[Bug 1069470] New: Dovecot fails to start after upgrade to Tumbleweed 20171120
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470

            Bug ID: 1069470
           Summary: Dovecot fails to start after upgrade to Tumbleweed 20171120
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Network
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: freek@opensuse.org
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

dovecot fails to start with the following error messages:

nov 22 14:43:40 eiktum auth[11418]: pam_kwallet5: Couldn't create directory: /home/freek/.local/share because: 13-Permission denied
nov 22 14:43:40 eiktum auth[11418]: pam_kwallet5: Couldn't open file: /home/freek/.local/share/kwalletd/kdewallet.salt because: 13-Permission denied
nov 22 14:43:40 eiktum auth[11418]: pam_kwallet5-kwalletd: Couldn't create or read the salt file
nov 22 14:43:40 eiktum auth[11418]: pam_kwallet5(dovecot:auth): pam_kwallet5: Fail into creating the hash

ls -ld /home/freek/.local/share
drwxr-xr-x 68 freek users 4096 16 nov 16:44 /home/freek/.local/share

ls -l /home/freek/.local/share/kwalletd/kdewallet.salt
-rw------- 1 freek users 56 18 feb 2015 /home/freek/.local/share/kwalletd/kdewallet.salt
-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c1

--- Comment #1 from Freek de Kruijf <freek@opensuse.org> ---
After a reboot and making a connection with kmail to dovecot on the same system, the following messages appear in /var/log/audit/audit.log :

type=AVC msg=audit(1511434154.026:50): apparmor="DENIED" operation="mknod" profile="/usr/sbin/nscd" name="/var/lib/nscd/passwd" pid=1068 comm="nscd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1511434154.026:51): apparmor="DENIED" operation="mknod" profile="/usr/sbin/nscd" name="/var/lib/nscd/group" pid=1068 comm="nscd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1511434154.026:52): apparmor="DENIED" operation="mknod" profile="/usr/sbin/nscd" name="/var/lib/nscd/services" pid=1068 comm="nscd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1511434154.026:53): apparmor="DENIED" operation="mknod" profile="/usr/sbin/nscd" name="/var/lib/nscd/netgroup" pid=1068 comm="nscd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1511435158.225:52): apparmor="DENIED" operation="mknod" profile="/usr/sbin/nscd" name="/var/lib/nscd/passwd" pid=1112 comm="nscd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1511435158.225:53): apparmor="DENIED" operation="mknod" profile="/usr/sbin/nscd" name="/var/lib/nscd/group" pid=1112 comm="nscd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1511435158.225:54): apparmor="DENIED" operation="mknod" profile="/usr/sbin/nscd" name="/var/lib/nscd/services" pid=1112 comm="nscd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1511435158.225:55): apparmor="DENIED" operation="mknod" profile="/usr/sbin/nscd" name="/var/lib/nscd/netgroup" pid=1112 comm="nscd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1511435306.574:92): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/auth" pid=3110 comm="auth" capability=2 capname="dac_read_search"
type=AVC msg=audit(1511435306.574:93): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/auth" pid=3110 comm="auth" capability=1 capname="dac_override"
type=AVC msg=audit(1511435306.882:96): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/auth" pid=3110 comm="auth" capability=2 capname="dac_read_search"
type=AVC msg=audit(1511435306.882:97): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/auth" pid=3110 comm="auth" capability=1 capname="dac_override"

Now I still have access to the email messages via dovecot, contrary to yesterday when I made the first bug report, when I could not access the messages.
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470

Freek de Kruijf <freek@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Dovecot fails to start      |Dovecot fails to starts
                   |after upgrade to Tumbleweed |with error messages
                   |20171120                    |Tumbleweed 20171120, DENIED
                   |                            |in /var/log/audit/audit.log
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c2

--- Comment #2 from Freek de Kruijf <freek@opensuse.org> ---
The error messages in /var/log/audit/audit.log also show DENIED for files /var/lib/nscd/passwd, /var/lib/nscd/group, /var/lib/nscd/services, and /var/lib/nscd/netgroup. These files do not exist, which may explain this. Strange fact, they are present in the nscd package.

# rpm -ql nscd
/etc/nscd.conf
/run/nscd
/run/nscd/nscd.pid
/run/nscd/socket
/usr/lib/systemd/system/nscd.service
/usr/lib/tmpfiles.d
/usr/lib/tmpfiles.d/nscd.conf
/usr/sbin/nscd
/usr/sbin/rcnscd
/var/lib/nscd
/var/lib/nscd/group
/var/lib/nscd/hosts
/var/lib/nscd/netgroup
/var/lib/nscd/passwd
/var/lib/nscd/services

Forcing nscd to be installed again does not create the files.
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c3

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |suse-beta@cboltz.de
          Component|Network                     |AppArmor
           Assignee|bnc-team-screening@forge.pr |suse-beta@cboltz.de
                   |ovo.novell.com              |

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> ---
The nscd profile allows reading and writing the /var/lib/nscd/ files you mentioned (and does so since a long time IIRC), therefore I'm surprised why you get denials for them.

Can you please check if you have some *.rpmnew files in /etc/apparmor.d/ ?

For the dovecot issues, please edit /etc/apparmor.d/usr.lib.dovecot.auth and add the following two lines:

    capability dac_read_search,
    capability dac_override,

(You can instead add them to /etc/apparmor.d/local/usr.lib.dovecot.auth if you prefer not to edit rpm-managed files.)

Afterwards, run rcapparmor reload to reload all profiles.

Note to myself: /var/spool/postfix/private/ (postfix:root 700) might be the reason for dac_read_search, and /run/dovecot/auth-worker (dovecot:root 600) is probably a reason for dac_override.
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c4

--- Comment #4 from Freek de Kruijf <freek@opensuse.org> ---
(In reply to Christian Boltz from comment #3)
> The nscd profile allows reading and writing the /var/lib/nscd/ files you mentioned (and does so since a long time IIRC), therefore I'm surprised why you get denials for them.
>
> Can you please check if you have some *.rpmnew files in /etc/apparmor.d/ ?

No, I do not have these files. After a reboot just now I do not see these DENIED in the log file.

> For the dovecot issues, please edit /etc/apparmor.d/usr.lib.dovecot.auth and add the following two lines:
>
>     capability dac_read_search,
>     capability dac_override,
>
> (You can instead add them to /etc/apparmor.d/local/usr.lib.dovecot.auth if you prefer not to edit rpm-managed files.)

Done

> Afterwards, run rcapparmor reload to reload all profiles.

No DENIED since the last reboot.

> Note to myself: /var/spool/postfix/private/ (postfix:root 700) might be the reason for dac_read_search, and /run/dovecot/auth-worker (dovecot:root 600) is probably a reason for dac_override.

Indeed these are the protection masks on this directory, respectively socket.
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c5

--- Comment #5 from Freek de Kruijf <freek@opensuse.org> ---
(In reply to Freek de Kruijf from comment #4)
> (In reply to Christian Boltz from comment #3)

The nscd and dovecot messages are gone now. However I still have messages from auth caused by dovecot, also in the output of "journalctl -f -u dovecot", about not being able to access kwalletd files. No message caused by apparmor. The messages are:

nov 25 12:03:08 eiktum auth[6627]: pam_kwallet5(dovecot:auth): pam_kwallet5: Fail into creating the hash
nov 25 12:03:08 eiktum dovecot[2008]: imap-login: Login: user=<freek>, method=PLAIN, rip=::1, lip=::1, mpid=6629, secured, session=<0QdHncxeqqEAAAAAAAAAAAAAAAAAAAAB>
nov 25 12:04:09 eiktum dovecot[1640]: master: Error: service(auth): kill(3207, SIGINT) failed: Permission denied
nov 25 12:05:10 eiktum dovecot[1640]: master: Error: service(auth): Process 3207 is ignoring idle SIGINT

I get these messages when I access messages via IMAP.
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c6

--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to Freek de Kruijf from comment #5)
> nov 25 12:03:08 eiktum auth[6627]: pam_kwallet5(dovecot:auth): pam_kwallet5: Fail into creating the hash

I'm not sure what kwallet tells you with this error message, but it's probably unrelated (I'd _guess_ it happens when fetching the password from the wallet, before using it for imap login)

> nov 25 12:03:08 eiktum dovecot[2008]: imap-login: Login: user=<freek>, method=PLAIN, rip=::1, lip=::1, mpid=6629, secured, session=<0QdHncxeqqEAAAAAAAAAAAAAAAAAAAAB>

That looks like a successful imap login.

> nov 25 12:04:09 eiktum dovecot[1640]: master: Error: service(auth): kill(3207, SIGINT) failed: Permission denied

Might be a missing signal rule, but (assuming my guess is right) you should see DENIED messages for it in audit.log.

If you see this again, please check (using ps Zaux) which process is running under the mentioned pid (3207 in your log line).

Hmm, maybe you hit bug 1069562. The kernel with the fix is currently building in Kernel:HEAD - feel free to test as soon as 4.14.2 appears on http://download.opensuse.org/repositories/Kernel:/HEAD/standard/
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c7

--- Comment #7 from Freek de Kruijf <freek@opensuse.org> ---
(In reply to Christian Boltz from comment #6)
> (In reply to Freek de Kruijf from comment #5)
> > nov 25 12:03:08 eiktum auth[6627]: pam_kwallet5(dovecot:auth): pam_kwallet5: Fail into creating the hash
>
> I'm not sure what kwallet tells you with this error message, but it's probably unrelated (I'd _guess_ it happens when fetching the password from the wallet, before using it for imap login)
>
> > nov 25 12:03:08 eiktum dovecot[2008]: imap-login: Login: user=<freek>, method=PLAIN, rip=::1, lip=::1, mpid=6629, secured, session=<0QdHncxeqqEAAAAAAAAAAAAAAAAAAAAB>
>
> That looks like a successful imap login.

It is. I can access the messages through the IMAP server.

> > nov 25 12:04:09 eiktum dovecot[1640]: master: Error: service(auth): kill(3207, SIGINT) failed: Permission denied
>
> Might be a missing signal rule, but (assuming my guess is right) you should see DENIED messages for it in audit.log.

No. I don't see such messages. The last one is from:

eiktum:~ # grep DENIED /var/log/audit/audit.log | tail -2
type=AVC msg=audit(1511437681.649:111): apparmor="DENIED" operation="mknod" profile="/usr/sbin/nscd" name="/var/lib/nscd/passwd" pid=5055 comm="nscd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Binair bestand /var/log/audit/audit.log bevat de gezochte tekst.
eiktum:~ # date --date='@1511437681.649'
do 23 nov 2017 12:48:01 CET
eiktum:~ #

> If you see this again, please check (using ps Zaux) which process is running under the mentioned pid (3207 in your log line).
>
> Hmm, maybe you hit bug 1069562. The kernel with the fix is currently building in Kernel:HEAD - feel free to test as soon as 4.14.2 appears on http://download.opensuse.org/repositories/Kernel:/HEAD/standard/

Will wait for 4.14.2. Already quite some time, after login, I do not get a prompt for the password of kwallet, which stores the passwords for my IMAP accounts. I simply have access. This may be related!
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c8

--- Comment #8 from Freek de Kruijf <freek@opensuse.org> ---
I started a completely new instance of Tumbleweed with copies of configuration files of my older instance. In this version I have DENIED lines in /var/log/audit/audit.log like the following:

type=AVC msg=audit(1511788972.455:92): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=1750 comm="dovecot" requested_mask="send" denied_mask="send" signal=rtmin+772495128 peer="/usr/lib/dovecot/ssl-params"
type=AVC msg=audit(1511788972.763:93): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=1750 comm="dovecot" requested_mask="send" denied_mask="send" signal=rtmin+745525016 peer="/usr/lib/dovecot/auth"
type=AVC msg=audit(1511793889.785:175): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=1750 comm="dovecot" requested_mask="send" denied_mask="send" signal=rtmin+772495128 peer="/usr/lib/dovecot/ssl-params"
type=AVC msg=audit(1511793890.617:176): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=1750 comm="dovecot" requested_mask="send" denied_mask="send" signal=rtmin+745525016 peer="/usr/lib/dovecot/auth"
type=AVC msg=audit(1511799100.748:51): apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=1713 comm="dovecot" capability=2 capname="dac_read_search"
type=AVC msg=audit(1511812782.369:123): apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=11831 comm="dovecot" capability=2 capname="dac_read_search"
type=AVC msg=audit(1511812930.757:129): apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=11925 comm="dovecot" capability=2 capname="dac_read_search"

I did create the file /etc/apparmor.d/local/usr.lib.dovecot.auth like below:

# more /etc/apparmor.d/local/usr.lib.dovecot.auth
# Site-specific additions and overrides for 'usr.lib.dovecot.auth'
capability dac_read_search,
capability dac_override,
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c9

--- Comment #9 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to Freek de Kruijf from comment #8)
> type=AVC msg=audit(1511788972.455:92): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=1750 comm="dovecot" requested_mask="send" denied_mask="send" signal=rtmin+772495128 peer="/usr/lib/dovecot/ssl-params"

rtmin+772495128 looks strange and wrong - AFAIK the kernel supports rtmin+32..rtmin+64. Which kernel version do you use?

As I already mentioned in a previous comment, 4.14.0 and 4.14.1 have a known bug, so please use 4.14.2 (from Kernel:HEAD until it reaches Tumbleweed).

I wouldn't be surprised if you have the broken kernel, and this is a side effect of that bug. (Nevertheless, the dovecot profile might need some signal rules added - but for sure not for rtmin+772495128 ;-)

> type=AVC msg=audit(1511799100.748:51): apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=1713 comm="dovecot" capability=2 capname="dac_read_search"

That means the dovecot profile (/etc/apparmor.d/local/usr.sbin.dovecot) needs (probably because /var/spool/postfix/private/ is postfix:root 700)

    capability dac_read_search,
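Added example (not code from this bug report or from the AppArmor project): a small Python script that does by machine what comments #3 and #9 do by hand, namely turning the AVC DENIED records into candidate rules for the profile's /etc/apparmor.d/local/ override file, grouped per profile, and flagging the implausible rtmin+772495128 signal for review instead of generating a rule for it. The sample audit lines are constructed from the records quoted in this thread; the rtmin+0..rtmin+32 bound and the override-file naming are taken from apparmor.d(5) and from the paths used above.

```python
"""Turn AppArmor AVC denials from audit.log into candidate rules for the
profile's /etc/apparmor.d/local/ override file (added example, not project code)."""
import re
from collections import defaultdict

TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
MASK_TO_PERM = {"c": "w", "d": "w"}  # audit create/delete masks are granted by 'w'

# Constructed sample input, modelled on the records quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1511434154.026:50): apparmor="DENIED" operation="mknod" profile="/usr/sbin/nscd" name="/var/lib/nscd/passwd" pid=1068 comm="nscd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1511435306.574:92): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/auth" pid=3110 comm="auth" capability=2 capname="dac_read_search"
type=AVC msg=audit(1511435306.574:93): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/auth" pid=3110 comm="auth" capability=1 capname="dac_override"
type=AVC msg=audit(1511788972.455:92): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=1750 comm="dovecot" requested_mask="send" denied_mask="send" signal=rtmin+772495128 peer="/usr/lib/dovecot/ssl-params"
type=AVC msg=audit(1511799100.748:51): apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=1713 comm="dovecot" capability=2 capname="dac_read_search"
type=AVC msg=audit(1511799101.000:52): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/etc/dovecot/dovecot.conf" requested_mask="r" denied_mask="r"
"""

def parse_avc(line):
    """Return one audit record's key=value fields as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in TOKEN_RE.finditer(line)}

def rule_for(f):
    """One denial -> one profile rule, or a '# REVIEW' note when no sane rule exists."""
    op = f.get("operation")
    if op == "capable":
        return f"capability {f['capname']},"
    if op == "signal":
        sig = f.get("signal", "")
        m = re.fullmatch(r"rtmin\+(\d+)", sig)
        if m and int(m.group(1)) > 32:  # apparmor.d(5) only knows rtmin+0..rtmin+32
            return f"# REVIEW: implausible signal {sig!r} to {f.get('peer')}; no rule generated"
        return f"signal {f['denied_mask']} set=({sig}) peer={f['peer']},"
    if "name" in f and "denied_mask" in f:
        perms = "".join(sorted({MASK_TO_PERM.get(c, c) for c in f["denied_mask"]}))
        return f"{f['name']} {perms},"
    return f"# REVIEW: unhandled operation {op!r}"

def local_override_path(profile):
    """/usr/lib/dovecot/auth -> /etc/apparmor.d/local/usr.lib.dovecot.auth (as in the thread)."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")

def suggest_rules(audit_text):
    """Group DENIED records by profile: {override_path: [unique rules, in log order]}."""
    out = defaultdict(list)
    for line in audit_text.splitlines():
        f = parse_avc(line)
        if f.get("type") != "AVC" or f.get("apparmor") != "DENIED":
            continue  # ALLOWED (complain mode) and non-AVC records are not denials
        rule = rule_for(f)
        bucket = out[local_override_path(f["profile"])]
        if rule not in bucket:
            bucket.append(rule)
    return dict(out)
```

Every generated line is a proposal for an admin to review against the reason for the denial (the postfix:root 700 directory, the dovecot:root 600 socket), not something to append blindly; after editing the local file, `rcapparmor reload` applies it as described in comment #3.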
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c10

--- Comment #10 from Freek de Kruijf <freek@opensuse.org> ---
(In reply to Christian Boltz from comment #9)
> (In reply to Freek de Kruijf from comment #8)
> Which kernel version do you use?
>
> As I already mentioned in a previous comment, 4.14.0 and 4.14.1 have a known bug, so please use 4.14.2 (from Kernel:HEAD until it reaches Tumbleweed).
>
> I wouldn't be surprised if you have the broken kernel, and this is a side effect of that bug. (Nevertheless, the dovecot profile might need some signal rules added - but for sure not for rtmin+772495128 ;-)

I now have 4.14.2 running and DENIED messages are gone. Although I also have:

eiktum: # more /etc/apparmor.d/local/usr.sbin.dovecot
# Site-specific additions and overrides for 'usr.sbin.dovecot'
capability dac_read_search,
# capability dac_override,

like you suggested below.

> > type=AVC msg=audit(1511799100.748:51): apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=1713 comm="dovecot" capability=2 capname="dac_read_search"
>
> That means the dovecot profile (/etc/apparmor.d/local/usr.sbin.dovecot) needs (probably because /var/spool/postfix/private/ is postfix:root 700)
>
>     capability dac_read_search,
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c11

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS

--- Comment #11 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to Freek de Kruijf from comment #10)
> I now have 4.14.2 running and DENIED messages are gone.

I'm happy to hear that :-)

For the records: I committed the dovecot/auth capabilities upstream yesterday, and just submitted the patch for usr.sbin.dovecot.
http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c13

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #13 from Christian Boltz <suse-beta@cboltz.de> ---
The updated profiles are included in AppArmor 2.12 which reached Tumbleweed some days ago.