Hi,

When I installed 10.1 I had to add some rules to AppArmor or postfix mail delivery with amavis would fail:

    Jul 5 13:03:05 nimrodel postfix/smtpd[5615]: fatal: open lock file pid/inet.localhost:10025: cannot open file: Operation not permit
    Jul 5 13:03:06 nimrodel postfix/master[22973]: warning: process /usr/lib/postfix/smtpd pid 5615 exit status 1
    Jul 5 13:10:35 nimrodel postfix/master[5908]: warning: /usr/lib/postfix/lmtp: bad command startup -- throttling
    Jul 5 13:11:35 nimrodel master[5985]: fatal: master_spawn: exec /usr/lib/postfix/lmtp: Operation not permitted

These are my modifications I did then:

/etc/apparmor.d/usr.lib.postfix.qmgr:

    /{var/spool/postfix/,}private/smtp-amavis w,
    /{var/spool/postfix/,}public/flush w,

/etc/apparmor.d/usr.lib.postfix.smtpd:

    /{var/spool/postfix,}/pid/inet.localhost rw,
    /{var/spool/postfix,}/pid/inet.localhost:10025 rw,

/etc/apparmor.d/usr.lib.postfix.master:

    /usr/lib/postfix/lmtp px,

I don't know if the correct procedure is to modify those files directly, but that's what I did and it works.

Now, I have another problem. Today I had some hundred emails being downloaded, and the command mailq took a long time before failing to complete. I saw this log entry:

    Jul 21 20:00:46 nimrodel postfix/showq[18412]: fatal: open incoming 564677F01D: Operation not permitted
    Jul 21 20:00:47 nimrodel postfix/master[4587]: warning: process /usr/lib/postfix/showq pid 18412 exit status 1
    Jul 21 20:00:47 nimrodel postfix/master[4587]: warning: /usr/lib/postfix/showq: bad command startup -- throttling

Then I looked at /var/log/audit/audit.log, and sure, there was a problem:

    type=APPARMOR msg=audit(1153504846.751:1344): REJECTING r access to /var/spool/postfix/incoming/564677F01D (showq(18412) profile /usr/lib/postfix/showq active /usr/lib/postfix/showq)

So I go to /etc/apparmor.d/usr.lib.postfix.showq, and see this:

    /{var/spool/postfix/,}incoming r,
    /{var/spool/postfix/,}incoming/[0-9A-F] r,
    /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F] r,
    /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* r,
    /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]* r,
    /{var/spool/postfix/,}incoming/[0-0A-F]* r,

Now, the question: Should the last line be:

    /{var/spool/postfix/,}incoming/[0-9A-F]* r,

?

Notice that it is very difficult for me to test this: not till I get another mail with certain ID will it work or fail.

Is this a bug? Should all those modifications be included by SuSE in a patch? Or perhaps this is more an appropriate question for the security list?

--
Cheers,
Carlos Robinson

--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com

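
Added example, not part of the original thread: the showq rules from the message above evaluated against the rejected path from the audit log, once with the existing last rule and once with the variant Carlos proposes. The Python translator is a simplified stand-in for AppArmor's glob matching (`*` stays within one path component, `**` crosses `/`, `{a,b}` alternates), and all function and variable names are made up for this illustration.

```python
import re

def aa_glob_to_regex(glob):
    """Translate a simplified subset of AppArmor path globs into a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):       # ** may cross directory boundaries
            out.append(".*"); i += 2; continue
        if c == "*":                       # * stays inside one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                     # character class, copied through as-is
            j = glob.index("]", i + 1)
            out.append(glob[i:j + 1]); i = j + 1; continue
        elif c == "{":                     # {a,b} alternation
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def allowed(rules, path):
    """True if any read rule matches the whole path."""
    return any(aa_glob_to_regex(r).fullmatch(path) for r in rules)

# Read rules exactly as quoted from usr.lib.postfix.showq in the message.
SHOWQ_RULES = [
    "/{var/spool/postfix/,}incoming",
    "/{var/spool/postfix/,}incoming/[0-9A-F]",
    "/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]",
    "/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/*",
    "/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]*",
    "/{var/spool/postfix/,}incoming/[0-0A-F]*",
]
# Same profile with the last rule changed as proposed in the message.
FIXED_RULES = SHOWQ_RULES[:-1] + ["/{var/spool/postfix/,}incoming/[0-9A-F]*"]
REJECTED = "/var/spool/postfix/incoming/564677F01D"   # path from the audit log

def readable_first_digits(rules):
    """Leading hex digits of a queue ID (constructed sample) that showq may read."""
    base = "/var/spool/postfix/incoming/"
    return "".join(d for d in "0123456789ABCDEF"
                   if allowed(rules, base + d + "64677F01D"))

if __name__ == "__main__":
    print(allowed(SHOWQ_RULES, REJECTED), allowed(FIXED_RULES, REJECTED))
    print(readable_first_digits(SHOWQ_RULES), readable_first_digits(FIXED_RULES))
```

With the rules as quoted, only queue IDs beginning with 0 or A-F are readable in the flat incoming directory, which is why the failure appears only for some messages and can be checked without waiting for one.
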
Carlos E. R. wrote:
> Now, the question: Should the last line be:
> /{var/spool/postfix/,}incoming/[0-9A-F]* r,
> ?
> Notice that it is very difficult for me to test this: not till I get another mail with certain ID will it work or fail.
> Is this a bug? Should all those modifications be included by SuSE in a patch?

Can't answer your exact question Carlos, but I found if AppArmor blocked postfix, it was easy to update it via Novell AppArmor>Update Profile Wizard.

HTH
--
Joe Morris
Registered Linux user 231871

Carlos E. R. wrote:
> I don't know if the correct procedure is to modify those files directly,

aa-genprof I believe. That's what I've been using.

> Is this a bug? Should all those modifications be included by SuSE in a patch?

Given that you're looking at a standard/default postfix directory with a bad AppArmor profile, I think it's a bug.

/Per Jessen, Zürich

The Saturday 2006-07-22 at 09:58 +0200, Per Jessen wrote:
> aa-genprof I believe. That's what I've been using.

I'll have to rtfm O:-)

> Is this a bug? Should all those modifications be included by SuSE in a patch?
> Given that you're looking at a standard/default postfix directory with a bad AppArmor profile, I think it's a bug.

I'll post it to security list, so that the maintainer sees it.

--
Cheers,
Carlos E. R.

On Saturday 22 July 2006 14:16, Carlos E. R. wrote:
> I'll post it to security list, so that the maintainer sees it.

Bad logic. If you find a bug, mailing list postings aren't the place for it, bugzilla.novell.com is.

participants (4)
- Anders Johansson
- Carlos E. R.
- Joe Morris (NTM)
- Per Jessen