Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot

Bug #1652131 reported by Nathaniel Homier
This bug affects 2 people

Affects            Status        Importance  Assigned to      Milestone
AppArmor           Fix Released  Undecided   Christian Boltz
AppArmor 2.10      Fix Released  Undecided   Christian Boltz
AppArmor 2.9       Fix Released  Undecided   Christian Boltz
apparmor (Ubuntu)  Confirmed     Undecided   Unassigned

Bug Description

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.10
Release: 16.10
Codename: yakkety

Installing Postfix and Dovecot and setting them up as explained at https://help.ubuntu.com/lts/serverguide/postfix.html

Then setting all apparmor profiles including Postfix and Dovecot to enforce mode.

Postfix fails to send a TLS-protected email because Dovecot can't connect to /var/spool/postfix/auth/private: when Dovecot's apparmor profile is set to enforce mode, apparmor denies Dovecot access to /var/spool/postfix/auth/private.

Syslog
apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130

apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130

Dec 22 10:38:20 frontier postfix/master[1516]: warning: process /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1

Revision history for this message
Nathaniel Homier (mechamechanism) wrote :
description: updated
summary: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks
- access to /var/spool/private/auth so Postfix and Dovecot can't send TLS
- protected emails
+ access to /var/spool/private/auth for Dovecot
Revision history for this message
Nathaniel Homier (mechamechanism) wrote :

Launchpad acting weird. Won't select the right package, which is apparmor.

affects: dpkg (Ubuntu) → apparmor (Ubuntu)
Revision history for this message
Christian Boltz (cboltz) wrote :

profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" denied_mask="w"

That's already covered by the latest upstream profile.

profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" denied_mask="wr"
profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" denied_mask="w"

That translates to:
  /{var/,}run/dovecot/anvil-auth-penalty rw,
  /var/spool/postfix/private/auth w,

info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log"

You'll need to add flags=(attach_disconnected) to the dovecot/log profile.

Patch sent to upstream mailing list for review.

Changed in apparmor:
assignee: nobody → Christian Boltz (cboltz)
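The comment above does by hand what a maintainer does with every AppArmor denial: read the `profile=`, `name=` and `denied_mask=` fields, turn them into a path rule, fold `/run/` into the `/{var/,}run/` alternation, and recognise that a "disconnected path" denial is not fixable with a path rule at all but needs `flags=(attach_disconnected)` on the profile. The script below is an added, editorial example of that translation; it is not code from the bug report, from AppArmor, or from `aa-logprof`. The only inputs are the denial lines quoted in this report, embedded as constructed sample data; the canonical ordering of permission letters (so that `wr` and `rw` merge into one rule) is my own convention, not an AppArmor rule.

```python
import re
from collections import OrderedDict

# Constructed sample input: the DENIED records quoted in this bug report.
SAMPLE_LOG = """\
apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130
apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130
"""

# Matches key="quoted value" or key=bareword.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Canonical order for permission letters (my convention), so "wr" and "rw" merge into one rule.
MASK_ORDER = "rwalkmx"


def parse_denial(line):
    """Split one audit line into a dict; return None unless it is an apparmor="DENIED" record."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields if fields.get("apparmor") == "DENIED" else None


def merge_mask(existing, new):
    """Union two permission masks and emit the letters in canonical order."""
    letters = set(existing) | set(new)
    known = "".join(c for c in MASK_ORDER if c in letters)
    return known + "".join(sorted(letters - set(MASK_ORDER)))


def normalize_path(name):
    """Write /run/... as /{var/,}run/..., the alternation upstream profiles use for both spellings."""
    if name.startswith("/run/"):
        return "/{var/,}run/" + name[len("/run/"):]
    return name


def suggest_rules(log_text):
    """Group denials per profile.

    Returns {profile: {"flags": set of needed profile flags,
                       "rules": OrderedDict(path -> merged mask)}}.
    A "disconnected path" denial (the dovecot/log case above) cannot be
    solved with a path rule, so it is recorded as a needed flag instead.
    """
    result = {}
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None or "profile" not in d or "name" not in d:
            continue
        entry = result.setdefault(d["profile"], {"flags": set(), "rules": OrderedDict()})
        if "disconnected path" in d.get("info", ""):
            entry["flags"].add("attach_disconnected")
            continue
        path = normalize_path(d["name"])
        mask = d.get("denied_mask") or d.get("requested_mask", "")
        entry["rules"][path] = merge_mask(entry["rules"].get(path, ""), mask)
    return result


def render(suggestions):
    """Render the suggestions as profile fragments for a maintainer to review."""
    out = []
    for profile, entry in sorted(suggestions.items()):
        out.append("# %s" % profile)
        for flag in sorted(entry["flags"]):
            out.append("#   add flags=(%s) to the profile header" % flag)
        for path, mask in entry["rules"].items():
            out.append("  %s %s," % (path, mask))
    return "\n".join(out)


if __name__ == "__main__":
    print(render(suggest_rules(SAMPLE_LOG)))
```

Run against the sample, the auth profile collapses to the three path rules named in the comment (the two duplicate `private/auth` denials merge into one `w` rule), while the log profile yields no path rule at all, only the `attach_disconnected` flag. The output is a starting point for review, not something to paste blindly: a denial tells you what the confined program tried, not whether the profile should allow it.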
Revision history for this message
Christian Boltz (cboltz) wrote :

Fixed in upstream AppArmor bzr - trunk r3607, 2.10 branch r3376 and 2.9 branch r3042.

Changed in apparmor:
status: New → Fix Committed
milestone: none → 2.11
Christian Boltz (cboltz)
Changed in apparmor:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed