AppArmor

Base abstraction for writing to the systemd journal doesn't work

Bug #1605855 reported by Mark Wadham on 2016-07-23

This bug report is a duplicate of: Bug #1652131: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	Incomplete	Undecided	Unassigned

Bug Description

The base abstractions file contains:

/{,var/}run/systemd/journal/dev-log w,

and the usr.lib.dovecot.log profile includes this:

#include <tunables/global>

/usr/lib/dovecot/log flags=(complain) {
#include <abstractions/base>
#include <abstractions/dovecot-common>

/usr/lib/dovecot/log mr,

# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.log>
}

but it doesn't seem to work, despite reloading the profile I get:

Jul 23 11:23:40 a kernel: [69753.983562] audit: type=1400 audit(1469269420.312:14712): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=6223 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

Tags:

Revision history for this message

Christian Boltz (cboltz) wrote on 2016-10-13:

Sounds like you'll need to add
flags=(attach_disconnected)
to your dovecot/log profile.

Interestingly, I've never seen this (I'm using dovecot on several openSUSE servers), so I wonder if it is specific to your system or if we need to adjust the official profile.

tags:

added: aa-policy

Revision history for this message

intrigeri (intrigeri) wrote on 2017-06-30:

Mark, ping?

Christian: perhaps your servers don't start dovecot with the same namespacing (done e.g. by systemd) as Mark's :)

Changed in apparmor:
status:	New → Incomplete

Revision history for this message

Christian Boltz (cboltz) wrote on 2017-06-30:

There was another report about this, see bug 1652131. I already added the attach_disconnected flag while fixing that one ;-)

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1652131 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.