse-beta@cboltz.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEW                         |NEEDINFO
   InfoProvider    |                            |lukrez.forums@gmx.net
https://bugzilla.novell.com/show_bug.cgi?id=851984#c4

--- Comment #4 from Franz Häuslschmid <lukrez.forums@gmx.net> 2013-11-24 08:49:08 UTC ---
Created an attachment (id=568829) --> (http://bugzilla.novell.com/attachment.cgi?id=568829)
grep -i apparmor /var/log/messages

Installed the profile files and reloaded AppArmor. After that, I browsed partly through my mail tree on the IMAP server provided by dovecot. I didn't experience any problems.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c5

--- Comment #5 from Christian Boltz <suse-beta@cboltz.de> 2013-11-24 12:58:32 CET ---
(In reply to comment #4)
> Installed the profile files and reloaded AppArmor. After that, I browsed partly through my mail tree on the IMAP server provided by dovecot. I didn't experience any problems.
That's because you switched the profiles to complain mode. However, your log contains some apparmor="ALLOWED" events (which would have been blocked in enforce mode). You'll need the following profile additions/changes:

--- usr.lib.dovecot.auth 2013-11-23 22:56:12.424309053 +0100
+++ usr.lib.dovecot.auth 2013-11-24 12:45:34.752229423 +0100
@@ -2,6 +2,7 @@
 #include <tunables/global>

 /usr/lib/dovecot/auth {
+  #include <abstractions/authentication>
   #include <abstractions/base>
   #include <abstractions/mysql>
   #include <abstractions/nameservice>
--- usr.lib.dovecot.imap 2013-10-21 12:23:09.000000000 +0200
+++ usr.lib.dovecot.imap 2013-11-24 12:48:52.734597289 +0100
@@ -12,11 +12,11 @@
   @{HOME}/Maildir/ rw,
   @{HOME}/Maildir/** klrw,
   @{HOME}/Mail/ rw,
-  @{HOME}/Mail/* klrw,
+  @{HOME}/Mail/** klrw, # * -> **
   @{HOME}/Mail/.imap/** klrw,
   @{HOME}/mail/ rw,
-  @{HOME}/mail/* klrw,
+  @{HOME}/mail/** klrw, # * -> **
   @{HOME}/mail/.imap/** klrw,
   /usr/lib/dovecot/imap mr,
   /var/mail/* klrw,
-  /var/spool/mail/* klrw,
+  /var/spool/mail/** klrw, # * -> **

If you notice more apparmor="ALLOWED" (or apparmor="DENIED") log events, please tell me ;-)
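Review bot: the `+  #include <abstractions/authentication>` line in the usr.lib.dovecot.auth hunk does not say which ALLOWED event it is meant to cover; since an abstraction brings in a whole bundle of rules rather than the single path the log showed, a short comment naming that path (or the narrower explicit rule instead of the include) would keep the grant reviewable when the profile is revisited later.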
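Review bot: in the usr.lib.dovecot.imap hunk, once `@{HOME}/Mail/* klrw,` and `@{HOME}/mail/* klrw,` become `**` rules, the unchanged `@{HOME}/Mail/.imap/** klrw,` and `@{HOME}/mail/.imap/** klrw,` context lines are redundant, because `**` already matches recursively; either drop them or note why they stay. The widened `/var/spool/mail/** klrw,` also carries no `owner` qualifier (the qualifier discussed for /var/tmp/ later in this bug); if the imap process runs as the mailbox owner, `owner` would stop it from writing other users' spools.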
https://bugzilla.novell.com/show_bug.cgi?id=851984#c6

--- Comment #6 from Franz Häuslschmid <lukrez.forums@gmx.net> 2013-11-24 16:48:41 UTC ---
(In reply to comment #5)
[...]
> If you notice more apparmor="ALLOWED" (or apparmor="DENIED") log events, please tell me ;-)
I appreciate your help, and slowly I start to understand AppArmor a little better. In fact, I still get a line like this:

Nov 24 17:42:39 odysseus kernel: type=1400 audit(1385311359.970:754): apparmor="DENIED" operation="capable" parent=5160 profile="/usr/lib/dovecot/auth" pid=5209 comm="auth" pid=5209 comm="auth" capability=29 capname="audit_write"
https://bugzilla.novell.com/show_bug.cgi?id=851984#c7

--- Comment #7 from Christian Boltz <suse-beta@cboltz.de> 2013-11-24 20:43:45 CET ---
(In reply to comment #6)
> I appreciate your help, and slowly I start to understand AppArmor a little better.
:-) The openSUSE documentation about AppArmor is quite good (doc.opensuse.org -> Security Guide). For getting started, you can also have a look at my slides on http://blog.cboltz.de/archives/65-openSUSE-conference.html
> Nov 24 17:42:39 odysseus kernel: type=1400 audit(1385311359.970:754): apparmor="DENIED" operation="capable" parent=5160 profile="/usr/lib/dovecot/auth" pid=5209 comm="auth" pid=5209 comm="auth" capability=29 capname="audit_write"
You need

--- usr.lib.dovecot.auth 2013-11-24 12:45:34.752229423 +0100
+++usr.lib.dovecot.auth 2013-11-24 20:03:03.826563592 +0100
@@ -9,6 +9,7 @@
   deny capability block_suspend,
+  capability audit_write,
   capability setgid,
   capability setuid,
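Review bot: the `+++usr.lib.dovecot.auth` header is missing the space after `+++`, so `patch` will not parse the new-file name from it; also, the added `capability audit_write,` line would be easier to justify later with a comment tying it to the `capability=29 capname="audit_write"` denial quoted above, so a reader of the profile knows the auth helper needs it for writing audit records during authentication.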
https://bugzilla.novell.com/show_bug.cgi?id=851984#c8

--- Comment #8 from Franz Häuslschmid <lukrez.forums@gmx.net> 2013-11-25 18:00:42 UTC ---
Created an attachment (id=569014) --> (http://bugzilla.novell.com/attachment.cgi?id=569014)
AppArmor configuration files for dovecot after modification

Works for me now \o/ I attached my current set of configuration files for dovecot.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c9

James Knott <james.knott@rogers.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC    |                            |james.knott@rogers.com

--- Comment #9 from James Knott <james.knott@rogers.com> 2013-11-27 03:47:39 UTC ---
I installed that working patch and while my dovecot server is running and I can connect to it, only the Inbox is available. I can't access any other folder.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c10

Christian Boltz <suse-beta@cboltz.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   InfoProvider    |lukrez.forums@gmx.net       |james.knott@rogers.com

--- Comment #10 from Christian Boltz <suse-beta@cboltz.de> 2013-11-27 12:57:31 CET ---
(In reply to comment #9)
> I installed that working patch
Just to be sure - you mean the profiles from comment #8, right?
> and while my dovecot server is running and I can connect to it, only the Inbox is available. I can't access any other folder.
If you provide the AppArmor log, I can give you a working profile ;-)

You might also want to switch the profiles to complain mode (which means to allow everything and log what is missing from the profiles). Nevertheless, please provide the log ;-)
https://bugzilla.novell.com/show_bug.cgi?id=851984#c11

--- Comment #11 from James Knott <james.knott@rogers.com> 2013-11-27 12:57:59 UTC ---
Where is that log? There's nothing in /var/log/apparmor?

Changing the dovecot lines to complain worked and I now have access to my folders. BTW, there was one line "usr.lib.dovecot.deliver" that wouldn't change to complain.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c12

--- Comment #12 from Christian Boltz <suse-beta@cboltz.de> 2013-11-27 18:42:11 CET ---
(In reply to comment #11)
> Where is that log? There's nothing in /var/log/apparmor?
"Log" can mean:
- /var/log/audit/audit.log if auditd is running, otherwise
- grep -i apparmor /var/log/messages if you have a syslog daemon running
- journalctl | grep -i apparmor > log if you only log to journal
- dmesg | grep -i apparmor > log is another option, but lists only the most recent messages

Sorry for listing that many options, but things are more interesting[tm] nowadays ;-)
https://bugzilla.novell.com/show_bug.cgi?id=851984#c13

--- Comment #13 from James Knott <james.knott@rogers.com> 2013-11-27 18:08:00 UTC ---
Created an attachment (id=569377) --> (http://bugzilla.novell.com/attachment.cgi?id=569377)
Output from grep -i apparmor /var/log/messages

I have attached a text file of the relevant contents of /var/log/messages.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c14

--- Comment #14 from Christian Boltz <suse-beta@cboltz.de> 2013-11-27 20:17:02 CET ---
You have an unusual location for your mail (/home/imap/james.knott/mail/) which can't be covered by the default profile. You'll have to add

  /home/imap/** klrw,

(that's the easiest way if /home/imap contains only mailboxes managed by dovecot) or the more strict

  /home/imap/*/mail/ rw,
  /home/imap/*/mail/** klrw,

to the usr.lib.dovecot.imap profile (or, better, to local/usr.lib.dovecot.imap)

(In the long run, I'll introduce a configuration option so that you have one place in AppArmor where you can set your mail directories.)

If you still see AppArmor messages containing ALLOWED or DENIED after this change (and "rcapparmor reload"), please tell me.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c15

--- Comment #15 from James Knott <james.knott@rogers.com> 2013-11-27 19:53:51 UTC ---
Created an attachment (id=569391) --> (http://bugzilla.novell.com/attachment.cgi?id=569391)
log file

After making that change, I can no longer connect to the server. Also, I have been using that directory for years and it hasn't been a problem until now.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c16

--- Comment #16 from Christian Boltz <suse-beta@cboltz.de> 2013-11-27 22:19:38 CET ---
(In reply to comment #15)
> After making that change, I can no longer connect to the server. Also, I have been using that directory for years and it hasn't been a problem until now.
Everything in your log should be covered by adding
  /home/imap/** klrw,
to the (local/)usr.lib.dovecot.imap profile and running "rcapparmor reload", which I already recommended in my previous comment.

Besides that, I don't see anything on the AppArmor side (and the profile is in complain mode, which means it doesn't block anything). What does the mail / dovecot log say about the problem?
https://bugzilla.novell.com/show_bug.cgi?id=851984#c17

Christian Boltz <suse-beta@cboltz.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC    |                            |suse+build@de-korte.org

--- Comment #17 from Christian Boltz <suse-beta@cboltz.de> 2013-11-28 23:54:06 CET ---
*** Bug 757271 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=757271
https://bugzilla.novell.com/show_bug.cgi?id=851984#c18

Christian Boltz <suse-beta@cboltz.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #568826|0                           |1
       is obsolete|                            |
Attachment #568829|0                           |1
       is obsolete|                            |
Attachment #569014|0                           |1
       is obsolete|                            |
Attachment #569377|0                           |1
       is obsolete|                            |
Attachment #569391|0                           |1
       is obsolete|                            |

--- Comment #18 from Christian Boltz <suse-beta@cboltz.de> 2013-12-30 22:09:37 CET ---
Created an attachment (id=573030) --> (http://bugzilla.novell.com/attachment.cgi?id=573030)
updated set of profiles

This tarball contains an updated set of dovecot profiles. It shouldn't have "real" changes over the last set of profiles, but got some cleanup. The most important change is the introduction of tunables/dovecot where you can set the directory you use as mailstore for all profiles.

I'll include those profiles in the next update for 13.1 (and also factory, of course), so please test them and tell me if everything works.

I'm also marking all older attachments as obsolete to make clear that this is the latest set of profiles, and that all logs attached to this bug until now were honored.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c19

flo gleixner <gleixner@lrz.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC    |                            |gleixner@lrz.de

--- Comment #19 from flo gleixner <gleixner@lrz.de> 2013-12-31 16:28:45 UTC ---
(In reply to comment #18)

Hi, I tried this profile, but still get errors trying to get dovecot running. Especially running doveconf fails:

2013-12-31T17:22:22.051520+01:00 hermes kernel: [1011678.000292] type=1400 audit(1388506942.049:1636): apparmor="DENIED" operation="exec" parent=11024 profile="/usr/bin/doveconf" name="/usr/lib/dovecot/managesieve" pid=11025 comm="doveconf" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2013-12-31T17:22:22.052485+01:00 hermes kernel: [1011678.001198] type=1400 audit(1388506942.050:1637): apparmor="DENIED" operation="open" parent=20918 profile="/usr/bin/doveconf" name="/etc/dovecot/conf.d/" pid=11024 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I'm not yet familiar with apparmor, so I cannot deliver a patch atm.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c20

Christian Boltz <suse-beta@cboltz.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEEDINFO                    |NEW
   InfoProvider    |james.knott@rogers.com      |

--- Comment #20 from Christian Boltz <suse-beta@cboltz.de> 2013-12-31 19:14:37 CET ---
(In reply to comment #19)
> I tried this profile, but still get errors trying to get dovecot running. Especially running doveconf fails:
Hmm, that's interesting - especially because I don't have a stand-alone profile for doveconf in the tarball. Maybe it's a leftover from some earlier trials? (Anyway, please attach it so that I can see the content.)
> I'm not yet familiar with apparmor, so I cannot deliver a patch atm.
Edit the doveconf profile (probably usr.bin.doveconf) and add
  /usr/lib/dovecot/managesieve Px,
somewhere in the middle.

As an alternative, run aa-logprof to update the profile in interactive mode.
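The log-to-rule step that comments #5, #7 and #20 perform by hand (and that aa-logprof automates) can be illustrated with a small script; this is an added example, not code from the bug or from the apparmor package. The sample log lines are adapted from those quoted in this bug, the /home/imap ALLOWED line is constructed, and the Px exec mode is an assumption, since the log does not say which transition mode a profile author wants.

```python
"""Draft AppArmor profile rules from kernel audit events.

Groups type=1400 apparmor="DENIED"/"ALLOWED" events by profile and turns each
into the rule an aa-logprof session would propose: a capability rule, an exec
rule (with an assumed Px mode) or a file rule carrying the denied_mask bits.
ALLOWED events mean the profile is in complain mode: they show what enforce
mode would block, so those profiles are flagged separately.
"""
import re
from collections import defaultdict

# key="quoted value" or key=bare-value pairs inside one audit record.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log, adapted from lines quoted in comments #0, #6 and #19
# of this bug; the final ALLOWED line is invented to mirror the complain-mode
# mailstore situation of comment #14.
SAMPLE_LOG = [
    'Nov 22 15:21:29 odysseus kernel: type=1400 audit(1385130089.675:34): '
    'apparmor="DENIED" operation="exec" parent=1 profile="/usr/sbin/dovecot" '
    'name="/usr/bin/doveconf" pid=8779 comm="dovecot" requested_mask="x" '
    'denied_mask="x" fsuid=0 ouid=0',
    'Nov 22 15:21:29 odysseus dovecot[8779]: Fatal: execv(/usr/bin/doveconf) '
    'failed: Permission denied',
    'Nov 24 17:42:39 odysseus kernel: type=1400 audit(1385311359.970:754): '
    'apparmor="DENIED" operation="capable" parent=5160 '
    'profile="/usr/lib/dovecot/auth" pid=5209 comm="auth" capability=29 '
    'capname="audit_write"',
    '2013-12-31T17:22:22.052485+01:00 hermes kernel: [1011678.001198] type=1400 '
    'audit(1388506942.050:1637): apparmor="DENIED" operation="open" parent=20918 '
    'profile="/usr/bin/doveconf" name="/etc/dovecot/conf.d/" pid=11024 '
    'comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Nov 27 10:00:00 host kernel: type=1400 audit(1385546400.000:900): '
    'apparmor="ALLOWED" operation="open" parent=4000 '
    'profile="/usr/lib/dovecot/imap" '
    'name="/home/imap/james.knott/mail/.imap/INBOX/dovecot.index" pid=4001 '
    'comm="imap" requested_mask="rwck" denied_mask="rwck" fsuid=1001 ouid=1001',
]


def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, else None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in _KV.findall(line)}


def _file_perms(mask):
    """Map a denied_mask to rule letters in canonical order; c/d are writes."""
    mask = mask.replace("c", "w").replace("d", "w")
    return "".join(p for p in "mrwalk" if p in mask)


def suggest_rule(event, exec_mode="Px"):
    """Return the profile rule that would satisfy one event, or None."""
    op = event.get("operation")
    if op == "capable":
        return "capability %s," % event["capname"]
    if op == "exec":   # exec mode (Px/ix/...) cannot be read from the log: assumed
        return "%s %s," % (event["name"], exec_mode)
    perms = _file_perms(event.get("denied_mask") or event.get("requested_mask", ""))
    if not event.get("name") or not perms:
        return None   # signal/ptrace/network events are not handled here
    return "%s %s," % (event["name"], perms)


def draft_rules(lines, exec_mode="Px"):
    """Group events by profile: {profile: [(verdict, rule), ...]}, deduplicated."""
    drafts = defaultdict(list)
    for event in filter(None, map(parse_event, lines)):
        rule = suggest_rule(event, exec_mode)
        entry = (event.get("apparmor"), rule)
        if rule and entry not in drafts[event.get("profile", "?")]:
            drafts[event.get("profile", "?")].append(entry)
    return dict(drafts)


def complain_profiles(drafts):
    """Profiles that logged ALLOWED events, i.e. are still in complain mode."""
    return {p for p, entries in drafts.items() if any(v == "ALLOWED" for v, _ in entries)}


if __name__ == "__main__":
    drafts = draft_rules(SAMPLE_LOG)
    for profile in sorted(drafts):
        flag = " (complain mode, see ALLOWED events)" if profile in complain_profiles(drafts) else ""
        print("# %s%s" % (profile, flag))
        print("\n".join("  " + rule for _, rule in drafts[profile]))
```

The printed rules are candidates to paste into the matching local/usr.lib.dovecot.* file; review each one (in particular the exec mode and whether an `owner` qualifier fits) before reloading the profiles.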
https://bugzilla.novell.com/show_bug.cgi?id=851984#c21

--- Comment #21 from flo gleixner <gleixner@lrz.de> 2014-01-01 09:54:24 UTC ---
Yes, the doveconf profile was from my tries - but I didn't know aa-logprof. doveconf and dovecot restart work now with this profile:

---snip---
#include <tunables/global>

/usr/bin/doveconf {
  #include <abstractions/base>

  /etc/dovecot/conf.d/ r,
  /etc/dovecot/conf.d/* r,
  /etc/dovecot/dovecot.conf rw,
  /usr/bin/doveconf mr,
  /usr/lib/dovecot/managesieve Px,
}
---snip---
https://bugzilla.novell.com/show_bug.cgi?id=851984#c22

--- Comment #22 from Franz Häuslschmid <lukrez.forums@gmx.net> 2014-01-01 10:39:17 UTC ---
(In reply to comment #18)
> Created an attachment (id=573030) --> (http://bugzilla.novell.com/attachment.cgi?id=573030) [details]
> updated set of profiles
Works for me.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c23

--- Comment #23 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-01-02 15:00:20 CET ---
This is an autogenerated message for OBS integration:
This bug (851984) was mentioned in
https://build.opensuse.org/request/show/212636 Factory / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=851984#c24

--- Comment #24 from flo gleixner <gleixner@lrz.de> 2014-01-02 18:49:48 UTC ---
While trying to configure dovecot I got some more apparmor errors. I needed to add:

In usr.lib.dovecot.dovecot-lda:
  /var/run/dovecot/mounts r,
  /proc/*/mounts r,

In usr.lib.dovecot.auth:
  /etc/krb5.keytab.mail rk,
  /var/tmp/imap_* rw,

But the /etc/krb5.keytab.mail should probably go into tunables or can be omitted. I didn't want to use the standard kerberos keytab /etc/krb5.keytab due to filesystem permissions - but I have to check if I can use the standard keytab file somehow.

I only tried to authenticate via imap. Probably /var/tmp/pop_* or smtp_* are needed too.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c25

Christian Boltz <suse-beta@cboltz.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEW                         |NEEDINFO
   InfoProvider    |                            |lukrez.forums@gmx.net

--- Comment #25 from Christian Boltz <suse-beta@cboltz.de> 2014-01-02 23:35:52 CET ---
(In reply to comment #24)
> In usr.lib.dovecot.dovecot-lda:
>   /var/run/dovecot/mounts r,
>   /proc/*/mounts r,
Thanks, added.
> In usr.lib.dovecot.auth:
>   /etc/krb5.keytab.mail rk,
>   /var/tmp/imap_* rw,
>
> But the /etc/krb5.keytab.mail should probably go into tunables or can be omitted. I didn't want to use the standard kerberos keytab /etc/krb5.keytab due to filesystem permissions
You can add such things to local/usr.lib.dovecot.auth ;-)
(tunables/ is used for setting variables, see for example tunables/dovecot)
> I only tried to authenticate via imap. Probably /var/tmp/pop_* or smtp_* are needed too.
Can you please test this and report back? I'm using MySQL auth (which doesn't need anything in /var/tmp/) and don't know anything about kerberos ;-)

Additional question: does it still work if you change
  /var/tmp/imap_* rw,
to
  owner /var/tmp/imap_* rw,
?
This will allow access only to files created by the same user, which is an additional safety net in directories like /var/tmp/ where everybody has write access ;-)
https://bugzilla.novell.com/show_bug.cgi?id=851984#c26

--- Comment #26 from flo gleixner <gleixner@lrz.de> 2014-01-03 00:50:31 UTC ---
I tested pop and sieve kerberos logins, and we need:
  /var/tmp/pop_* rw,
  /var/tmp/sieve_* rw,

I tested with "owner" prepended, but it did not work.

I will try with smtp tomorrow, when I have got postfix/dovecot-sasl with kerberos working.
https://bugzilla.novell.com/show_bug.cgi?id=851984#c27

flo gleixner <gleixner@lrz.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEEDINFO                    |NEW
   InfoProvider    |lukrez.forums@gmx.net       |

--- Comment #27 from flo gleixner <gleixner@lrz.de> 2014-01-04 03:19:51 UTC ---
OK, tested with postfix and dovecot as sasl. We need
  /var/tmp/smtp_* rw,
as expected.

For your information, it's the Kerberos replay cache:
http://web.mit.edu/kerberos/krb5-current/doc/basic/rcache_def.html
https://bugzilla.novell.com/show_bug.cgi?id=851984#c28

--- Comment #28 from Christian Boltz <suse-beta@cboltz.de> 2014-01-04 13:12:59 CET ---
(In reply to comment #27)
> OK, tested with postfix and dovecot as sasl.
Thanks for the updates! Updated packages are just building in security:apparmor :-)
https://bugzilla.novell.com/show_bug.cgi?id=851984#c29

--- Comment #29 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-01-04 14:00:23 CET ---
This is an autogenerated message for OBS integration:
This bug (851984) was mentioned in
https://build.opensuse.org/request/show/212803 Factory / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=851984#c30

Christian Boltz <suse-beta@cboltz.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEW                         |RESOLVED
     Resolution    |                            |FIXED

--- Comment #30 from Christian Boltz <suse-beta@cboltz.de> 2014-01-19 16:18:36 CET ---
SR 214402 sent to openSUSE:13.1:Update
https://bugzilla.novell.com/show_bug.cgi?id=851984#c31

--- Comment #31 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-01-19 17:02:13 CET ---
This is an autogenerated message for OBS integration:
This bug (851984) was mentioned in
https://build.opensuse.org/request/show/214402 13.1 / apparmor