/usr/lib/dovecot/dovecot-lda: "Failed name lookup - disconnected path"

Bug #1650827 reported by Hadmut Danisch on 2016-12-18
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
AppArmor | | Undecided | Unassigned |
2.10 | | Undecided | Unassigned |
2.9 | | Undecided | Unassigned |
apparmor (Ubuntu) | | High | Unassigned |

Bug Description

Hi,

I'm currently trying to use dovecot in a test scenario, but run into the problem of a strange malfunction of apparmor.

What I do:

installed packages dovecot-core and dovecot-lmtp
(and of course apparmor)

Then I do (as root)

/usr/lib/dovecot/dovecot-lda -d hadmut <<ENDE
Subject: test

blabla
ENDE

which fails. strace shows:

14353 connect(6, {sa_family=AF_LOCAL, sun_path="/var/run/dovecot/config"}, 110) = -1 EACCES (Permission denied)

...

14353 connect(7, {sa_family=AF_LOCAL, sun_path="/var/run/dovecot/auth-userdb"}, 110) = -1 EACCES (Permission denied)

although file permissions are good, unix sockets exist and daemons are listening.

/var/log/kern.log says

Dec 18 01:09:45 monstrum kernel: [34849.052767] audit: type=1400 audit(1482019785.088:143): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/config" pid=15664 comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 18 01:09:45 monstrum kernel: [34849.055652] audit: type=1400 audit(1482019785.092:144): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/dovecot-lda" name="/usr/share/dovecot/protocols.d/" pid=15664 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 18 01:09:45 monstrum kernel: [34849.065203] audit: type=1400 audit(1482019785.100:145): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/auth-userdb" pid=15664 comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=134

which strangely says ALLOWED, but error=-13 as well,

and that even if dovecot-lda is in complain mode.

But when I put it into disable mode with

aa-disable /usr/lib/dovecot/dovecot-lda

then things work.

So

- it is definitely apparmor related, since aa-disable turns the problem off,
- it looks like a bug since aa-complain should never block anything,
- an ALLOWED-log should not block
- there's an error=-13

regards

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor-profiles 2.10.95-0ubuntu2.5
ProcVersionSignature: Ubuntu 4.4.0-53.74-generic 4.4.30
Uname: Linux 4.4.0-53-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.2
Architecture: amd64
CurrentDesktop: LXDE
Date: Sun Dec 18 01:06:15 2016
PackageArchitecture: all
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.4.0-53-generic root=UUID=3e286927-f1b6-4954-8b0d-7cf23484309f ro rootflags=subvol=@ splash quiet vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to xenial on 2016-04-06 (255 days ago)

Hadmut Danisch (hadmut) wrote :

Same problem here

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Ueli (vogtuh) wrote :

I had the problem with the part:
apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/auth-userdb" pid=15664 comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=134

After modifying resp. updating the file /etc/apparmor.d/tunables/dovecot with the place where I'm storing the mails it was working

Christian Boltz (cboltz) wrote :

Thanks for the report!

I committed the updated profile to bzr trunk r3651, 2.10 branch r3391 and 2.9 branch r3056.

If you want to update your profile locally, the needed changes are:

-/usr/lib/dovecot/dovecot-lda {
+/usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
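
Review bot: The flags=(attach_disconnected) addition on the profile header applies to every rule in the profile, not only to the two sockets from the report, and nothing in the change records why it is needed. Suggest a comment above the header noting that the dovecot sockets show up with disconnected names such as "run/dovecot/config", so the reason for the flag stays next to it.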

+ /run/dovecot/auth-userdb rw,
+ /usr/share/dovecot/protocols.d/ r,
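
Review bot: The added rules cover /run/dovecot/auth-userdb but not /run/dovecot/config, which the reported kern.log shows with the same disconnected-path failure (operation="connect", requested_mask="wr"). If the profile has no existing rule for that socket, add "/run/dovecot/config rw," next to the auth-userdb line; otherwise say in the commit message that it is already covered.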

Changed in apparmor:
status: New → Fix Committed
milestone: none → 2.11.1
Changed in apparmor (Ubuntu):
importance: Undecided → High
Martin Pitt (pitti) on 2017-05-02
summary: - "Failed name lookup - disconnected path"
+ /usr/lib/dovecot/dovecot-lda: "Failed name lookup - disconnected path"
Changed in apparmor:
status: Fix Committed → Fix Released
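
The symptom from the report's kern.log excerpt, as an added example that is not part of the original bug thread or of AppArmor's own tooling: a Python script that parses AppArmor audit lines and lists the profiles whose disconnected-path events were logged as ALLOWED yet carry a negative error code. The function names are hypothetical; the sample input is the three log lines quoted in the report.

```python
import re
from collections import defaultdict

DISCONNECTED = "Failed name lookup - disconnected path"
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"

# Sample input: the three kern.log lines quoted in the bug description.
SAMPLE = """\
Dec 18 01:09:45 monstrum kernel: [34849.052767] audit: type=1400 audit(1482019785.088:143): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/config" pid=15664 comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 18 01:09:45 monstrum kernel: [34849.055652] audit: type=1400 audit(1482019785.092:144): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/dovecot-lda" name="/usr/share/dovecot/protocols.d/" pid=15664 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 18 01:09:45 monstrum kernel: [34849.065203] audit: type=1400 audit(1482019785.100:145): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/auth-userdb" pid=15664 comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=134
"""

def parse_fields(line):
    """Return the key=value pairs of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in FIELD.findall(line)}

def disconnected_events(log_text):
    """Map profile -> sorted (name, operation, mode, failed) disconnected-path events."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f and f.get("info") == DISCONNECTED:
            failed = f.get("error", "0").startswith("-")  # e.g. error=-13 (EACCES)
            events[f["profile"]].add((f["name"], f["operation"], f["apparmor"], failed))
    return {profile: sorted(evs) for profile, evs in events.items()}

def blocked_in_complain_mode(events):
    """Profiles where an event logged as ALLOWED still carried a negative error."""
    return sorted(profile for profile, evs in events.items()
                  if any(mode == "ALLOWED" and failed for _, _, mode, failed in evs))

if __name__ == "__main__":
    found = disconnected_events(SAMPLE)
    for profile, evs in found.items():
        print(profile)
        for name, op, mode, failed in evs:
            print(f"  {op} {name!r} logged {mode}, failed={failed}")
    print("failing despite ALLOWED:", blocked_in_complain_mode(found))
```

Profiles it reports are the ones to check for the flags=(attach_disconnected) change described in the thread.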