[pkg-apparmor] Bug#953268: apparmor-profiles: fails to copy usr.lib.dovecot.stats leading to "profile transition not found"
peter at peternowee.com
Fri Mar 6 19:37:18 GMT 2020
Package: apparmor-profiles
Version: 2.13.2-10
Severity: normal
Dear Maintainer,
After enforcing the Dovecot profiles, messages like the following
appear in syslog:
Mar 2 21:29:32 zhouzhou systemd[1]: Started Dovecot IMAP/POP3 email server.
Mar 2 21:29:33 zhouzhou dovecot: master: Dovecot v2.3.4.1 (f79e8e7e4) starting up for pop3 (core dumps disabled)
Mar 2 21:29:36 zhouzhou kernel: [691833.564510] audit: type=1400 audit(1583184576.621:871): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13
profile="dovecot" name="/usr/lib/dovecot/stats" pid=5642 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/dovecot/stats"
Mar 2 21:29:36 zhouzhou dovecot: master: Fatal: execv(/usr/lib/dovecot/stats) failed: Permission denied
Mar 2 21:29:36 zhouzhou dovecot: master: Error: service(stats): command startup failed, throttling for 2 secs
Mar 2 21:29:36 zhouzhou dovecot: stats: Fatal: master: service(stats): child 5642 returned error 84 (exec() failed)
Mar 2 21:29:38 zhouzhou kernel: [691835.581584] audit: type=1400 audit(1583184578.641:872): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13
profile="dovecot" name="/usr/lib/dovecot/stats" pid=5644 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/dovecot/stats"
Mar 2 21:29:38 zhouzhou dovecot: master: Fatal: execv(/usr/lib/dovecot/stats) failed: Permission denied
Mar 2 21:29:38 zhouzhou dovecot: master: Error: service(stats): command startup failed, throttling for 4 secs
Mar 2 21:29:38 zhouzhou dovecot: stats: Fatal: master: service(stats): child 5644 returned error 84 (exec() failed)
It seems this is caused by a missing profile file:
/etc/apparmor.d/usr.lib.dovecot.stats
which I should normally be able to copy from:
/usr/share/apparmor/extra-profiles/usr.lib.dovecot.stats
but that file is missing as well.
The profile was introduced in upstream commit 36bdd6ea of 2018-04-13
and has been included in the source of the Debian package since version
2.13:
https://salsa.debian.org/apparmor-team/apparmor/-/commit/36bdd6ea7011455f94106e6ea6d4aad626863815
However, during package installation, the profile file does not get
installed together with the other Dovecot profiles, probably because it
has not been added to the package installation scripts yet:
https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/release-2.13.2-10/debian/apparmor-profiles.maintscript
https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/release-2.13.2-10/debian/apparmor-profiles.install
https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/release-2.13.2-10/debian/copyright
This is also the case in current master on salsa.debian.org.
Because the necessary fix is obvious and I lack the time and specific
knowledge about this package for extensive testing of the change, I do
not provide a patch with this bug report. Feel free to ask, though, if
needed and I will see what I can do.
As a workaround, current users can download the file from:
https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/release-2.13.2-10/profiles/apparmor.d/usr.lib.dovecot.stats
to:
/usr/share/apparmor/extra-profiles/usr.lib.dovecot.stats
and then copy it to:
/etc/apparmor.d/usr.lib.dovecot.stats
A restart or reload of apparmor and dovecot may be necessary.
Thanks, best regards,
Peter Nowee
-- System Information:
Debian Release: 10.3
Versions of packages apparmor-profiles depends on:
ii apparmor 2.13.2-10
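
Added example (not part of the original report, nor code from the apparmor package): a Python check that reads AppArmor audit records like the ones quoted above, picks out exec denials with info="profile transition not found", and reports which profile file is absent from a profile directory. The file-name mapping (executable path with "/" replaced by ".") is the convention the paths in the report follow and is an assumption here; the function names are hypothetical.

```python
import re
from pathlib import Path

# Audit record and follow-up error from the report above, each rejoined onto one line.
SAMPLE_LOG = (
    'Mar 2 21:29:36 zhouzhou kernel: [691833.564510] audit: type=1400 '
    'audit(1583184576.621:871): apparmor="DENIED" operation="exec" '
    'info="profile transition not found" error=-13 profile="dovecot" '
    'name="/usr/lib/dovecot/stats" pid=5642 comm="dovecot" '
    'requested_mask="x" denied_mask="x" fsuid=0 ouid=0 '
    'target="/usr/lib/dovecot/stats"\n'
    'Mar 2 21:29:36 zhouzhou dovecot: master: Fatal: '
    'execv(/usr/lib/dovecot/stats) failed: Permission denied\n'
)

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    return {key: value.strip('"') for key, value in KV.findall(line)}

def expected_profile_name(exec_path):
    """Assumed naming convention: drop the leading '/', then '/' becomes '.'."""
    return exec_path.lstrip("/").replace("/", ".")

def missing_transition_profiles(log_text, profile_dir):
    """Map each exec target denied for a missing transition to its absent file."""
    missing = {}
    for line in log_text.splitlines():
        rec = parse_audit(line)
        if (not rec or rec.get("apparmor") != "DENIED"
                or rec.get("operation") != "exec"
                or rec.get("info") != "profile transition not found"):
            continue
        target = rec.get("target") or rec.get("name", "")
        candidate = Path(profile_dir) / expected_profile_name(target)
        if target and not candidate.is_file():
            missing[target] = {"parent_profile": rec.get("profile"),
                               "expected_file": str(candidate)}
    return missing

if __name__ == "__main__":
    found = missing_transition_profiles(SAMPLE_LOG, "/etc/apparmor.d")
    for target, info in found.items():
        print(f"{info['parent_profile']} -> {target}: no {info['expected_file']}")
```

A file being present in the directory does not prove the profile is loaded in the kernel; aa-status lists the profiles that are actually loaded.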