http://bugzilla.opensuse.org/show_bug.cgi?id=1087753
http://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c12
--- Comment #12 from Shad Sterling
(In reply to Shad Sterling from comment #6)
Actually, that last comment is completely wrong; it seemed to be working at first, but actually was not. After spending a few hours iterating on `/var/log/audit/audit.log` and editing several files in `/etc/apparmor.d/local`, it seems to be back to working.
In `usr.lib.dovecot.config`:
```
/var/lib/dovecot/ssl-parameters.dat r,
capability dac_read_search,
```
I'm slightly surprised about these two - can you please paste the relevant audit.log lines?
`grep usr.lib.dovecot.config /var/log/audit/audit.log* | tail`:
```
/var/log/audit/audit.log.4:type=AVC msg=audit(1523334722.592:204589): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523334782.682:204638): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523334842.780:204690): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523334902.866:204741): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523334962.916:204792): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523335022.966:204842): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523335084.008:204893): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523335144.090:204943): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523335204.208:204996): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/audit/audit.log.4:type=AVC msg=audit(1523335264.250:205048): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
`grep dac_read_search /var/log/audit/audit.log* | tail`:
```
/var/log/audit/audit.log.3:type=AVC msg=audit(1523372677.043:240323): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=29574 comm="config" capability=2 capname="dac_read_search"
/var/log/audit/audit.log.3:type=AVC msg=audit(1523373414.162:241172): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=31468 comm="config" capability=2 capname="dac_read_search"
/var/log/audit/audit.log.3:type=AVC msg=audit(1523373805.425:241689): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=400 comm="config" capability=2 capname="dac_read_search"
/var/log/audit/audit.log.4:type=AVC msg=audit(1523316897.764:190139): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=21775 comm="config" capability=2 capname="dac_read_search"
```
```
/var/log/dovecot w,
```
In `usr.lib.dovecot.log`:
```
/var/log/dovecot w,
```
Please try with "a" instead of "w" (in both profiles that need to write the logfile), see below for details.
You really think I spent hours on this and didn't try that? It doesn't work. Omitting `/var/log/dovecot` results in a deny for "ac". Specifying "a" results in a deny for "c". Specifying "ac" is a malformed profile. If there's any documentation about it, it's hard to find. There are posts where people report on this, but none I found explained it. I decided to stop short of reading the code that implements it. It doesn't matter if the file must actually be created, it's enough that the process open it with create access.
The `w` permission is needed for logs because apparmor denies `ac` and as far as I can tell there's no way to allow `open`s with `c`. I couldn't find any indication that there exists documentation with a list of open permissions, so there may be another way to allow "create and append" other than `w`.
'c' in the audit.log means "create". There is no exact match in the profile permissions to only allow "create", but both "a" and "w" include "create". So if you are lucky, using "a" in the profile is enough (and would be a major improvement because it blocks changes to existing log content).
The inability to permit an operation that can be denied is a bug in apparmor.
So basically this recent apparmor update totally clobbers dovecot's ability to function.
Actually it's the other way round - dovecot was updated, and nobody told me that it needs AppArmor profile updates :-( (no blaming intended ;-) - and in the end, the important thing is to get it working again.)
My dovecot config is based on the defaults when I first configured it, which I thought was more than a decade ago but I can only confirm it back to 2012; my dovecot logfile has not changed in at least six years and it just stopped working with this update. Comments with instructions to "migrate from old ssl-parameters.dat" made it into my `/etc/dovecot/conf.d/10-ssl.conf` with this update; use of that file does not appear to be new (if anything it's recently deprecated). "stats" does not appear anywhere in `/etc/dovecot` and hasn't for more than a year, so any change in that doesn't appear to be configurable. It looks like an update to the apparmor profile for dovecot broke any old configurations like mine. Why isn't the apparmor profile for dovecot part of the dovecot package?
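The triage loop described in this thread (grep the AVC denials out of `audit.log`, then turn each one into a profile rule) as an added Python example; this is not code from the bug, from dovecot or from AppArmor's own `aa-logprof`. The sample lines are constructed after the excerpts quoted above, and the mapping of a denied `c` (create) mask to `w` follows what this report says worked; `create_as="a"` lets you generate the narrower rule suggested in the thread instead.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the audit.log excerpts quoted in this bug.
SAMPLE_LOG = """\
type=AVC msg=audit(1523334722.592:204589): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1523372677.043:240323): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=29574 comm="config" capability=2 capname="dac_read_search"
type=AVC msg=audit(1523372700.000:240400): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/log" name="/var/log/dovecot" pid=29580 comm="log" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
type=AVC msg=audit(1523372701.000:240401): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/log" name="/var/log/dovecot" pid=29580 comm="log" requested_mask="w" denied_mask="w"
"""

# key="quoted value" or key=bareword (e.g. pid=21775, msg=audit(...):)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one audit line as a dict, quotes stripped."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def file_mode(denied_mask, create_as="w"):
    """Map an audit denied_mask to a profile file mode.
    Profiles have no plain 'c' (create) mode, so 'c' becomes create_as.
    'w' and 'a' are mutually exclusive in a rule; 'w' wins when both appear."""
    mode = set(denied_mask)
    if "c" in mode:
        mode.discard("c")
        mode.add(create_as)
    if "w" in mode:
        mode.discard("a")
    return "".join(ch for ch in "rwaklm" if ch in mode)


def suggest_rules(log_text, create_as="w"):
    """Return {profile: sorted candidate rule lines} built from DENIED events only."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f.get("type") != "AVC" or f.get("apparmor") != "DENIED":
            continue  # ALLOWED/AUDIT events need no new rule
        prof = f["profile"]
        if f.get("operation") == "capable":
            rules[prof].add(f"capability {f['capname']},")
        elif "name" in f and "denied_mask" in f:
            rules[prof].add(f"{f['name']} {file_mode(f['denied_mask'], create_as)},")
    return {p: sorted(r) for p, r in rules.items()}


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(profile, *lines, sep="\n    ")
```

Every suggested line still has to be reviewed before it goes into `/etc/apparmor.d/local/`; a denial only tells you what the process tried, not whether it should be allowed.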