[pkg-apparmor] Bug#969114: apparmor-profiles: usr.sbin.dovecot does not allow reading /usr/share/dovecot/dh.pem (dovecot fails to start)

Vincas Dargis vindrg at gmail.com
Thu Aug 27 20:43:30 BST 2020


Package: apparmor-profiles
Version: 2.13.2-10
Severity: normal
Tags: upstream

Dear Maintainer,

This is produced if usr.sbin.dovecot is copied to /etc/apparmor.d:

```
type=AVC msg=audit(1598556536.092:901): apparmor="DENIED" operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=12625 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

This results in dovecot failing to start:

```
Aug 27 22:31:47 systemd[1]: Started Dovecot IMAP/POP3 email server.
Aug 27 22:31:47 dovecot[13693]: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file /usr/share/dove
Aug 27 22:31:47 systemd[1]: dovecot.service: Main process exited, code=exited, status=89/n/a
Aug 27 22:31:47 systemd[1]: dovecot.service: Failed with result 'exit-code'.
```

It is fixed by adding a single rule:

```
/usr/share/dovecot/dh.pem r,
```


-- System Information:
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: armhf (armv7l)

Kernel: Linux 4.19.0-10-armmp-lpae (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor-profiles depends on:
ii  apparmor  2.13.2-10

apparmor-profiles recommends no packages.

apparmor-profiles suggests no packages.

-- Configuration Files:
/etc/apparmor.d/bin.ping changed [not included]
/etc/apparmor.d/sbin.klogd changed [not included]
/etc/apparmor.d/sbin.syslog-ng changed [not included]
/etc/apparmor.d/sbin.syslogd changed [not included]
/etc/apparmor.d/usr.sbin.avahi-daemon changed [not included]
/etc/apparmor.d/usr.sbin.dnsmasq changed [not included]
/etc/apparmor.d/usr.sbin.identd changed [not included]
/etc/apparmor.d/usr.sbin.mdnsd changed [not included]
/etc/apparmor.d/usr.sbin.nmbd changed [not included]
/etc/apparmor.d/usr.sbin.nscd changed [not included]
/etc/apparmor.d/usr.sbin.smbd changed [not included]
/etc/apparmor.d/usr.sbin.smbldap-useradd changed [not included]
/etc/apparmor.d/usr.sbin.traceroute changed [not included]

-- no debconf information
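As an added example that is not part of the bug report above, the following Python script turns AppArmor `DENIED` audit lines like the one quoted in the report into the minimal file rule per profile, which is the manual step the reporter carried out by hand. The first log line is the one from the report; the second is constructed to show how a `c` (create) mask is normalised to `w`.

```python
import re

# Constructed sample input: line 1 is the denial quoted in the bug report,
# line 2 is a made-up denial used to exercise mask normalisation.
SAMPLE_LOG = """\
type=AVC msg=audit(1598556536.092:901): apparmor="DENIED" operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=12625 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1598556540.000:902): apparmor="DENIED" operation="open" profile="dovecot" name="/var/lib/dovecot/ssl-parameters.dat" pid=12626 comm="doveconf" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare non-space token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Preferred ordering of permission letters in the emitted rule
PERM_ORDER = "rwalkm"


def parse_audit_line(line):
    """Return the key=value fields of one audit/AVC log line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        val = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = val
    return fields


def normalise_mask(mask):
    """Map a denied_mask to profile-language permissions.

    The kernel log reports create ('c') and delete ('d') separately, but the
    profile language grants both through 'w', so collapse them and dedupe.
    """
    mask = mask.replace("c", "w").replace("d", "w")
    letters = set(mask)
    return "".join(sorted(letters, key=lambda ch: PERM_ORDER.find(ch) % 100))


def suggest_rules(log_text):
    """Return {profile: sorted list of file rules} covering every DENIED
    file-access event in log_text, granting only the permissions denied."""
    rules = {}
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue  # not a file-access denial (e.g. capability or network)
        perms = normalise_mask(f["denied_mask"])
        rules.setdefault(f["profile"], set()).add(f'{f["name"]} {perms},')
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, profile_rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        print("\n".join("  " + r for r in profile_rules))
```

Each emitted rule should still be reviewed before it is added to the profile; a denial tells you what the program asked for, not whether granting it is appropriate.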
