Dovecot's apparmor profile breaks dovecot-antispam

Bug #482080 reported by Brice Arnould
This bug affects 2 people
Affects                     Status     Importance  Assigned to  Milestone
AppArmor                    New        Undecided   Unassigned
apparmor (Ubuntu)           New        Undecided   Unassigned
dovecot-antispam (Ubuntu)   Confirmed  Undecided   Unassigned

Bug Description

Binary package hint: dovecot-antispam

On my Ubuntu 9.10, with the following versions of the packages installed:
dovecot-antispam: 1.1+20090218.git.g28075fa-2
apparmor-profiles: 2.3.1+1403-0ubuntu27.1

The antispam plugin tries to use folders in /tmp/ (like "/tmp/antispam-mail-QXCQTR/") as a temporary storage zone, but it is prevented from doing so by apparmor:
| dmesg |tail
| [553173.563468] type=1502 audit(1258103977.311:86928): operation="mkdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
| [553173.563884] type=1502 audit(1258103977.311:86929): operation="rmdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
| [...]

Tags: aa-policy
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dovecot-antispam (Ubuntu):
status: New → Confirmed
Simon Déziel (sdeziel) wrote :

This is also affecting Lucid.

Simon Déziel (sdeziel) wrote :

As a temporary workaround, I've added this to /etc/apparmor.d/usr.lib.dovecot.imap

  # dovecot-antispam plugin
  owner /tmp/** rwkl,
  owner /tmp/antispam-mail-*/* klrw,

  # dovecot-antispam pipes to sendmail
  /usr/sbin/sendmail PUx,

Simon Déziel (sdeziel) wrote :

In fact the following is enough:

  # dovecot-antispam plugin
  owner /tmp/** rwkl,

  # dovecot-antispam pipes to sendmail
  /usr/sbin/sendmail PUx,

Christian Ehrhardt (paelzer) wrote :

Long dormant, I just came by accidentally and realized it was missed on the last merge since it is a change in dovecot that is needed.
Adding the right bug task to hopefully be picked up next time.

Christian Ehrhardt (paelzer) wrote :

While working on the minor merge for Dovecot I realized that this profile is in fact part of apparmor profiles :-/
So I flagged wrong last November - adding apparmor now.

no longer affects: dovecot (Ubuntu)
Christian Ehrhardt (paelzer) wrote :

Would be profiles/apparmor.d/usr.lib.dovecot.imap in the apparmor package.
But after all the time we might need a check if things still apply.

Also, in a different setup the same entries might be needed in usr.lib.dovecot.pop3 or such.
And in that case maybe rather abstractions/dovecot-common?

And finally I don't know if
  owner /tmp/** rwkl,
is too open?
Looking at the logs maybe rather:
  owner /tmp/antispam-mail** rwkl,

Christian Boltz (cboltz) wrote :

I'd even recommend restricting it a bit more:

  owner /tmp/antispam-mail*/ rw,
  owner /tmp/antispam-mail*/* rwkl,

sendmail might be a candidate for a child profile. Such a (maybe too generous) profile already exists in the dovecot-lda profile, so cleaning it up and removing permissions that are not needed for "just" sending a mail might be a good idea.

I won't object if you provide a generic sendmail profile that we can Px into (feel free to use the child profile in dovecot-lda as a base), but that needs much more testing before shipping and enforcing it in the default setup.

tags: added: aa-policy
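To see how the three rule variants discussed above differ in what they would have allowed, here is an added Python script (not from the bug report, the dovecot-antispam project or AppArmor) that parses type=1502 denial lines like the ones quoted in the description and checks each denied path against each candidate rule. The glob model (`*`, `**`, `?`, and the rule that a `*` or `**` bounded by slashes must match at least one character) is my simplified assumption about how apparmor_parser compiles path globs; `{}` alternation, `[]` classes and the real kernel matcher are not modelled, and only the first denial line is taken from the report, the other two are constructed.

```python
import re

# Denial lines in the type=1502 audit format from dmesg; the first is the report's own mkdir
# denial, the other two are constructed for this example (same uid, one path outside antispam).
DENIALS = [
    'type=1502 audit(1258103977.311:86928): operation="mkdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"',
    'type=1502 audit(1258103977.400:86930): operation="open" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/msg.eml"',
    'type=1502 audit(1258103977.500:86931): operation="open" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/tmp/other-app/secret"',
]

# The rule variants proposed in the comments: (uses the 'owner' keyword?, path glob, permissions).
RULESETS = {
    "tmp_wide": [(True, "/tmp/**", "rwkl")],
    "prefix": [(True, "/tmp/antispam-mail**", "rwkl")],
    "dir_and_files": [(True, "/tmp/antispam-mail*/", "rw"), (True, "/tmp/antispam-mail*/*", "rwkl")],
}

def glob_to_regex(pattern):
    """Simplified model (assumption) of AppArmor path globs: '*' matches non-'/' characters, '**' may
    span '/', '?' is one non-'/' char; a '*'/'**' between '/' and '/'-or-end needs >= 1 character."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            double = i + 1 < n and pattern[i + 1] == "*"
            j = i + (2 if double else 1)
            bounded = (i == 0 or pattern[i - 1] == "/") and (j >= n or pattern[j] == "/")
            out.append(("[^/].*" if bounded else ".*") if double else ("[^/]+" if bounded else "[^/]*"))
            i = j
        else:
            out.append("[^/]" if c == "?" else re.escape(c))
            i += 1
    return re.compile("".join(out))

def parse_denial(line):
    """Extract the path, the denied file permissions and whether the accessing uid owns the object."""
    f = dict(re.findall(r'(\w+)="?([^" ]*)"?', line))
    return {"name": f["name"], "mask": f["denied_mask"].split(":")[0], "owner": f["fsuid"] == f["ouid"]}

def allowing_rule(rules, denial):
    """Return the glob of the first rule that would have permitted the denied access, else None."""
    for owner_only, glob, perms in rules:
        if owner_only and not denial["owner"]:
            continue  # 'owner' rules only apply when fsuid == ouid
        if set(denial["mask"]) <= set(perms) and glob_to_regex(glob).fullmatch(denial["name"]):
            return glob
    return None

if __name__ == "__main__":
    for name, rules in RULESETS.items():
        print(name, [allowing_rule(rules, parse_denial(line)) for line in DENIALS])
```

Only the `dir_and_files` variant covers both the mkdir of the temporary directory and the files inside it while leaving the unrelated /tmp path denied; `/tmp/**` allows that path too, and `/tmp/antispam-mail-*/*` on its own would not have covered the mkdir denial because it requires a name after the last slash.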