Mailinglist Archive: opensuse-bugs (6221 mails)

< Previous Next >
[Bug 1087753] Dovecot fails to start, complaining "Can't open log file /var/log/dovecot.log: Permission denied"
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Tue, 10 Apr 2018 21:57:35 +0000
  • Message-id: <bug-1087753-21960-dGjOyQAiJ0@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1087753
http://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c7

--- Comment #7 from Christian Boltz <suse-beta@xxxxxxxxx> ---
(In reply to Shad Sterling from comment #6)
Actually, that last comment is completely wrong; it seemed to be working at
first, but actually was not. After spending a few hours iterating on
`/var/log/audit/audit.log` and editing several files in
`/etc/apparmor.d/local`, it seems to be back to working.

In `usr.lib.dovecot.config`:

/var/lib/dovecot/ssl-parameters.dat r,
capability dac_read_search,

I'm slightly surprised about these two - can you please paste the relevant
audit.log lines?

In `usr.lib.dovecot.auth`:

/run/dovecot/old-stats-user w,

In `usr.sbin.dovecot`:

/usr/lib/dovecot/stats ix,

Please make that Px, and grab the dovecot/stats profile from bug 1088161 ;-)

/var/log/dovecot w,

In `usr.lib.dovecot.log`:

/var/log/dovecot w,

Please try with "a" instead of "w" (in both profiles that need to write the
logfile), see below for details.


The `w` permission is needed for logs because apparmor denies `ac` and as
far as I can tell there's no way to allow `open`s with `c`. I couldn't find
any indication that there exists documentation with a list of open
permissions, so there may be another way to allow "create and append" other
than `w`.

'c' in the audit.log means "create". There is no exact match in the profile
permissions to only allow "create", but both "a" and "w" include "create". So
if you are lucky, using "a" in the profile is enough (and would be a major
improvement because it blocks changes to existing log content).

I used the `ix` permission for stats rather than `Px` because there is no
`apparmor.d/user.lib.dovecot.stats` to include corresponding file in
`/etc/apparmor.d/local`, and I thought it better to confine my edits to
local.

See above ;-) (there's no local/ sniplet for the dovecot/stats profile yet,
but I'll of course add it when I package the profile)

So basically this recent apparmor update totally clobbers dovecot's ability
to function.

Actually it's the other way round - dovecot was updated, and nobody told me
that it needs AppArmor profile updates :-( (no blaming intended ;-) - and in
the end, the important thing is to get it working again.)

--
You are receiving this mail because:
You are on the CC list for the bug.
< Previous Next >
References