[Bug 1166007] New: dovecot -> master: Fatal: execv(/usr/lib/dovecot/script-login) failed: Permission denied
http://bugzilla.opensuse.org/show_bug.cgi?id=1166007

Bug ID: 1166007
Summary: dovecot -> master: Fatal: execv(/usr/lib/dovecot/script-login) failed: Permission denied
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Factory
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: opensuse@mike.franken.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Dovecot is up and running, but after activating post-login scripting according to https://wiki2.dovecot.org/PostLoginScripting I get several errors from dovecot:

---------------------------------------------------------------------------
dovecot[17836]: master: Fatal: execv(/usr/lib/dovecot/script-login) failed: Permission denied
dovecot[17833]: master: Error: service(imap-postlogin): command startup failed, throttling for 60 secs
dovecot[17836]: imap-postlogin: Fatal: master: service(imap-postlogin): child 18460 returned error 84 (exec() failed)
dovecot[17836]: imap(<username>): Error: fd_read(/run/dovecot/imap-postlogin) failed: Connection reset by peer (connection created 59893 msecs ago, client created 59893 msecs ago: session=92VFKV2gysPAqAE+, rip=192.168.1.62, auth_pid=17850, client-pid=17992, client-id=1, post-login script /run/dovecot/imap-postlogin started 59892 msecs ago)
dovecot[17836]: imap(<username>): Error: fd_read(/run/dovecot/imap-postlogin) failed: Connection reset by peer (connection created 29586 msecs ago, client created 29586 msecs ago: session=r9UTK12gVMTAqAE+, rip=192.168.1.62, auth_pid=17850, client-pid=18377, client-id=1, post-login script /run/dovecot/imap-postlogin started 29585 msecs ago)
---------------------------------------------------------------------------

Excerpt from my audit.log:

type=AVC msg=audit(1583697228.382:38487): apparmor="DENIED" operation="exec" profile="dovecot" name="/usr/lib/dovecot/script-login" pid=19176 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

After having deactivated apparmor, dovecot runs without spitting error messages.

This is what I added to /etc/dovecot/conf.d/10-master.conf:

service imap {
  executable = imap imap-postlogin
}

service imap-postlogin {
  executable = script-login /usr/local/bin/dovecot-postlogin.sh
  user = $default_internal_user
  unix_listener imap-postlogin {
  }
}

--
You are receiving this mail because:
You are on the CC list for the bug.
--- Comment #1 from Christian Boltz
--- Comment #2 from Michael Hirmke
--- Comment #3 from Christian Boltz
> So I ran aa-logprof and got a new profile for usr.lib.dovecot.script-login, not for /usr/local/bin/dovecot-postlogin.sh. Did you mix up the two?
Indeed - I focused too much on what you wrote, and not enough on reading the audit.log message ;-) This also somewhat changes my opinion to mark this as wontfix - it might become a "partial fix". Executing /usr/lib/dovecot/script-login from dovecot {c,sh}ould be allowed in the profile, but the profile for script-login will obviously have to stay incomplete because everybody will run a different script. So - if you have created separate profiles for /usr/lib/dovecot/script-login and your actual post-login script, I'd be interested to see them.
Besides that, running aa-complain wasn't necessary, aa-logprof already has set the flag.
Nevertheless, you should switch the profile to enforce mode.
> Thx for pointing me into the right direction!

You are welcome ;-)
--- Comment #4 from Michael Hirmke
> So - if you have created separate profiles for /usr/lib/dovecot/script-login and your actual post-login script, I'd be interested to see them.

Hrmpf, too late 8-<

For security reasons I decided to move my script to /home/vmail/bin. Owner/group for this directory are vmail.vmail, same for the script now. vmail is the user running the imap-postlogin service in my configuration.

I then removed/reset all the apparmor profiles that had been newly created/altered after running aa-logprof. My intention was to let apparmor reread the audit.log after a while and recreate the profiles according to the new configuration. But no more errors occurred after reloading apparmor profiles and restarting dovecot. So I don't have any new/altered profiles now - so sorry.

One more question, though: I get an error message from the dovecot master process
"master: Error: serivce(lmtp): kill(<pid>, SIGINT) failed: Operation not permitted"
This happens when the lmtp service should be killed after idle timeout. There seems to be no entry in the audit.log for this error. Isn't this an error caused by apparmor, then?

TIA.
Bye.
Michael.
--- Comment #5 from Christian Boltz
> I get an error message from the dovecot master process
> "master: Error: serivce(lmtp): kill(<pid>, SIGINT) failed: Operation not permitted"
> This happens when the lmtp service should be killed after idle timeout. There seems to be no entry in the audit.log for this error. Isn't this an error caused by apparmor, then?

It could be caused by AppArmor (maybe a missing "signal" rule), but in that case you should see an audit.log entry for it. (Looking at the profiles, sending a signal from /usr/sbin/dovecot to lmtp should already be allowed.)
--- Comment #6 from Michael Hirmke
> It could be caused by AppArmor (maybe a missing "signal" rule), but in that case you should see an audit.log entry for it. (Looking at the profiles, sending a signal from /usr/sbin/dovecot to lmtp should already be allowed.)

It was definitely PEBKAC 8-/ I've accidentally deleted usr.sbin.dovecot. After recovering it from backup everything now works without any error messages. Again: Thx a lot!
--- Comment #7 from Michael Hirmke
--- Comment #8 from Michael Hirmke
--- Comment #9 from Christian Boltz
--- Comment #10 from Michael Hirmke
> Thanks for the updated profiles!
> Let me summarize your changes:
>
> usr.sbin.dovecot:
> + /usr/lib/dovecot/script-login Px,
>
> Makes sense.
Ok.
> usr.lib.dovecot.managesieve:
> - network inet6 stream,
> - network inet stream,
> + #include
>
> abstractions/nameservice allows a lot, do you remember why it was proposed? (If you still have the audit.log, grep for "managesieve" and attach the result.)

See attachment.
> usr.lib.dovecot.script-login:
> That's the profile you created, unfortunately in a way that won't be accepted upstream. The problem is /home/vmware/forest-hirmke.de/msex/vmail/bin/postlogin.sh mrix, which means several things your postlogin.sh script does went into the script-login profile.
>
> Can you please re-create the script-login profile from scratch, but with a separate profile (Px) for postlogin.sh? That should also move most permissions out of the script-login profile.
Can do that, but the path is a somewhat temporary path. It is included, because I'm in transition from MS Exchange to Dovecot and wanted to use the remaining space on that RAID for Dovecot, too. In the future, the disk will get mounted to /home/vmail directly, so that only this path will occur in the profiles.
> Or provide your audit.log and let me do it ;-)

See second attachment.
> usr.bin.cut
> usr.bin.echo
> usr.bin.pwd
>
> I'd recommend not to have standalone profiles for these helpers - better create a child profile (Cx) or use inherit (ix). At least for "cut", having a standalone profile might cause trouble when another script uses cut with a filename as parameter - your profile doesn't allow reading any files.

I'm really new to apparmor - never had to do anything with it. So I had no clue what aa-logprof really created - and why 8-< Because it is a home environment with only two users, I even deactivated apparmor in the past. Thx!
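To make the profile split discussed in this comment concrete, and to show how it resolves the exec denial from the original report, here is an added example of the three pieces side by side. This is not the profile the reporter attached, nor the profile shipped by openSUSE: the script path /home/vmail/bin/postlogin.sh is the final location the reporter said the script would live at and is assumed here, and the individual file and socket rules are assumptions that would be confirmed by running the profiles in complain mode and reviewing audit.log, as done earlier in this thread.

```apparmor
# Added example profiles (not from the bug report or the openSUSE package).
# Piece 1: the single line added to usr.sbin.dovecot, as summarized above.
# It lets the dovecot master exec script-login under its own profile (Px),
# which is exactly the "operation=exec ... denied_mask=x" AVC from the report.
#
#   /usr/lib/dovecot/script-login Px,

#include <tunables/global>

# Piece 2: /etc/apparmor.d/usr.lib.dovecot.script-login
# Kept deliberately small: it only needs to run itself and hand off to the
# administrator's script. Everything the script does belongs in piece 3.
/usr/lib/dovecot/script-login {
  #include <abstractions/base>

  /usr/lib/dovecot/script-login mr,

  # Socket created by the imap-postlogin unix_listener in 10-master.conf
  # (assumption: the exact access needed is verified via complain mode).
  /run/dovecot/imap-postlogin rw,

  # Separate profile (Px) for the post-login script, so that its
  # permissions do not leak into this profile.
  /home/vmail/bin/postlogin.sh Px,
}

# Piece 3: /etc/apparmor.d/home.vmail.bin.postlogin.sh
# Site-specific: every installation runs a different script, which is why
# this part cannot be shipped upstream and must be written per site.
/home/vmail/bin/postlogin.sh {
  #include <abstractions/base>
  #include <abstractions/bash>

  /home/vmail/bin/postlogin.sh r,
  /{usr/,}bin/bash ix,

  # Simple helpers inherit (ix) this profile instead of getting standalone
  # profiles: a standalone usr.bin.cut would affect every other caller of cut.
  /usr/bin/echo ix,
  /usr/bin/pwd ix,

  # cut as a child profile (Cx -> cut): confined separately from the script,
  # but scoped to this profile only, so other scripts using cut are untouched.
  /usr/bin/cut Cx -> cut,

  profile cut {
    #include <abstractions/base>
    /usr/bin/cut mr,
    # cut in this script reads stdin only; add explicit read rules here if
    # the script ever passes it a filename (the pitfall noted above).
  }
}
```

While developing, add flags=(complain) to the profile header (or use aa-complain) so that denials are logged but not enforced, then switch to enforce mode once audit.log stays clean, as recommended earlier in the thread. The usr.sbin.dovecot line and the script-login profile are the only parts that are installation-independent; the script profile has to be maintained by whoever writes the script.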
--- Comment #11 from Michael Hirmke
--- Comment #12 from Michael Hirmke
--- Comment #13 from Michael Hirmke
--- Comment #14 from Michael Hirmke
--- Comment #15 from Christian Boltz
--- Comment #16 from Christian Boltz