[Pkg-giraffe-maintainers] Bug#907400: kopano-server: Kopano server apparmor issues
Teun Kloosterman
teunkloosterman at gmail.com
Mon Aug 27 15:58:28 BST 2018
Package: kopano-server
Version: 8.6.5-1
Severity: important
Dear Maintainer,
When trying out kopano-server, I saw errors in syslog for the files listed below.
Adding the following rules to /etc/apparmor.d/usr.sbin.kopano-server made it work:
/etc/kopano/ldap.cfg r,
/etc/kopano/ldap.openldap.cfg r,
/etc/kopano/ldap.propmap.cfg r,
/etc/ldap/ldap.conf r,
/etc/ssl/openssl.cnf r,
Regards,
Teun
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: arm64 (aarch64)
Kernel: Linux 4.15.11-mainline-rev1 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages kopano-server depends on:
ii dbconfig-common 2.0.9
ii debconf [debconf-2.0] 1.5.69
ii kopano-common 8.6.5-1
ii kopano-libs 8.6.5-1
ii libc6 2.27-5
ii libcom-err2 1.44.4-2
ii libgcc1 1:8.2.0-4
ii libgsoap-2.8.60 2.8.60-2
ii libgssapi-krb5-2 1.16-2
ii libicu60 60.2-6
ii libk5crypto3 1.16-2
ii libkrb5-3 1.16-2
ii libldap-2.4-2 2.4.46+dfsg-5
ii libmariadbclient18 1:10.1.35-1
ii libpam0g 1.1.8-3.8
ii libssl1.1 1.1.1~~pre9-1
ii libstdc++6 8.2.0-4
ii libuuid1 2.32.1-0.1
ii lsb-base 9.20170808
ii mariadb-client-10.1 [virtual-mysql-client] 1:10.1.35-1
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages kopano-server recommends:
ii mariadb-server 1:10.1.35-1
kopano-server suggests no packages.
-- Configuration Files:
/etc/apparmor.d/usr.sbin.kopano-server changed:
