http://bugzilla.opensuse.org/show_bug.cgi?id=1166007 http://bugzilla.opensuse.org/show_bug.cgi?id=1166007#c1 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WONTFIX --- Comment #1 from Christian Boltz --- That's not a surprise - you'll need to extend the AppArmor profile if you want to run custom scripts in/from dovecot. For your specific case, edit /etc/apparmor.d/local/usr.sbin.dovecot and allow to execute your postlogin script by adding this line: /usr/local/bin/dovecot-postlogin.sh mrUx, Then run rcapparmor reload to load the updated profile. Note that "Ux" means to run dovecot-postlogin.sh unconfined (without AppArmor restrictions). That's easy, but also the least secure variant. If you want a more secure solution, run aa-logprof to allow executing the postlogin script in "(P)rofile" mode (it will also create a minimum profile for the script). Put the profile for the script into complain (learning) mode: aa-complain /usr/local/bin/dovecot-postlogin.sh and use dovecot for a while. Then run aa-logprof again to complete theprofile, and finally switch it to enforce mode: aa-enforce /usr/local/bin/dovecot-postlogin.sh At this point, everything should work. (If you hit more denials, run aa-logprof again.) I'm afraid your requirement is too special for the official/shipped profile, therefore I'm closing this bug as "wontfix". I hope the above helps you nevertheless ;-) and if you need more help, feel free to ask. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166007 http://bugzilla.opensuse.org/show_bug.cgi?id=1166007#c3 --- Comment #3 from Christian Boltz --- (In reply to Michael Hirmke from comment #2)

So I ran aa-logprof and got a new profile for usr.lib.dovecot.script-login, not for /usr/local/bin/dovecot-postlogin.sh. Did you mix up the two?

Indeed - I focused too much on what you wrote, and not enough on reading the audit.log message ;-) This also somewhat changes my opinion to mark this as wontfix - it might become a "partial fix". Executing /usr/lib/dovecot/script-login from dovecot {c,sh}ould be allowed in the profile, but the profile for script-login will obviously have to stay incomplete because everybody will run a different script. So - if you have created separate profiles for /usr/lib/dovecot/script-login and your actual post-login script, I'd be interested to see them.

Besides that, running aa-complain wasn't necessary, aa-logprof already has set the flag.

Nevertheless, you should switch the profile to enforce mode.

Thx for pointing me into the right direction!

You are welcome ;-) -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166007 http://bugzilla.opensuse.org/show_bug.cgi?id=1166007#c5 --- Comment #5 from Christian Boltz --- (In reply to Michael Hirmke from comment #4)

I get an error message from the dovecot master process "master: Error: serivce(lmtp): kill(<pid>, SIGINT) failed: Operation not permitted" This happens, when the lmtp service should be killed after idle timeout. There seems to be no entry in the audit.log for this error. Isn't this an error caused by apparmor, then?

It could be caused by AppArmor (maybe a missing "signal" rule), but in that case you should see an audit.log entry for it. (Looking at the profiles, sending a signal from /usr/sbin/dovecot to lmtp should already be allowed.) -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166007 http://bugzilla.opensuse.org/show_bug.cgi?id=1166007#c7 --- Comment #7 from Michael Hirmke --- This will hopefully be the last comment for this case: Obviously I messed up apparmor completely. So I removed apparmor.d and reinstalled all apparmor packages from scratch. Besides for dovecot I never modified any apparmor profile. Having done that, dovecot started to complain again for some actions. So I reran aa-logprof and got the modification/new profiles shown in the attachements. I hope, they will be helpful. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166007 http://bugzilla.opensuse.org/show_bug.cgi?id=1166007#c9 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|WONTFIX |--- --- Comment #9 from Christian Boltz --- Thanks for the updated profiles! Let me summarize your changes: usr.sbin.dovecot: + /usr/lib/dovecot/script-login Px, Makes sense. usr.lib.dovecot.managesieve: - network inet6 stream, - network inet stream, + #include abstractions/nameservice allows a lot, do you remember why it was proposed? (If you still have the audit.log, grep for "managesieve" and attach the result.) usr.lib.dovecot.script-login: That's the profile you created, unfortunately in a way that won't be accepted upstream. The problem is /home/vmware/forest-hirmke.de/msex/vmail/bin/postlogin.sh mrix, which means several things your postlogin.sh script does went into the script-login profile. Can you please re-create the script-login profile from scratch, but with a separate profile (Px) for postlogin.sh? That should also move most permissions out of the script-login profile. Or provide your audit.log and let me do it ;-) usr.bin.cut usr.bin.echo usr.bin.pwd I'd recommend not to have standalone profiles for these helpers - better create a child profile (Cx) or use inherit (ix). At least for "cut", having a standalone profile might cause trouble when another script uses cut with a filename as parameter - your profile doesn't allow to read any files. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166007 http://bugzilla.opensuse.org/show_bug.cgi?id=1166007#c11 --- Comment #11 from Michael Hirmke --- Created attachment 832729 --> http://bugzilla.opensuse.org/attachment.cgi?id=832729&action=edit grep managesieve audit.log -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166007 http://bugzilla.opensuse.org/show_bug.cgi?id=1166007#c13 --- Comment #13 from Michael Hirmke --- Created attachment 832784 --> http://bugzilla.opensuse.org/attachment.cgi?id=832784&action=edit apparmor profiles for dovecot Ok, I followed your advice and got the profiles listed in the attachement. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166007 http://bugzilla.opensuse.org/show_bug.cgi?id=1166007#c15 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |IN_PROGRESS OS|openSUSE Factory |All --- Comment #15 from Christian Boltz --- Thanks, and sorry for the late response. I submitted the script-login profile upstream with some changes: dropped rules: #include # probably only needed by your script #include # too much, replaced by # capability setuid /bin/bash mr, # probably only needed by your script /home/vmail/bin/postlogin.sh Px, # needs to go into local/ /proc/filesystems r, # part of abstractions/base added rules: capability setuid, #include Note that you'll need to allow the execution of your script (there's no good upstreeam default path, therefore I didn't include a rule for it). The best way is to do this in local/usr.lib.dovecot.script-login, in your case with /home/vmail/bin/postlogin.sh Px, Upstream merge request: https://gitlab.com/apparmor/apparmor/-/merge_requests/635 Note that the upstreamed profile will need a few changes for usage with AppArmor 2.13.x. (Loading the profile should work, but the 2.13 aa-* tools won't like "include if exists".) -- You are receiving this mail because: You are on the CC list for the bug.