[Bug 755923] New: aa-logconf doesn't seem to pickup difference between inet and inet6 streams
https://bugzilla.novell.com/show_bug.cgi?id=755923
https://bugzilla.novell.com/show_bug.cgi?id=755923#c0

Summary: aa-logconf doesn't seem to pickup difference between inet and inet6 streams
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 12.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: suse-beta@cboltz.de
ReportedBy: suse+build@de-korte.org
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0

I had some trouble with the AppArmor profiles for Dovecot. After running aa-complain /usr/lib/dovecot/imap-login for a while, aa-logprof failed to create a working profile. The relevant lines from /var/log/audit/audit.log indicated many instances of the following variety:

type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6

After running aa-logconf, the profile did contain the line "network inet stream", but what actually was needed was "network inet6 stream". After adding this to the profile, everything works.

Reproducible: Always

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=755923
https://bugzilla.novell.com/show_bug.cgi?id=755923#c1
--- Comment #1 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=755923
https://bugzilla.novell.com/show_bug.cgi?id=755923#c2
--- Comment #2 from Arjen de Korte
> The "network inet stream" is already in the packaged profile - in other words: it doesn't count ;-)

Fair enough.

> The problem is caused by a change in the logging format. See the upstream bugreport https://bugs.launchpad.net/apparmor/+bug/800826 (just tested - logprof works if you delete the "lport=143" part)

Ouch! That's over 9 months old already. Any chance of fixing this?

> Independent from that - are there other dovecot-related profiles that need an inet6 rule added? I'd guess usr.lib.dovecot.managesieve-login could need it - at least it already contains an inet rule.

I don't know, but I guess one would need this if using IPv6 to connect. Updates to sieve scripts on my system oddly enough will use 127.0.0.1, so these will be allowed by the existing rule. However, updating still fails:

Apr 5 23:08:34 mail dovecot: managesieve-login: Login: user=<arjen>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=9319, secured
Apr 5 23:08:34 mail dovecot: managesieve(arjen): Error: sieve-storage: open(/home/arjen/sieve/tmp/ingo-1333660114.M954214P9319.mail.sieve) failed: Permission denied
Apr 5 23:08:35 mail dovecot: managesieve(arjen): Connection closed bytes=7979/489

I can make this work again by running /usr/sbin/dovecot in complain mode, but strangely enough this doesn't log anything in /var/log/audit/audit.log. But this is probably unrelated and will be something in the profile for /usr/sbin/dovecot.
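The two points made so far, the audit record with the extra lport= field that aa-logprof of that time choked on (comment #0) and the remark that a rule which is already in the packaged profile "doesn't count" (comment #1), can be checked mechanically. The following Python script is an added example, not code from the bug thread or from the AppArmor project: it tokenises audit records into key=value fields without caring about unknown keys, derives the `network <family> <sock_type>,` rule each socket event implies, and reports only the rules the profile lacks. The profile text and all audit lines other than the one quoted in the report are constructed here; the folding of the `c` (create) bit into `w` in `file_rule` is an assumption about how such an event should be translated.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample input. The first line is the audit record quoted in the
# bug report; the others are made up here to exercise IPv4, datagram, file
# and non-AppArmor records.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" '
    'parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" '
    'lport=143 family="inet6" sock_type="stream" protocol=6',
    'type=AVC msg=audit(1333648170.112:11707147): apparmor="ALLOWED" operation="accept" '
    'parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5050 comm="imap-login" '
    'lport=143 family="inet" sock_type="stream" protocol=6',
    'type=AVC msg=audit(1333648171.300:11707148): apparmor="ALLOWED" operation="create" '
    'parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5051 comm="imap-login" '
    'family="inet" sock_type="dgram" protocol=17',
    'type=AVC msg=audit(1333660114.500:11707200): apparmor="DENIED" operation="open" '
    'parent=9000 profile="/usr/sbin/dovecot" pid=9319 comm="managesieve" '
    'requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000 '
    'name="/home/arjen/sieve/tmp/ingo-1333660114.M954214P9319.mail.sieve"',
    'type=SYSCALL msg=audit(1333648169.009:11707146): arch=c000003e syscall=43 success=yes exit=0',
]

# Constructed stand-in for the packaged profile: it already carries the IPv4
# rule, so an "inet stream" event must not be reported as missing.
PROFILE_SNIPPET = """\
/usr/lib/dovecot/imap-login {
  #include <abstractions/base>

  network inet stream,

  /usr/lib/dovecot/imap-login mr,
}
"""

# key=value pairs; a value is either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_NET_RULE = re.compile(r'^\s*network\s+([^\s,]+)\s+([^\s,]+)\s*,', re.MULTILINE)


def parse_audit_line(line: str) -> Dict[str, str]:
    """Tokenise one audit record into a dict.

    Unknown keys (such as lport=, which the aa-logprof of this era could not
    cope with) are kept alongside the known ones instead of aborting the parse.
    """
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    return fields


def apparmor_events(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield only AVC records that carry an apparmor= verdict."""
    for line in lines:
        ev = parse_audit_line(line)
        if ev.get("type") == "AVC" and "apparmor" in ev:
            yield ev


def network_rule(event: Dict[str, str]) -> Optional[str]:
    """Profile rule implied by a socket event, e.g. 'network inet6 stream,'."""
    if "family" not in event or "sock_type" not in event:
        return None
    return f'network {event["family"]} {event["sock_type"]},'


def file_rule(event: Dict[str, str]) -> Optional[str]:
    """Profile rule implied by a file event.

    Assumption: the 'c' (create) bit of requested_mask is folded into 'w',
    since the profile language has no separate create permission.
    """
    if "name" not in event or "requested_mask" not in event:
        return None
    wanted = set(event["requested_mask"].replace("c", "w"))
    perms = "".join(p for p in "mrwalkix" if p in wanted)
    return f'{event["name"]} {perms},'


def existing_network_rules(profile_text: str) -> Set[str]:
    """Network rules already present in a profile body."""
    return {f"network {fam} {typ}," for fam, typ in _NET_RULE.findall(profile_text)}


def missing_network_rules(lines: Iterable[str], profile_text: str, profile: str) -> List[str]:
    """Network rules the log shows `profile` needs but the profile text lacks."""
    have = existing_network_rules(profile_text)
    needed: Set[str] = set()
    for ev in apparmor_events(lines):
        if ev.get("profile") != profile:
            continue
        rule = network_rule(ev)
        if rule is not None and rule not in have:
            needed.add(rule)
    return sorted(needed)


if __name__ == "__main__":
    for rule in missing_network_rules(SAMPLE_AUDIT_LINES, PROFILE_SNIPPET, "/usr/lib/dovecot/imap-login"):
        print("missing:", rule)
    for ev in apparmor_events(SAMPLE_AUDIT_LINES):
        if ev["apparmor"] == "DENIED" and file_rule(ev):
            print(f'{ev["profile"]} denied: {file_rule(ev)}')
```

Run against the constructed input it reports `network inet6 stream,` (the rule the reporter had to add by hand) and `network inet dgram,` for imap-login, stays silent about the IPv4 stream rule that is already in the profile, and turns the managesieve denial into a candidate file rule for the /usr/sbin/dovecot profile. Grouping by the profile= field matters: the dovecot and imap-login events must not be merged into one rule set.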
https://bugzilla.novell.com/show_bug.cgi?id=755923
https://bugzilla.novell.com/show_bug.cgi?id=755923#c3
--- Comment #3 from Christian Boltz
(In reply to comment #1)
>> The problem is caused by a change in the logging format. See the upstream bugreport https://bugs.launchpad.net/apparmor/+bug/800826
> Ouch! That's over 9 months old already. Any chance of fixing this?

AFAIK Steve is working on a patch already, so there's hope ;-)

>> Independent from that - are there other dovecot-related profiles that need an inet6 rule added? I'd guess usr.lib.dovecot.managesieve-login could need it - at least it already contains an inet rule.
> I don't know, but I guess one would need this if using IPv6 to connect. Updates to sieve scripts on my system oddly enough will use 127.0.0.1,

Not ::1 ? ;-) Seriously: allowing IPv6 isn't a big risk IMHO, so I'll propose it upstream.

> However, updating still fails:
> open(/home/arjen/sieve/tmp/ingo-1333660114.M954214P9319.mail.sieve) failed: Permission denied
> I can make this work again by running /usr/sbin/dovecot in complain mode, but strangely enough this doesn't log anything in /var/log/audit/audit.log.

Indeed, that sounds really strange. What happens if you add

/home/arjen/sieve/tmp/*.mail.sieve rw,

to your dovecot profile and switch it back to enforce mode?
https://bugzilla.novell.com/show_bug.cgi?id=755923
https://bugzilla.novell.com/show_bug.cgi?id=755923#c4
--- Comment #4 from Arjen de Korte
> Indeed, that sounds really strange.

I found the problem with aa-logprof failing to update the profile. It gets confused if you keep your backup copies in the same directory (which is understandable). After moving them out of the way, it worked as expected. :-)

> What happens if you add /home/arjen/sieve/tmp/*.mail.sieve rw, to your dovecot profile and switch it back to enforce mode?

That almost worked. :-) I added

/home/*/*.sieve rw,
/home/*/sieve/*.sieve w,
/home/*/sieve/tmp/*.sieve rw,

and after that, I could update my sieve scripts again. But where sieve scripts are stored is probably going to be pretty site-specific, so I don't think this will be worth adding to the default profile.
https://bugzilla.novell.com/show_bug.cgi?id=755923
https://bugzilla.novell.com/show_bug.cgi?id=755923#c5
--- Comment #5 from Christian Boltz
> I added
> /home/*/*.sieve rw,
> /home/*/sieve/*.sieve w,
> /home/*/sieve/tmp/*.sieve rw,
> and after that, I could update my sieve scripts again. But where sieve scripts are stored is probably going to be pretty site-specific, so I don't think this will be worth adding to the default profile.

Indeed, that makes things interesting[tm] ;-)

FYI: the main bug is fixed upstream (bzr r2022). I also added the patch in home:cboltz (currently building) and will forward it to security:apparmor if it works as expected.
https://bugzilla.novell.com/show_bug.cgi?id=755923
https://bugzilla.novell.com/show_bug.cgi?id=755923#c6
--- Comment #6 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=755923
https://bugzilla.novell.com/show_bug.cgi?id=755923#c7
--- Comment #7 from Christian Boltz