[Bug 1132214] New: AppArmor config for Dovecot package needs to be fixed
http://bugzilla.opensuse.org/show_bug.cgi?id=1132214

Bug ID: 1132214
Summary: AppArmor config for Dovecot package needs to be fixed
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: b631093f-779b-4d67-9ffe-5f6d5b1d3f8a@protonmail.ch
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Someone needs to sit down and review the bundled Dovecot profiles for AppArmor, because at the moment they are distinctly lacking. And no, I don't have the AppArmor expertise necessary.

So far after many hours I have found I had to add:

/var/spool/postfix/private/dovecot-auth rwk,
/var/spool/postfix/private/dovecot-lmtp rwk,

To:

/etc/apparmor.d/local/usr.lib.dovecot.auth
/etc/apparmor.d/local/usr.lib.dovecot.lmtp
/etc/apparmor.d/local/usr.sbin.dovecot

These should really be included in the default profiles!

And now I have a problem with dsync (e.g. 'doveadm -v -o mail_fsync=never backup -R -u foobar@example.com imapc:')

This fails with "dns_lookup(foo.example.com) failed: read(/var/run/dovecot/dns-client) failed: read(size=512) failed: Connection reset by peer"

But it works fine if I do 'aa-teardown'.

I have tried adding:

/usr/lib/dovecot/dns-client mrPx,
/var/run/dovecot/dns-client mrPx,

To:

/etc/apparmor.d/local/usr.sbin.dovecot

But that doesn't work.

So please, can someone with some expertise fix this as it's completely messed up right now!

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1132214#c1

--- Comment #1 from Tim Jones <b631093f-779b-4d67-9ffe-5f6d5b1d3f8a@protonmail.ch> ---

P.S. I appreciate you might classify the first part of my complaint as Postfix related. However, the second (re. dsync) still counts 100% as Dovecot.
http://bugzilla.opensuse.org/show_bug.cgi?id=1132214#c2

--- Comment #2 from Christian Boltz <suse-beta@cboltz.de> ---

Instead of unloading all profiles, better switch them to complain mode:

aa-complain /etc/apparmor.d/*dovecot*

Complain mode will allow everything, and log what would be denied. (If the profiles weren't loaded before, restart dovecot.)

Then use dovecot for a while, and attach your /var/log/audit/audit.log.

(In reply to Tim Jones from comment #0)
> Someone needs to sit down and review the bundled Dovecot profiles for AppArmor, because at the moment they are distinctly lacking. And no, I don't have the AppArmor expertise necessary.
>
> So far after many hours I have found I had to add:
>
> /var/spool/postfix/private/dovecot-auth rwk,
> /var/spool/postfix/private/dovecot-lmtp rwk,
>
> To:
>
> /etc/apparmor.d/local/usr.lib.dovecot.auth
> /etc/apparmor.d/local/usr.lib.dovecot.lmtp
> /etc/apparmor.d/local/usr.sbin.dovecot

I'm not sure if you need to add these rules to all 3 profiles. Do you still have the audit.log events for that? (If not, just remove the lines you added and run "rcapparmor reload" to reload the profiles - as long as they are in complain mode, nothing will be blocked.)

> I have tried adding:
>
> /usr/lib/dovecot/dns-client mrPx,
> /var/run/dovecot/dns-client mrPx,
>
> To:
>
> /etc/apparmor.d/local/usr.sbin.dovecot
>
> But that doesn't work.

"Px" means executing a binary under a separate profile, but there's no profile for dns-client (yet). Therefore AppArmor will stop the execution of dns-client. (BTW, the rule for /var/run/dovecot/dns-client looks completely strange - /var/run/ shouldn't contain executables.)

Basically the same advice as above applies here - put the profiles into complain mode, ideally remove the rules you added during testing, and attach your audit.log.

As a sidenote: If you are interested, I can also teach you how you can update the profiles yourself (it's not really hard ;-)
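Comment #2 asks for the complain-mode audit.log so that the rules can be derived from what Dovecot actually touched rather than guessed. The script below is added here as an illustration (it is not part of the bug report, the openSUSE AppArmor package or the aa-logprof tool): it turns AppArmor audit events into candidate rule lines grouped by profile. The log lines are constructed samples, the profile names for doveadm are assumed, and the `ix` transition chosen for exec events is a placeholder reflecting comment #2's point that `Px` only works once a separate dns-client profile exists.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines in the format AppArmor emits for profiles
# in complain mode (apparmor="ALLOWED"); not taken from the bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1555000000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/dovecot-auth" pid=2001 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
type=AVC msg=audit(1555000000.102:202): apparmor="ALLOWED" operation="file_lock" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/dovecot-auth" pid=2001 comm="auth" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1555000000.103:203): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/dns-client" pid=2002 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1555000000.104:204): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/doveadm" name="/var/run/dovecot/dns-client" pid=2003 comm="doveadm" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
type=SYSCALL msg=audit(1555000000.105:205): arch=c000003e syscall=2 success=yes exit=3
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_events(log_text):
    """Return (profile, path, mask) for every AppArmor file event in the log."""
    events = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # not an AppArmor event (e.g. a plain SYSCALL record)
        if "profile" not in fields or "name" not in fields:
            continue  # capability/network events carry no path; review by hand
        mask = fields.get("denied_mask") or fields.get("requested_mask", "")
        events.append((fields["profile"], fields["name"], mask))
    return events

def mask_to_perms(mask):
    """Map audit mask letters to an AppArmor file permission string."""
    perms = {"w" if ch in "cd" else ch for ch in mask if ch in "cdmrwalkx"}
    if "w" in perms:
        perms.discard("a")  # write already covers append; avoid an invalid "wa"
    out = "".join(p for p in "mrwalk" if p in perms)
    # "ix" runs the child under the caller's profile; "Px" (as tried in the
    # report) only works once a separate profile for that binary exists.
    return out + "ix" if "x" in perms else out

def suggest_rules(log_text):
    """Group events by profile and emit one candidate rule line per path."""
    masks = defaultdict(lambda: defaultdict(str))
    for profile, path, mask in parse_events(log_text):
        masks[profile][path] += mask
    return {profile: sorted(f"{path} {mask_to_perms(m)}," for path, m in paths.items())
            for profile, paths in masks.items()}
```

Paths containing PIDs or mailbox names should be generalised with globs before the lines go into /etc/apparmor.d/local/, and any rule that is only needed by one profile should go only there.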
http://bugzilla.opensuse.org/show_bug.cgi?id=1132214

Christian Boltz <suse-beta@cboltz.de> changed:

What  | Removed | Added
CC    |         | b631093f-779b-4d67-9ffe-5f6d5b1d3f8a@protonmail.ch
Flags |         | needinfo?(b631093f-779b-4d67-9ffe-5f6d5b1d3f8a@protonmail.ch)
http://bugzilla.opensuse.org/show_bug.cgi?id=1132214#c3

Christian Boltz <suse-beta@cboltz.de> changed:

What       | Removed | Added
Status     | NEW     | RESOLVED
Resolution | ---     | NORESPONSE

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> ---

I'm afraid that I can't update the profiles without seeing the logs, so that I know what is really needed. Please reopen once you have the log available or have some time to reproduce and debug the issue. Of course, I'll help you with that if needed.
participants (2)
-
bugzilla_noreply@novell.com
-
bugzilla_noreply@suse.com