[pkg-apparmor] Bug#969114: apparmor-profiles: usr.sbin.dovecot does not allow reading /usr/share/dovecot/dh.pem (dovecot fails to start)

Vincas Dargis vindrg at gmail.com
Sun Oct 25 17:07:32 GMT 2020


I think it's for upstream. There are more rules to add too. I'll try to work on that.

On 2020-10-24 16:05, intrigeri wrote:
> Hi Vincas!
> 
> Vincas Dargis (2020-08-27):
>> This is produced if usr.sbin.dovecot is copied to /etc/apparmor.d:
>>
>> ```
>> type=AVC msg=audit(1598556536.092:901): apparmor="DENIED" operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=12625 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> ```
>>
>> This results in dovecot failing to start:
>>
>> ```
>> Aug 27 22:31:47 systemd[1]: Started Dovecot IMAP/POP3 email server.
>> Aug 27 22:31:47 dovecot[13693]: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file /usr/share/dove
>> Aug 27 22:31:47 systemd[1]: dovecot.service: Main process exited, code=exited, status=89/n/a
>> Aug 27 22:31:47 systemd[1]: dovecot.service: Failed with result 'exit-code'.
>> ```
>>
>> It is fixed by adding a single rule:
>>
>> ```
>> /usr/share/dovecot/dh.pem r,
>> ```
> 
> Do you think it's too Debian-specific to fix upstream?
> 
> Cheers!
> 
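The denial-to-rule step described in the quoted report (a `DENIED` audit line for `/usr/share/dovecot/dh.pem` with `requested_mask="r"` becomes the profile rule `/usr/share/dovecot/dh.pem r,`) is the same mapping that aa-logprof automates. The following is an added example written for this page, not code from the thread, from Debian or from the AppArmor project: it parses AppArmor audit lines into their key=value fields, derives a candidate path rule from the denied mask, and groups the candidates per profile for review. The first sample line is the one quoted above; the other two, and their paths, are constructed to exercise a create denial and a non-denial line.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample input: the denial quoted in the bug report, plus two
# made-up lines (a create denial and an ALLOWED line) with placeholder paths.
SAMPLE_LOG = [
    'type=AVC msg=audit(1598556536.092:901): apparmor="DENIED" operation="open" '
    'profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=12625 comm="doveconf" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1598556600.000:902): apparmor="DENIED" operation="mknod" '
    'profile="dovecot" name="/run/dovecot/example.lock" pid=12626 comm="dovecot" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'type=AVC msg=audit(1598556601.000:903): apparmor="ALLOWED" operation="open" '
    'profile="dovecot" name="/etc/dovecot/dovecot.conf" pid=12627 comm="doveconf" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# key=value tokens: the value is either double-quoted or a bare run of non-space.
_TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which permission letters are emitted, and which log-mask letters
# translate to each. A create ('c') in the log mask needs 'w' in the profile.
_PERM_ORDER = "rwalkm"
_MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "a": "a", "l": "l", "k": "k", "m": "m"}


def parse_avc_line(line: str) -> Dict[str, str]:
    """Split one AppArmor audit line into its key=value fields."""
    fields: Dict[str, str] = {}
    for m in _TOKEN_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def suggest_file_rule(fields: Dict[str, str]) -> Optional[str]:
    """Return the path rule that would permit this denied file access, or
    None when the line is not a DENIED file event or needs a hand-written rule."""
    if fields.get("apparmor") != "DENIED" or not fields.get("name", "").startswith("/"):
        return None
    mask = fields.get("denied_mask") or fields.get("requested_mask") or ""
    if "x" in mask:
        # Exec denials need an explicit transition qualifier (ix, Px, Cx, ...);
        # that is a decision for the profile author, so nothing is guessed here.
        return None
    perms = {_MASK_TO_PERM[c] for c in mask if c in _MASK_TO_PERM}
    if not perms:
        return None
    ordered = "".join(c for c in _PERM_ORDER if c in perms)
    return f'{fields["name"]} {ordered},'


def rules_by_profile(lines: List[str]) -> Dict[str, List[str]]:
    """Collect de-duplicated candidate rules, keyed by the confined profile name."""
    out: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        fields = parse_avc_line(line)
        rule = suggest_file_rule(fields)
        profile = fields.get("profile", "unknown")
        if rule and rule not in out[profile]:
            out[profile].append(rule)
    return dict(out)


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"# candidate rules to review for profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

The output is a list of candidates, not a patch: each suggested path should still be checked against the profile's existing abstractions and against whether a glob (for example over `/run/dovecot/`) is the better fit before it lands in `usr.sbin.dovecot`.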


