Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot

Bug #1652131 reported by Nathaniel Homier on 2016-12-22
This bug affects 2 people
Affects             Status   Importance   Assigned to       Milestone
AppArmor                     Undecided    Christian Boltz
2.10                         Undecided    Christian Boltz
2.9                          Undecided    Christian Boltz
apparmor (Ubuntu)            Undecided    Unassigned

Bug Description

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.10
Release: 16.10
Codename: yakkety

Installing Postfix and Dovecot and setting them up as explained at https://help.ubuntu.com/lts/serverguide/postfix.html

Then setting all apparmor profiles including Postfix and Dovecot to enforce mode.

Postfix fails to send a TLS-protected email because Dovecot can't connect to /var/spool/postfix/auth/private: when Dovecot's AppArmor profile is set to enforce mode, AppArmor denies Dovecot access to /var/spool/postfix/auth/private.

Syslog:
apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130
apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130
Dec 22 10:38:20 frontier postfix/master[1516]: warning: process /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1

description: updated
summary: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks
- access to /var/spool/private/auth so Postfix and Dovecot can't send TLS
- protected emails
+ access to /var/spool/private/auth for Dovecot

Launchpad acting weird. Won't select the right package which is apparmor.

affects: dpkg (Ubuntu) → apparmor (Ubuntu)
Christian Boltz (cboltz) wrote :

profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" denied_mask="w"

That's already covered by the latest upstream profile.

profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" denied_mask="wr"
profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" denied_mask="w"

That translates to:
  /{var/,}run/dovecot/anvil-auth-penalty rw,
  /var/spool/postfix/private/auth w,

info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log"

You'll need to add flags=(attach_disconnected) to the dovecot/log profile.

Patch sent to upstream mailing list for review.

Changed in apparmor:
assignee: nobody → Christian Boltz (cboltz)
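As an added example (not from the bug report, and not AppArmor's own aa-logprof), a small Python script that applies the translation described in the comment above: it parses apparmor="DENIED" lines, turns each path denial into a profile rule using the /{var/,}run/ alternation and normalised permission order, and reports a "disconnected path" denial as needing flags=(attach_disconnected) rather than a path rule. The sample log embedded below is constructed from the DENIED lines quoted in this report.

```python
import re

# Constructed sample input: the DENIED lines quoted in this bug report.
SAMPLE_LOG = """\
apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130
"""

# key=value or key="quoted value"; group 3 is the unquoted content when quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Canonical permission order used in profile rules (log lines may say "wr").
PERM_ORDER = "rwalkmx"

def parse_denial(line):
    """Return the fields of one apparmor="DENIED" line as a dict, else None."""
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
              for m in FIELD_RE.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def rule_for(denial):
    """Translate one denial into the profile rule or flag it calls for."""
    if "disconnected path" in denial.get("info", ""):
        # The kernel could not resolve the object to a path inside the
        # namespace, so no path rule can match: the profile needs the
        # attach_disconnected flag instead.
        return "flags=(attach_disconnected)"
    path = denial["name"]
    if path.startswith("/run/"):
        # /run and /var/run are the same tree; the upstream profiles use
        # this alternation so the rule matches whichever name is reported.
        path = "/{var/,}run/" + path[len("/run/"):]
    perms = "".join(sorted(set(denial["denied_mask"]), key=PERM_ORDER.find))
    return "%s %s," % (path, perms)

def rules_by_profile(log_text):
    """Group the suggested rules per profile, de-duplicated, in log order."""
    out = {}
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is None:
            continue  # not an AppArmor denial (e.g. the postfix/master warning)
        rules = out.setdefault(denial["profile"], [])
        rule = rule_for(denial)
        if rule not in rules:
            rules.append(rule)
    return out
```

Review the output before pasting it into a profile: a denial tells you what the program asked for, not whether it should be allowed, and the flag suggestion applies to the profile header, not the rule body.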
Christian Boltz (cboltz) wrote :

Fixed in upstream AppArmor bzr - trunk r3607, 2.10 branch r3376 and 2.9 branch r3042.

Changed in apparmor:
status: New → Fix Committed
milestone: none → 2.11
Christian Boltz (cboltz) on 2017-01-10
Changed in apparmor:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed