/usr/lib/dovecot/dovecot-lda: "Failed name lookup - disconnected path"

Bug #1650827 reported by Hadmut Danisch
This bug affects 2 people
Affects            Status         Importance  Assigned to  Milestone
AppArmor           Fix Released   Undecided   Unassigned
2.10               Fix Released   Undecided   Unassigned
2.9                Fix Released   Undecided   Unassigned
apparmor (Ubuntu)  Confirmed      High        Unassigned

Bug Description

Hi,

I'm currently trying to use dovecot in a test scenario, but run into the problem of a strange malfunction of apparmor.

What I do:

installed packages dovecot-core and dovecot-lmtp
(and of course apparmor)

Then I do (as root)

/usr/lib/dovecot/dovecot-lda -d hadmut <<ENDE
Subject: test

blabla
ENDE

which fails. strace shows:

14353 connect(6, {sa_family=AF_LOCAL, sun_path="/var/run/dovecot/config"}, 110) = -1 EACCES (Permission denied)

...

14353 connect(7, {sa_family=AF_LOCAL, sun_path="/var/run/dovecot/auth-userdb"}, 110) = -1 EACCES (Permission denied)

although file permissions are good, unix sockets exist and daemons are listening.

/var/log/kern.log says

Dec 18 01:09:45 monstrum kernel: [34849.052767] audit: type=1400 audit(1482019785.088:143): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/config" pid=15664 comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 18 01:09:45 monstrum kernel: [34849.055652] audit: type=1400 audit(1482019785.092:144): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/dovecot-lda" name="/usr/share/dovecot/protocols.d/" pid=15664 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 18 01:09:45 monstrum kernel: [34849.065203] audit: type=1400 audit(1482019785.100:145): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/auth-userdb" pid=15664 comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=134

which strangely says ALLOWED, but error=-13 as well,

and that even if dovecot-lda is in complain mode.

But when I put it into disable mode with

aa-disable /usr/lib/dovecot/dovecot-lda

then things work.

So

- it is definitely apparmor related, since aa-disable turns the problem off,
- it looks like a bug since aa-complain should never block anything,
- an ALLOWED-log should not block
- there's an error=-13

regards

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor-profiles 2.10.95-0ubuntu2.5
ProcVersionSignature: Ubuntu 4.4.0-53.74-generic 4.4.30
Uname: Linux 4.4.0-53-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.2
Architecture: amd64
CurrentDesktop: LXDE
Date: Sun Dec 18 01:06:15 2016
PackageArchitecture: all
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.4.0-53-generic root=UUID=3e286927-f1b6-4954-8b0d-7cf23484309f ro rootflags=subvol=@ splash quiet vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to xenial on 2016-04-06 (255 days ago)
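
Added example (not part of the original report and not AppArmor's own code): a small Python parser that picks out, from kern.log lines like those above, the records where a name lookup failed on a disconnected path and returned an error even though the verdict is ALLOWED. The function names are made up for this example; the sample lines are the three lines quoted in the report.

```python
import errno
import re

# key=value pairs of an AppArmor audit record; values are quoted or bare.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Sample input: the three kern.log lines quoted in the report above.
SAMPLE = [
    'Dec 18 01:09:45 monstrum kernel: [34849.052767] audit: type=1400 audit(1482019785.088:143): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/config" pid=15664 comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    'Dec 18 01:09:45 monstrum kernel: [34849.055652] audit: type=1400 audit(1482019785.092:144): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/dovecot-lda" name="/usr/share/dovecot/protocols.d/" pid=15664 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Dec 18 01:09:45 monstrum kernel: [34849.065203] audit: type=1400 audit(1482019785.100:145): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/auth-userdb" pid=15664 comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=134',
]

def parse_apparmor(line):
    """Return the AppArmor fields of one audit line as a dict, or None."""
    _, found, tail = line.partition('apparmor=')
    if not found:
        return None
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in FIELD_RE.findall(found + tail)}

def disconnected_failures(lines):
    """List records whose name lookup failed on a disconnected path.

    Such records carry a non-zero error even when the verdict is ALLOWED
    (complain mode), which is the behaviour described in the report.
    """
    hits = []
    for line in lines:
        rec = parse_apparmor(line)
        if not rec or 'disconnected path' not in rec.get('info', ''):
            continue
        err = int(rec.get('error', '0'))
        if err == 0:
            continue
        hits.append({
            'profile': rec.get('profile'),
            'operation': rec.get('operation'),
            'name': rec.get('name'),  # relative in these records: no leading "/"
            'verdict': rec.get('apparmor'),
            'errno': errno.errorcode.get(-err, str(-err)),
        })
    return hits

if __name__ == '__main__':
    for hit in disconnected_failures(SAMPLE):
        print(hit)
```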

Jos Zonneveld (jos-fam-zonneveld) wrote :

Same problem here

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Ueli (vogtuh) wrote :

I had the problem with the part:
apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/auth-userdb" pid=15664 comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=134

After modifying resp. updating the file /etc/apparmor.d/tunables/dovecot with the place where I'm storing the mails, it was working

Christian Boltz (cboltz) wrote :

Thanks for the report!

I committed the updated profile to bzr trunk r3651, 2.10 branch r3391 and 2.9 branch r3056.

If you want to update your profile locally, the needed changes are:

-/usr/lib/dovecot/dovecot-lda {
+/usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
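Review bot: The profile header gains flags=(attach_disconnected) with no comment saying why dovecot-lda needs it. The flag makes disconnected names such as the logged name="run/dovecot/config" (no leading slash) get matched as if rooted at /, which is a deliberate loosening of path mediation, so a one-line comment in the profile pointing at this bug would keep it from being dropped or copied to other profiles without a reason.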

+ /run/dovecot/auth-userdb rw,
+ /usr/share/dovecot/protocols.d/ r,
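
Review bot: The added rules cover /run/dovecot/auth-userdb and /usr/share/dovecot/protocols.d/, but the kern.log excerpt in the report also shows a connect on name="run/dovecot/config" with requested_mask="wr", and no rule for that socket appears in these lines. Please confirm the existing profile already grants rw on /run/dovecot/config; if not, it needs its own rule next to the auth-userdb one, since attach_disconnected only makes the name resolvable and does not grant access by itself.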

Changed in apparmor:
status: New → Fix Committed
milestone: none → 2.11.1
Changed in apparmor (Ubuntu):
importance: Undecided → High
Martin Pitt (pitti)
summary: - "Failed name lookup - disconnected path"
+ /usr/lib/dovecot/dovecot-lda: "Failed name lookup - disconnected path"
Changed in apparmor:
status: Fix Committed → Fix Released