Mailinglist Archive: opensuse-bugs (6221 mails)

[Bug 1087753] Dovecot fails to start, complaining "Can't open log file /var/log/dovecot.log: Permission denied"
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Thu, 12 Apr 2018 04:05:13 +0000
  • Message-id: <bug-1087753-21960-AL0Xaed0F9@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1087753
http://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c12

--- Comment #12 from Shad Sterling <me@xxxxxxxxxxxxxxxx> ---
(In reply to Christian Boltz from comment #7)
> (In reply to Shad Sterling from comment #6)
> > Actually, that last comment is completely wrong; it seemed to be working at
> > first, but actually was not. After spending a few hours iterating on
> > `/var/log/audit/audit.log` and editing several files in
> > `/etc/apparmor.d/local`, it seems to be back to working.
> >
> > In `usr.lib.dovecot.config`:
> >
> > /var/lib/dovecot/ssl-parameters.dat r,
> > capability dac_read_search,
>
> I'm slightly surprised about these two - can you please paste the relevant
> audit.log lines?

`grep usr.lib.dovecot.config /var/log/audit/audit.log* | tail`:
/var/log/audit/audit.log.4:type=AVC msg=audit(1523334722.592:204589):
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config"
name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523334782.682:204638):
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config"
name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523334842.780:204690):
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config"
name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523334902.866:204741):
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config"
name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523334962.916:204792):
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config"
name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523335022.966:204842):
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config"
name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523335084.008:204893):
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config"
name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523335144.090:204943):
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config"
name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523335204.208:204996):
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config"
name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523335264.250:205048):
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config"
name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

`grep dac_read_search /var/log/audit/audit.log* | tail`:
/var/log/audit/audit.log.3:type=AVC msg=audit(1523372677.043:240323):
apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config"
pid=29574 comm="config" capability=2 capname="dac_read_search"
/var/log/audit/audit.log.3:type=AVC msg=audit(1523373414.162:241172):
apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config"
pid=31468 comm="config" capability=2 capname="dac_read_search"
/var/log/audit/audit.log.3:type=AVC msg=audit(1523373805.425:241689):
apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config"
pid=400 comm="config" capability=2 capname="dac_read_search"
/var/log/audit/audit.log.4:type=AVC msg=audit(1523316897.764:190139):
apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config"
pid=21775 comm="config" capability=2 capname="dac_read_search"

> > /var/log/dovecot w,
> >
> > In `usr.lib.dovecot.log`:
> >
> > /var/log/dovecot w,
>
> Please try with "a" instead of "w" (in both profiles that need to write the
> logfile), see below for details.

You really think I spent hours on this and didn't try that?
It doesn't work.
Omitting `/var/log/dovecot` results in a deny for "ac". Specifying "a" results
in a deny for "c". Specifying "ac" is a malformed profile.
If there's any documentation about it, it's hard to find. There are posts
where people report on this, but none I found explained it.
I decided to stop short of reading the code that implements it.
It doesn't matter if the file must actually be created, it's enough that the
process open it with create access.

> > The `w` permission is needed for logs because apparmor denies `ac` and as
> > far as I can tell there's no way to allow `open`s with `c`. I couldn't find
> > any indication that there exists documentation with a list of open
> > permissions, so there may be another way to allow "create and append" other
> > than `w`.
>
> 'c' in the audit.log means "create". There is no exact match in the profile
> permissions to only allow "create", but both "a" and "w" include "create".
> So if you are lucky, using "a" in the profile is enough (and would be a
> major improvement because it blocks changes to existing log content).

The inability to permit an operation that can be denied is a bug in apparmor.

> > So basically this recent apparmor update totally clobbers dovecot's ability
> > to function.
>
> Actually it's the other way round - dovecot was updated, and nobody told me
> that it needs AppArmor profile updates :-( (no blaming intended ;-) - and
> in the end, the important thing is to get it working again.)

My dovecot config is based on the defaults when I first configured it, which I
thought was more than a decade ago but I can only confirm it back to 2012; my
dovecot logfile has not changed in at least six years and it just stopped
working with this update.

Comments with instructions to "migrate from old ssl-parameters.dat" made it
into my `/etc/dovecot/conf.d/10-ssl.conf` with this update; use of that file
does not appear to be new (if anything it's recently deprecated).

"stats" does not appear anywhere in `/etc/dovecot` and hasn't for more than a
year, so any change in that doesn't appear to be configurable.

It looks like an update to the apparmor profile for dovecot broke any old
configurations like mine.

Why isn't the apparmor profile for dovecot part of the dovecot package?

--
You are receiving this mail because:
You are on the CC list for the bug.
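Added example, not code from the bug report, from openSUSE, or from the AppArmor project: the procedure the thread describes by hand (grep audit.log for DENIED records, turn each one into a rule for /etc/apparmor.d/local, reload, repeat) as a small script. It parses AVC records of the shape quoted above, unions the denied_mask letters per (profile, path), renders file and capability rules, and then reports which of those rules a given local profile fragment still lacks. The audit lines are constructed for the example (the first two mirror the reporter's records for /usr/lib/dovecot/config; the "ac" denial on /var/log/dovecot for a hypothetical /usr/lib/dovecot/log profile, and the ALLOWED line, are made up to exercise the code). The mask-to-permission mapping follows comment #7: the audit "c" (create) flag has no profile letter of its own, and both "a" and "w" are taken to cover it, with "a" preferred where no write or truncate was denied. Exact-path matching only; globs in an existing profile are not expanded. This is the same job aa-logprof does interactively.

```python
"""Turn AppArmor DENIED records from audit.log into the profile rules that
would permit them, and show which of those rules a local profile lacks."""
import re
from collections import defaultdict

# Constructed sample, modelled on the records quoted in the bug thread; not
# taken from a real system. One record per line, as audit.log stores them
# (the mail wrapping above is gone). The /usr/lib/dovecot/log profile, its
# "ac" denial and the ALLOWED record are invented for the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1523334722.592:204589): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1523372677.043:240323): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=29574 comm="config" capability=2 capname="dac_read_search"
type=AVC msg=audit(1523372680.000:240330): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/log" name="/var/log/dovecot" pid=29580 comm="log" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
type=AVC msg=audit(1523372681.000:240331): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/log" name="/etc/dovecot/dovecot.conf" pid=29580 comm="log" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Constructed /etc/apparmor.d/local/usr.lib.dovecot.config fragment that
# already grants one of the two rules the sample log asks for.
EXISTING_LOCAL_CONFIG = """\
# local additions (example fragment, not the shipped profile)
/var/lib/dovecot/ssl-parameters.dat r,
"""

# key=value or key="quoted value" pairs of an audit record
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# a file rule in a profile: optional quoted path, permission letters, comma
RULE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s+([a-z]+)\s*,\s*$')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def mask_to_perms(mask):
    """Map audit denied_mask letters to a profile permission string.

    Assumption from comment #7: 'c' (create) and 'd' (delete) have no
    standalone profile letter; 'a' and 'w' both cover create, 'w' also
    covers delete. 'a' is chosen when no write/truncate was denied, which
    keeps existing log content read-only for the process.
    """
    perms = "r" if "r" in mask else ""
    if "w" in mask or "d" in mask:
        perms += "w"
    elif "a" in mask or "c" in mask:
        perms += "a"
    perms += "".join(c for c in "klm" if c in mask)   # lock, link, mmap
    return perms


def suggest_rules(audit_text):
    """Return {profile: sorted rules} covering every DENIED record."""
    masks = defaultdict(set)   # (profile, path) -> union of denied letters
    caps = defaultdict(set)    # profile -> capability names
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED":
            continue
        if rec.get("operation") == "capable":
            caps[rec["profile"]].add(rec["capname"])
        elif "name" in rec and "denied_mask" in rec:
            masks[(rec["profile"], rec["name"])].update(rec["denied_mask"])
    rules = defaultdict(list)
    for (profile, path), mask in masks.items():
        perms = mask_to_perms(mask)
        if perms:                      # exec denials etc. are not handled
            quoted = f'"{path}"' if " " in path else path
            rules[profile].append(f"{quoted} {perms},")
    for profile, names in caps.items():
        rules[profile].extend(f"capability {name}," for name in names)
    return {p: sorted(r) for p, r in rules.items()}


def covers(existing, needed):
    """True if an existing permission string grants every needed letter
    ('w' also satisfies a needed 'a')."""
    return all(c in existing or (c == "a" and "w" in existing) for c in needed)


def missing_rules(profile_text, rules):
    """Filter one profile's suggested rules down to those that profile_text
    does not already grant (exact path match, no glob expansion)."""
    have_paths, have_caps = {}, set()
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("capability "):
            have_caps.add(line[len("capability "):].rstrip(",").strip())
            continue
        m = RULE_RE.match(line)
        if m:
            have_paths[m.group(1) or m.group(2)] = m.group(3)
    missing = []
    for rule in rules:
        if rule.startswith("capability "):
            if rule[len("capability "):].rstrip(",") not in have_caps:
                missing.append(rule)
            continue
        m = RULE_RE.match(rule)
        path, perms = m.group(1) or m.group(2), m.group(3)
        if not covers(have_paths.get(path, ""), perms):
            missing.append(rule)
    return missing


if __name__ == "__main__":
    suggested = suggest_rules(SAMPLE_AUDIT_LOG)
    for profile, rules in suggested.items():
        print(f"# rules needed by profile {profile}")
        for rule in rules:
            print("  " + rule)
    print("# still missing from the local usr.lib.dovecot.config fragment:")
    for rule in missing_rules(EXISTING_LOCAL_CONFIG,
                              suggested["/usr/lib/dovecot/config"]):
        print("  " + rule)
```

Re-running the script over fresh audit lines after each `apparmor_parser -r` reload is the loop the reporter describes; if a denial for "c" really does survive a granted "a", the script prints that rule again and the audit record that produced it is the evidence to attach to the bug.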