[pkg-apparmor] Bug#835826: Bug#835826: apparmor-profiles: usr.lib.dovecot.imap issue?

Félix Sipma felix+debian at gueux.org
Mon Aug 29 07:01:08 UTC 2016


The logs are quite large... Here are the lines (only from the last minute)
without any "//null-*" in the profile name:

Aug 29 08:50:02 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:07 laptop audit[27369]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27369 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:07 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:07 laptop kernel: audit: type=1400 audit(1472453407.705:1841571): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27369 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:20 laptop kernel: audit_printk_skb: 5283 callbacks suppressed
Aug 29 08:50:30 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:33 laptop audit[27535]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27535 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:40 laptop kernel: audit_printk_skb: 5280 callbacks suppressed
Aug 29 08:50:51 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:58 laptop audit[27574]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27574 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:58 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:58 laptop kernel: audit: type=1400 audit(1472453458.689:1846360): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27574 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0




On 2016-08-28 20:46+0200, Christian Boltz wrote:
> Hello,
> 
> On Sunday, 28 August 2016, 18:49:15 CEST, Félix Sipma wrote:
>> Aug 28 18:42:04 laptop audit[8899]: AVC apparmor="ALLOWED"
>> operation="getattr" profile="/usr/lib/dovecot/imap//null-8b//null-8c"
>> name="/home/user/mail/dovecot.index.log" pid=8899 comm="imap"
>> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> 
> This (especially the "//null-*" child profiles [1]) means you'll need 
> additional exec rules.
> 
> To find out what exactly gets executed, can you please post a bigger 
> section of your audit log, or even the full log? I'm especially looking 
> for a line with
>    operation="exec" profile="/usr/lib/dovecot/imap"
> (without any "//null-*" in the profile name)
> 
> Note that there are two exec levels involved, so we might need to add 
> more than one exec rule. This also means that posting your full audit 
> log (or at least everything dovecot-related after the exec event 
> described above) can avoid an additional round of updating the profile 
> and sending fresh logs ;-)
> 
> Regards,
> 
> Christian Boltz
> 
> [1] null-* are temporary profiles for execs that are not permitted in the 
>    profile yet (and will obviously only be created for profiles in 
>    complain mode - in enforce mode, unknown execs get denied)
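
The log triage discussed in this thread, as an added example that is not part of either message: it parses AppArmor audit lines, drops the duplicate that appears when the same event is logged by both audit and the kernel, separates "//null-*" child-profile events from top-level ones, and lists top-level exec events. The sample lines are constructed in the format shown above; the exec line and its path /usr/bin/example-helper are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in this thread (not real log data).
# The operation="exec" line and /usr/bin/example-helper are hypothetical.
SAMPLE = """\
Aug 29 08:50:02 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:07 laptop audit[27369]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27369 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:07 laptop kernel: audit: type=1400 audit(1472453407.705:1841571): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27369 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:08 laptop audit[27370]: AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/dovecot/imap" name="/usr/bin/example-helper" pid=27370 comm="imap" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Aug 29 08:50:09 laptop audit[27371]: AVC apparmor="ALLOWED" operation="getattr" profile="/usr/lib/dovecot/imap//null-8b//null-8c" name="/home/user/mail/dovecot.index.log" pid=27371 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 29 08:50:33 laptop audit[27535]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27535 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare

def parse(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None  # e.g. "audit_printk_skb: N callbacks suppressed"
    return {k: (q if v.startswith('"') else v) for k, v, q in KV.findall(line)}

def triage(log_text):
    """Count distinct events per rule candidate, split by profile level."""
    top, child, seen = Counter(), Counter(), set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = tuple(ev.get(k, "") for k in
                    ("profile", "operation", "name", "requested_mask", "pid"))
        if key in seen:  # same event logged twice (audit and kernel lines)
            continue
        seen.add(key)
        bucket = child if "//null-" in key[0] else top
        bucket[key[:4]] += 1  # count is per distinct pid
    return top, child

def exec_events(top):
    """Paths executed directly from a top-level (non-null) profile."""
    return sorted(name for (_profile, op, name, _mask) in top if op == "exec")

if __name__ == "__main__":
    top, child = triage(SAMPLE)
    for (profile, op, name, mask), n in sorted(top.items()):
        print(f"{n:3d}  {profile}  {op}  {name}  ({mask})")
    print("top-level execs:", exec_events(top))
    print("events in //null-* child profiles:", sum(child.values()))
```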

