[pkg-apparmor] Bug#768357: Bug#768357: Dovecot: Installing apparmor completely breaks dovecot as profiles do not match dovecot processes.

Barry Pearce barryspearce at hotmail.com
Thu Nov 6 21:11:21 UTC 2014
Hi,
The grep for DEN produced nothing. 
To get dovecot running I have to strip out all of the profiles relating to it from apparmor.d and reboot; then dovecot runs. After restoring the profiles and restarting, /var/log/syslog has the following relating to this:

Nov  6 20:54:35 sapient dovecot[10214]: Starting IMAP/POP3 mail server: dovecot.
Nov  6 20:54:35 sapient dovecot: master: Dovecot v2.2.13 starting up for imap (core dumps disabled)
Nov  6 20:54:35 sapient dovecot: master: Fatal: execv(/usr/lib/dovecot/log) failed: No such file or directory
Nov  6 20:54:35 sapient dovecot: master: Error: service(anvil): command startup failed, throttling for 2 secs
Nov  6 20:54:35 sapient dovecot: master: Error: service(log): child 10221 returned error 84 (exec() failed)
Nov  6 20:54:35 sapient dovecot: master: Error: service(log): command startup failed, throttling for 2 secs
Nov  6 20:54:35 sapient dovecot: master: Error: service(ssl-params): command startup failed, throttling for 2 secs
Nov  6 20:54:35 sapient kernel: [42231.270063] audit_printk_skb: 126 callbacks suppressed
Nov  6 20:54:35 sapient kernel: [42231.270065] audit: type=1400 audit(1415307275.701:98): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/anvil" pid=10220 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov  6 20:54:35 sapient kernel: [42231.270125] audit: type=1400 audit(1415307275.701:99): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/log" pid=10221 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov  6 20:54:35 sapient kernel: [42231.270179] audit: type=1400 audit(1415307275.701:100): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/ssl-params" pid=10222 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
A ps -ef | dovecot with profiles in place produces this:
root     10219     1  0 20:54 ?        00:00:00 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
The same without the profiles produces:
root      1799     1  0 21:04 ?        00:00:00 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
dovecot   1800  1799  0 21:04 ?        00:00:00 dovecot/anvil
root      1801  1799  0 21:04 ?        00:00:00 dovecot/log
root      1803  1799  0 21:04 ?        00:00:00 dovecot/config
Should dovecot/anvil and dovecot/log also have profiles? 

The (system installed) apparmor profile for dovecot is:

# ------------------------------------------------------------------
#
#    Copyright (C) 2009-2013 Canonical Ltd.
#    Copyright (C) 2011-2013 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor

#include <tunables/global>

/usr/sbin/dovecot flags=(complain) {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>

  capability chown,
  capability dac_override,
  capability fsetid,
  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  /etc/dovecot/** r,
  /etc/mtab r,
  /etc/lsb-release r,
  /etc/SuSE-release r,
  @{PROC}/@{pid}/mounts r,
  @{PROC}/filesystems r,
  /usr/bin/doveconf rix,
  /usr/lib/dovecot/anvil Px,
  /usr/lib/dovecot/auth Px,
  /usr/lib/dovecot/config Px,
  /usr/lib/dovecot/dict Px,
  /usr/lib/dovecot/dovecot-auth Pxmr,
  /usr/lib/dovecot/imap Pxmr,
  /usr/lib/dovecot/imap-login Pxmr,
  /usr/lib/dovecot/lmtp Px,
  /usr/lib/dovecot/log Px,
  /usr/lib/dovecot/managesieve Px,
  /usr/lib/dovecot/managesieve-login Pxmr,
  /usr/lib/dovecot/pop3 Px,
  /usr/lib/dovecot/pop3-login Pxmr,
  /usr/lib/dovecot/ssl-build-param rix,
  /usr/lib/dovecot/ssl-params Px,
  /usr/sbin/dovecot mrix,
  /usr/share/dovecot/protocols.d/   r,
  /usr/share/dovecot/protocols.d/** r,
  /var/lib/dovecot/ w,
  /var/lib/dovecot/* rwkl,
  /var/spool/postfix/private/auth w,
  /var/spool/postfix/private/dovecot-lmtp w,
  /{,var/}run/dovecot/ rw,
  /{,var/}run/dovecot/** rw,
  link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.dovecot>
}
I'm a developer myself, so I'm happy to help with as much info as required.
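The profile above uses Px (and Pxmr) transitions for the dovecot helper binaries, and the audit lines show each of those execs logged as "profile not found" with error=-2. The following script is an added example, not part of this report or of the Debian apparmor packaging: it parses a profile for exec rules that require a separately loaded profile of the same name (Px/px with no i/u fallback), compares those targets against a snapshot in the format of /sys/kernel/security/apparmor/profiles, and extracts the "profile not found" exec events from kernel audit lines. The profile excerpt and audit lines are taken from this report; the loaded-profile snapshot is constructed to reflect the situation described (only the parent profile loaded).

```python
"""Cross-check AppArmor Px exec rules against the set of loaded profiles."""
import re

# Excerpt of the profile quoted in the report (rules without exec modes trimmed).
PROFILE_TEXT = """\
#include <tunables/global>
/usr/sbin/dovecot flags=(complain) {
  #include <abstractions/base>
  capability setuid,
  /etc/dovecot/** r,
  /usr/bin/doveconf rix,
  /usr/lib/dovecot/anvil Px,
  /usr/lib/dovecot/auth Px,
  /usr/lib/dovecot/config Px,
  /usr/lib/dovecot/imap Pxmr,
  /usr/lib/dovecot/imap-login Pxmr,
  /usr/lib/dovecot/log Px,
  /usr/lib/dovecot/ssl-build-param rix,
  /usr/lib/dovecot/ssl-params Px,
  /usr/sbin/dovecot mrix,
  link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
}
"""

# Constructed snapshot in the "name (mode)" format of
# /sys/kernel/security/apparmor/profiles: only the parent profile is loaded.
LOADED_PROFILES_TEXT = """\
/usr/sbin/dovecot (complain)
"""

# Kernel audit lines from the report, syslog prefix stripped.
AUDIT_LINES = [
    'audit: type=1400 audit(1415307275.701:98): apparmor="ALLOWED" operation="exec" '
    'info="profile not found" error=-2 profile="/usr/sbin/dovecot" '
    'name="/usr/lib/dovecot/anvil" pid=10220 comm="dovecot" requested_mask="x" '
    'denied_mask="x" fsuid=0 ouid=0',
    'audit: type=1400 audit(1415307275.701:99): apparmor="ALLOWED" operation="exec" '
    'info="profile not found" error=-2 profile="/usr/sbin/dovecot" '
    'name="/usr/lib/dovecot/log" pid=10221 comm="dovecot" requested_mask="x" '
    'denied_mask="x" fsuid=0 ouid=0',
    'audit: type=1400 audit(1415307275.701:100): apparmor="ALLOWED" operation="exec" '
    'info="profile not found" error=-2 profile="/usr/sbin/dovecot" '
    'name="/usr/lib/dovecot/ssl-params" pid=10222 comm="dovecot" requested_mask="x" '
    'denied_mask="x" fsuid=0 ouid=0',
]

# "<path> <perms>," file rules only: capability/link/network rules do not match
# because their first token is not a path or their second is not bare letters.
RULE_RE = re.compile(r'^\s*(/\S+)\s+([A-Za-z]+),\s*$')
EXEC_MODE_CHARS = set('PpCcUuIix')


def strict_named_profile_targets(profile_text):
    """Targets whose exec rule is Px/px (including Pxmr) with no fallback.

    Pix/Pux would fall back to inherit/unconfined if the target profile is
    missing; ix and Cx never need a separately loaded profile.
    """
    targets = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        path, perms = m.groups()
        exec_mode = ''.join(ch for ch in perms if ch in EXEC_MODE_CHARS)
        if exec_mode in ('Px', 'px'):
            targets.append(path)
    return targets


def loaded_profile_names(profiles_text):
    """Parse 'name (mode)' lines as listed by the apparmor securityfs file."""
    return {line.strip().rsplit(' (', 1)[0]
            for line in profiles_text.splitlines() if line.strip()}


def missing_transition_targets(profile_text, profiles_text):
    """Px targets that have no loaded profile of the same name (sorted)."""
    loaded = loaded_profile_names(profiles_text)
    return sorted(t for t in strict_named_profile_targets(profile_text)
                  if t not in loaded)


AUDIT_RE = re.compile(
    r'apparmor="(?P<status>\w+)" operation="(?P<op>\w+)"'
    r'(?: info="(?P<info>[^"]*)")?(?: error=(?P<error>-?\d+))?'
    r' profile="(?P<profile>[^"]*)" name="(?P<name>[^"]*)"')


def profile_not_found_execs(lines):
    """(source profile, exec target) for each 'profile not found' exec event.

    The status is ALLOWED because the parent is in complain mode, yet the
    report's dovecot log shows execv still failing with ENOENT (error=-2):
    complain mode does not supply a fallback for a missing Px target.
    """
    events = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m and m.group('op') == 'exec' and m.group('info') == 'profile not found':
            events.append((m.group('profile'), m.group('name')))
    return events


if __name__ == '__main__':
    for target in missing_transition_targets(PROFILE_TEXT, LOADED_PROFILES_TEXT):
        print('no loaded profile for Px target', target)
    for src, dst in profile_not_found_execs(AUDIT_LINES):
        print('audit: %s could not exec %s (profile not found)' % (src, dst))
```

On a live system the two inputs would come from the profile file under /etc/apparmor.d and from /sys/kernel/security/apparmor/profiles; any target the first function lists that is absent from the second is a transition that will fail at exec time, regardless of whether the parent is in complain or enforce mode.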
