dovecot/apparmor: profile not found

Bug #1296667 reported by Leon on 2014-03-24
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
AppArmor
Undecided
Unassigned
apparmor (Ubuntu)
Undecided
Unassigned
Trusty
High
Unassigned

Bug Description

[impact]

This bug prevents dovecot users from using the apparmor policies shipped
in the apparmor-profiles package without significant modifications.

[steps to reproduce]

1) install and setup dovecot and confirm that it's functioning as
   expected
2) install the apparmor-profiles package
3) restart dovecot to ensure apparmor policies are being applied
4) if this bug has been addressed, dovecot should start successfully
   without generating apparmor rejections

[regression potential]

The change in the patch for this bug updates the dovecot policy to
match the most recent apparmor release (2.9.2). These add missing
policies, restructure a few things to common abstractions, and grant
additional permissions. Any regressions related to this patch would
be strictly limited to the policy for dovecot.

[original description]

I'm on Ubuntu 14.04 LTS. Since last week I get these messages:

[11468.257576] type=1400 audit(1395659127.103:38560): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap-login" name="/run/dovecot/config" pid=30971 comm="imap-login" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
[11491.128691] type=1400 audit(1395659149.988:38616): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/auth" pid=30978 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[11551.171186] type=1400 audit(1395659210.056:38853): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/dovecot" pid=31620 comm="dovecot" capability=36 capname="block_suspend"
[11551.171338] type=1400 audit(1395659210.056:38854): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/auth" pid=31630 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

When I then start dovecot I get these in mail.log:

Mar 24 08:42:52 polly dovecot: master: Dovecot v2.2.9 starting up (core dumps disabled)
Mar 24 08:42:52 polly dovecot: master: Fatal: execv(/usr/lib/dovecot/log) failed: No such file or directory
Mar 24 08:42:52 polly dovecot: master: Error: service(anvil): command startup failed, throttling for 2 secs
Mar 24 08:42:52 polly dovecot: master: Error: service(log): child 1387 returned error 84 (exec() failed)
Mar 24 08:42:52 polly dovecot: master: Error: service(log): command startup failed, throttling for 2 secs
Mar 24 08:42:52 polly dovecot: master: Error: service(ssl-params): command startup failed, throttling for 2 secs
Mar 24 08:55:42 polly dovecot: master: Error: service(config): command startup failed, throttling for 2 secs
Mar 24 08:55:42 polly dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs

I tried to purge and reinstall apparmor(-profiles) but that didn't fix this issue. I did a aa-disable dovecot and now the errors are gone.

Tom Boucher (trekkie-b) wrote :

I am experiencing this as well on my 14.04 LTS installation.

Jun 8 22:10:30 ip-10-147-235-73 kernel: [7770896.524945] type=1400 audit(1402265430.441:10760): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap-login" name="/run/dovecot/anvil" pid=16455 comm="imap-login" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Jun 8 22:10:30 ip-10-147-235-73 kernel: [7770896.635272] type=1400 audit(1402265430.549:10761): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap" name="/run/dovecot/config" pid=16456 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Jun 8 22:10:30 ip-10-147-235-73 kernel: [7770896.635983] type=1400 audit(1402265430.549:10762): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap" name="/run/dovecot/auth-master" pid=16456 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

I have my imap services in 'complain' mode though, so they are not being halted. services continue to run.

tags: added: aa-policy
affects: apparmor-profiles → apparmor
Christian Boltz (cboltz) wrote :

Some of those issues were already fixed in the upstream profiles. For the remaining issues, I just sent patches to the mailinglist for review.