# AppArmor profile for the kopano-server binary, as modified by the reporter.
# attach_disconnected: paths that AppArmor sees as disconnected from the
# namespace are attached to / for rule matching.
/usr/sbin/kopano-server flags=(attach_disconnected) {
# Shared rule sets pulled in from the abstractions directory: base runtime,
# name-service lookups, per-user temporary files and MySQL client access.
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/mysql>
# Capabilities: change file ownership, bypass file permission checks, and
# switch uid/gid.
# NOTE(review): setuid/setgid presumably serve the switch to the
# run_as_user/run_as_group accounts set in server.cfg; dac_override and
# dac_read_search are broad, so confirm both are actually required.
capability chown,
capability dac_override,
capability dac_read_search,
capability setgid,
capability setuid,
# TCP sockets; this rule grants no other network type.
network tcp,
# Server configuration files, read-only.
/etc/kopano/debian-db.cfg r,
/etc/kopano/server.cfg r,
# The next five read rules are the ones the reporter added: Kopano's LDAP
# plugin configuration, the system LDAP client configuration and the OpenSSL
# configuration.
# NOTE(review): AppArmor ships abstractions/ldapclient and
# abstractions/openssl; check whether including those would cover the last
# two paths instead of per-file rules.
/etc/kopano/ldap.cfg r,
/etc/kopano/ldap.openldap.cfg r,
/etc/kopano/ldap.propmap.cfg r,
/etc/ldap/ldap.conf r,
/etc/ssl/openssl.cnf r,
# The daemon may read its own binary.
/usr/sbin/kopano-server r,
# Read/write on the per-thread comm entry under /proc (the thread name).
@{PROC}/@{pid}/task/@{tid}/comm rw,
# Runtime sockets and PID file.
/run/kopano/prio.sock rw,
/run/kopano/server.pid rw,
/run/kopano/server.sock rw,
# Kopano shared objects may be memory-mapped as executable code.
/usr/lib/@{multiarch}/kopano/*.so m,
# Attachment store: read on the top-level directory, read/write on
# everything below it.
/var/lib/kopano/attachments/ r,
/var/lib/kopano/attachments/** rw,
# Server log file.
/var/log/kopano/server.log rw,
# Files directly inside /etc/kopano/userscripts/ may be read and executed.
# Execution transitions to the kopano_userscripts child profile defined
# below; the uppercase C requests a scrubbed environment.
/etc/kopano/userscripts/* Cxr -> kopano_userscripts,
# New features in 8.5.2 need this, and read-only on those is safe
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/fs/suid_dumpable r,
# There's little we can do if the server is allowed to run
# arbitrary scripts
# The child profile allows all file access and all networking and lists no
# capability rules, so it places no file or network restriction on the
# scripts.
# NOTE(review): whoever can write to /etc/kopano/userscripts/ decides what
# runs with this access; keep that directory writable by root only.
profile kopano_userscripts flags=(attach_disconnected) {
file,
network,
}
# Site-specific additions and overrides. See local/README for details.
# NOTE(review): local rules such as the five LDAP/OpenSSL reads above can be
# placed in /etc/apparmor.d/local/usr.sbin.kopano-server, which the include
# below pulls in, leaving the packaged profile unmodified.
#include <local/usr.sbin.kopano-server>
}
/etc/kopano/server.cfg changed:
# Listeners: TCP port 236 on every address ("*") and a local Unix socket.
# NOTE(review): 236 is presumably Kopano's plain (non-TLS) port; confirm
# that exposure on all interfaces is intended.
server_listen = *:236
server_pipe_name = /var/run/kopano/server.sock
# NOTE(review): presumably local accounts connecting over the socket are
# accepted, and root and kopano are treated as administrators; verify
# against the Kopano documentation.
allow_local_users = yes
local_admin_users = root kopano
# Account and group the daemon runs as.
run_as_user = kopano
run_as_group = kopano
# Logging goes to the file that the AppArmor profile allows read/write on.
# NOTE(review): level 6 is presumably the most verbose (debug) setting;
# confirm it is wanted outside of troubleshooting.
log_method = file
log_file = /var/log/kopano/server.log
log_level = 6
log_timestamp = yes
# Attachments are stored as files under attachment_path, the same directory
# the AppArmor profile grants read/write on.
attachment_storage = files
attachment_files_fsync = yes
attachment_path = /var/lib/kopano/attachments
attachment_compression = 6
# NOTE(review): user_plugin is "db" while user_plugin_config points at
# ldap.cfg; the report is about reads of the LDAP config files, so confirm
# which plugin was active when the errors appeared.
user_plugin = db
user_plugin_config = /etc/kopano/ldap.cfg
# Hook scripts. All six paths match the /etc/kopano/userscripts/* rule of
# the AppArmor profile and so run under its kopano_userscripts child profile.
createuser_script = /etc/kopano/userscripts/createuser
deleteuser_script = /etc/kopano/userscripts/deleteuser
creategroup_script = /etc/kopano/userscripts/creategroup
deletegroup_script = /etc/kopano/userscripts/deletegroup
createcompany_script = /etc/kopano/userscripts/createcompany
deletecompany_script = /etc/kopano/userscripts/deletecompany
user_safe_mode = yes
# NOTE(review): presumably multi-tenant mode, with %c standing for the
# company and %u for the user in the two formats below; confirm.
enable_hosted_kopano = true
storename_format = %c/%u
loginname_format = %u@%c
# Pulls in debian-db.cfg; the AppArmor profile allows reading it as
# /etc/kopano/debian-db.cfg.
!include debian-db.cfg
-- debconf information:
kopano-server/app-password-confirm: (password omitted)
kopano-server/mysql/admin-pass: (password omitted)
kopano-server/password-confirm: (password omitted)
kopano-server/mysql/app-pass: (password omitted)
kopano-server/remove-error: abort
kopano-server/upgrade-error: abort
kopano-server/internal/skip-preseed: false
kopano-server/missing-db-package-error: abort
kopano-server/purge: false
kopano-server/upgrade-backup: true
kopano-server/dbconfig-remove: true
kopano-server/mysql/method: Unix socket
kopano-server/remote/newhost:
kopano-server/db/dbname: kopanoserver
kopano-server/passwords-do-not-match:
kopano-server/remote/host: localhost
kopano-server/database-type: mysql
kopano-server/install-error: abort
* kopano-server/mysql/admin-user: root
kopano-server/remote/port:
* kopano-server/dbconfig-install: true
kopano-server/dbconfig-upgrade: true
kopano-server/db/app-user: kopano-server at localhost
kopano-server/dbconfig-reinstall: false
kopano-server/internal/reconfiguring: false