[Bug 1099764] New: Apparmor dovecot profile does not match the /usr/share/doc/packages/dovecot/README.SUSE
http://bugzilla.opensuse.org/show_bug.cgi?id=1099764

Bug ID: 1099764
Summary: Apparmor dovecot profile does not match the /usr/share/doc/packages/dovecot/README.SUSE
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: chevy.stroker@yahoo.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

The /usr/share/doc/packages/dovecot/mkcert.sh script places the created certificates in /etc/ssl/private/.

Per the /usr/share/doc/packages/dovecot/README.SUSE so you don't have to read it:

The script and documentation is now patched to use the following paths:
/etc/ssl/private/dovecot.crt
/etc/ssl/private/dovecot.pem

None of the usr.lib.dovecot.* files give
/etc/ssl/private/* r,
to dovecot. I would recommend placing that line in /etc/apparmor.d/usr.lib.dovecot.auth or modifying the script to place the files in something like /etc/dovecot/private.

The 1st solution is a quicker fix. The 2nd solution is a more secure restriction around dovecot.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1099764#c1
Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=1099764#c2
David Chewning
http://bugzilla.opensuse.org/show_bug.cgi?id=1099764#c3
--- Comment #3 from David Chewning
http://bugzilla.opensuse.org/show_bug.cgi?id=1099764#c4
Christian Boltz
> Here is where things break and /usr/share/doc/packages/dovecot/README.SUSE seems to be incorrect.
> 1. Instructed to edit /usr/share/doc/packages/dovecot/dovecot-openssl.cnf - Completed.
Having to edit a file in /usr/ doesn't sound like the best idea ;-) When you report the other issues for README.SUSE, you should probably also add a note about this detail.
> [...]
> The individuals complaining about a permission error seemed to be running up against an Apparmor issue since they were placing their cert/key in /etc/postfix.
Right, that obviously isn't allowed in the dovecot profiles.
> On looking at Apparmor I did not find the reference to /etc/ss/private (my grep -R must have failed me).
See my previous comment - the rule says /etc/ssl/**, so you won't find "private" in it.
> Apologies for reporting the wrong issue, but there does appear to be a documented steps issue in /usr/share/doc/packages/dovecot/README.SUSE which may be easier to fix.
No worries - I prefer a superfluous bugreport over having something unnoticed. And, as a side effect, you probably learned something ;-)

I'll close this bugreport - in theory, you could move it to the dovecot maintainer to get README.SUSE fixed, but opening a new bugreport (you can even do some copy&paste) makes things less confusing ;-)
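An added illustration, not part of the bug thread and not the shipped openSUSE profile: a small checker that answers "which profile rule covers this path?" by applying AppArmor's glob semantics (`*` stays within one path component, `**` crosses `/`) instead of grepping for a literal string. The sample profile text, the `r` mode on `/etc/ssl/**`, the `/etc/dovecot/**` rule and the file name under `/etc/postfix` are constructed assumptions; character classes, variables and `#include` lines are not handled.

```python
import re

# Constructed sample, not the shipped openSUSE profile. The "r" mode on
# /etc/ssl/** and the /etc/dovecot/** rule are assumptions for illustration.
SAMPLE_PROFILE = """
/usr/lib/dovecot/auth {
  /etc/dovecot/** r,
  /etc/ssl/** r,
}
"""

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob (*, **, ?, {a,b}) to a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** crosses directory boundaries
            out.append(".*")
            i += 2
            continue
        if c == "*":                      # * stays inside one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def covering_rules(profile_text, path):
    """Return (glob, perms) for each simple file rule whose glob matches path."""
    hits = []
    for line in profile_text.splitlines():
        m = re.match(r"\s*(?:owner\s+)?(/\S*)\s+([a-zA-Z]+),\s*$", line)
        if m and aa_glob_to_regex(m.group(1)).fullmatch(path):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for p in ("/etc/ssl/private/dovecot.pem", "/etc/postfix/dovecot.pem"):
        print(p, "->", covering_rules(SAMPLE_PROFILE, p) or "no matching rule")
    print("literal 'private' in profile:", "private" in SAMPLE_PROFILE)
```
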