Steve Beattie (sbeattie) wrote :

This will be fixed in wily with apparmor 2.9.2-0ubuntu1. Attached is patch to update the dovecot profiles for a trusty SRU.

description: updated

The attachment "profiles-dovecot-updates-lp1296667.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.9.2-0ubuntu1

---------------
apparmor (2.9.2-0ubuntu1) wily; urgency=medium

  * Update to apparmor 2.9.2
    - Fix minitools to work with multiple profiles at once (LP: #1378095)
    - Parse mounts that have non-ascii UTF-8 chars (LP: #1310598)
    - Update dovecot profiles (LP: #1296667)
    - Allow ubuntu-helpers to build texlive fonts (LP: #1010909)
  * dropped patches incorporated upstream:
    add-mir-abstraction-lp1422521.patch, systemd-dev-log-lp1413232.patch
    parser-fix_modifier_compilation_+_tests.patch,
    tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch,
    GDM_X_authority-lp1432126.patch, and
    debian/patches/easyprof-framework-policy.patch
  * Partial merge with debian apparmor package:
    - debian/rules: enable the bindnow hardening flag during build.
    - debian/upstream/signing-key.asc: add new upstream public
      signing key
    - debian/watch: fix watch file, add gpg signature checking
    - install libapparmor.so dev symlink under /usr not /lib
    - debian/patches/reproducible-pdf.patch: make techdoc.pdf
      reproducible even in face of timezone variations.
    - debian/control: sync fields
    - debian/debhelper/postrm-apparmor: remove
      /etc/apparmor.d/{disable,} on package purge
    - debian/libapache2-mod-apparmor.postrm: on package purge, delete
      /etc/apparmor.d/{,disable} if empty
    - debian/libapparmor1.symbols: Use Build-Depends-Package in the
      symbols file.
    - debian/copyright: sync

 -- Steve Beattie <email address hidden> Mon, 11 May 2015 22:03:04 -0700

Changed in apparmor (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie) wrote :

Unfortunately, while preparing the fix for this, I did not take into account that the debian/apparmor-profiles.install file needed to be updated to take the additional missing profiles into account. Marking verification-failed.

However, failing to install the additional dovecot profiles does not cause any regressions, it just causes this bug to not be fixed by the version of apparmor in trusty-proposed. Given that apparmor 2.8.95~2430-0ubuntu5.2 in trusty-proposed succeeds in addressing several other issues (see bug 1449769 for a partial list), I'd like to see that version pushed to trusty-updates and then have an additional apparmor update go into trusty-proposed that correctly fixes this bug; I'm attaching the debdiff that would do that.

tags: added: verification-failed
Tyler Hicks (tyhicks) wrote :

I agree with Steve that this SRU should proceed despite the verification for this bug failing. As Steve mentioned, there are no new regressions caused by this failed verification. The bug is simply not fixed yet.

This SRU addresses a large number of other issues that are greatly impacting 14.04 users and it would be unfortunate if they had to wait longer for the fixes provided by this SRU.

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Steve Beattie (sbeattie) on 2015-06-15
Changed in apparmor (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → High
Chris J Arges (arges) wrote :

Please verify apparmor_2.8.95~2430-0ubuntu5.3 in trusty. Thanks

tags: added: verification-needed
removed: verification-failed
Steve Beattie (sbeattie) wrote :

The dovecot profiles were addressed in apparmor 2.9.2 or earlier, closing that portion of this bug.

Changed in apparmor:
status: New → Fix Released
Mathew Hodson (mathew-hodson) wrote :

I ran dovecot-core 1:2.2.9-1ubuntu2.1 with apparmor-profiles 2.8.95~2430-0ubuntu5.3 and didn't get any errors in mail.log or complaints from apparmor.

$ sudo aa-status
apparmor module is loaded.
49 profiles are loaded.
16 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/sbin/rsyslogd
   /usr/sbin/tcpdump
33 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
9 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (30347)
   /usr/sbin/rsyslogd (421)
7 processes are in complain mode.
   /usr/lib/dovecot/anvil (23852)
   /usr/lib/dovecot/config (23855)
   /usr/lib/dovecot/log (23853)
   /usr/sbin/avahi-daemon (594)
   /usr/sbin/avahi-daemon (595)
   /usr/sbin/dnsmasq (1583)
   /usr/sbin/dovecot (23851)
0 processes are unconfined but have a profile defined.

Changed in apparmor (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.3

---------------
apparmor (2.8.95~2430-0ubuntu5.3) trusty-proposed; urgency=medium

  * debian/apparmor-profiles.install: add missing dovecot profiles
    (LP: #1296667)

 -- Steve Beattie <email address hidden> Fri, 12 Jun 2015 23:21:58 -0700

Changed in apparmor (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers