dovecot/apparmor: profile not found

I am experiencing this as well on my 14.04 LTS installation.

Jun 8 22:10:30 ip-10-147-235-73 kernel: [7770896.524945] type=1400 audit(1402265430.441:10760): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap-login" name="/run/dovecot/anvil" pid=16455 comm="imap-login" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Jun 8 22:10:30 ip-10-147-235-73 kernel: [7770896.635272] type=1400 audit(1402265430.549:10761): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap" name="/run/dovecot/config" pid=16456 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Jun 8 22:10:30 ip-10-147-235-73 kernel: [7770896.635983] type=1400 audit(1402265430.549:10762): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap" name="/run/dovecot/auth-master" pid=16456 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

I have my imap services in 'complain' mode though, so they are not being halted. services continue to run.

Some of those issues were already fixed in the upstream profiles. For the remaining issues, I just sent patches to the mailinglist for review.

This will be fixed in wily with apparmor 2.9.2-0ubuntu1. Attached is patch to update the dovecot profiles for a trusty SRU.

The attachment "profiles-dovecot-updates-lp1296667.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

This bug was fixed in the package apparmor - 2.9.2-0ubuntu1

---------------
apparmor (2.9.2-0ubuntu1) wily; urgency=medium

  * Update to apparmor 2.9.2
    - Fix minitools to work with multiple profiles at once (LP: #1378095)
    - Parse mounts that have non-ascii UTF-8 chars (LP: #1310598)
    - Update dovecot profiles (LP: #1296667)
    - Allow ubuntu-helpers to build texlive fonts (LP: #1010909)
  * dropped patches incorporated upstream:
    add-mir-abstraction-lp1422521.patch, systemd-dev-log-lp1413232.patch
    parser-fix_modifier_compilation_+_tests.patch,
    tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch,
    GDM_X_authority-lp1432126.patch, and
    debian/patches/easyprof-framework-policy.patch
  * Partial merge with debian apparmor package:
    - debian/rules: enable the bindnow hardening flag during build.
    - debian/upstream/signing-key.asc: add new upstream public
      signing key
    - debian/watch: fix watch file, add gpg signature checking
    - install libapparmor.so dev symlink under /usr not /lib
    - debian/patches/reproducible-pdf.patch: make techdoc.pdf
      reproducible even in face of timezone variations.
    - debian/control: sync fields
    - debian/debhelper/postrm-apparmor: remove
      /etc/apparmor.d/{disable,} on package purge
    - debian/libapache2-mod-apparmor.postrm: on package purge, delete
      /etc/apparmor.d/{,disable} if empty
    - debian/libapparmor1.symbols: Use Build-Depends-Package in the
      symbols file.
    - debian/copyright: sync

 -- Steve Beattie <email address hidden> Mon, 11 May 2015 22:03:04 -0700

Unfortunately, while preparing the fix for this, I did not take into account that the debian/apparmor-profiles.install file needed to be updated to take the additional missing profiles into account. Marking verification-failed.

However, failing to install the additional dovecot profiles does not cause any regressions, it just causes this bug to not be fixed by the version of apparmor in trusty-proposed. Given that apparmor 2.8.95~2430-0ubuntu5.2 in trusty-proposed succeeds in addressing several other issues (see bug 1449769 for a partial list), I'd like to see that version pushed to trusty-updates and then have an additional apparmor update go into trusty-proposed that correctly fixes this bug; I'm attaching the debdiff that would do that.

I agree with Steve that this SRU should proceed despite the verification for this bug failing. As Steve mentioned, there are no new regressions caused by this failed verification. The bug is simply not fixed yet.

This SRU addresses a large number of other issues that are greatly impacting 14.04 users and it would be unfortunate if they had to wait longer for the fixes provided by this SRU.

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Please verify apparmor_2.8.95~2430-0ubuntu5.3 in trusty. Thanks

The dovecot profiles were addressed in apparmor 2.9.2 or earlier, closing that portion of this bug.

I ran dovecot-core 1:2.2.9-1ubuntu2.1 with apparmor-profiles 2.8.95~2430-0ubuntu5.3 and didn't get any errors in mail.log or complaints from apparmor.

$ sudo aa-status
apparmor module is loaded.
49 profiles are loaded.
16 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/sbin/rsyslogd
   /usr/sbin/tcpdump
33 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
9 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (30347)
   /usr/sbin/rsyslogd (421)
7 processes are in complain mode.
   /usr/lib/dovecot/anvil (23852)
   /usr/lib/dovecot/config (23855)
   /usr/lib/dovecot/log (23853)
   /usr/sbin/avahi-daemon (594)
   /usr/sbin/avahi-daemon (595)
   /usr/sbin/dnsmasq (1583)
   /usr/sbin/dovecot (23851)
0 processes are unconfined but have a profile defined.

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.3

---------------
apparmor (2.8.95~2430-0ubuntu5.3) trusty-proposed; urgency=medium

  * debian/apparmor-profiles.install: add missing dovecot profiles
    (LP: #1296667)

 -- Steve Beattie <email address hidden> Fri, 12 Jun 2015 23:21:58 -0700