Dovecot and Apparmor complains at operation file_inherit

Bug #1703821 reported by Matyáš Koc on 2017-07-12
Affects             Status   Importance   Assigned to   Milestone
AppArmor                     Undecided    Unassigned
apparmor (Ubuntu)            Undecided    Unassigned
dovecot (Ubuntu)             Undecided    Unassigned

Bug Description

My server is running Ubuntu 17.04 and Dovecot 2.2.27 (c0f36b0). Apparmor is still complaining about problems with file_inherit. I have put the profiles in complain-only mode, so I can continue, but still, it's a problem.

Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"

Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"

My configuration of Dovecot has changed slightly:

/etc/dovecot/dovecot-sql.conf.ext
   driver = mysql
   connect = host=localhost dbname=mail user=mail password=mailpassword
   default_pass_scheme = MD5-CRYPT
   password_query = ...
   user_query = ...

/etc/dovecot/conf.d/10-auth.conf
   disable_plaintext_auth = yes
   auth_mechanisms = plain login
   #!include auth-system.conf.ext
   !include auth-sql.conf.ext

/etc/dovecot/conf.d/10-mail.conf
   mail_location = maildir:/var/vmail/%d/%n
   mail_uid = vmail
   mail_gid = mail
   first_valid_uid = 150
   last_valid_uid = 150

/etc/dovecot/conf.d/10-ssl.conf
   ssl = required
   ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
   ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
   ssl_dh_parameters_length = 4096
   ssl_protocols = ...
   ssl_cipher_list = ...
   ssl_prefer_server_ciphers = yes

/etc/dovecot/conf.d/10-master.conf
   service auth {
     unix_listener auth-userdb {
       mode = 0666
       user = vmail
       group = mail
     }
     unix_listener /var/spool/postfix/private/auth {
       mode = 0666
       user = postfix
       group = postfix
     }
   }

/etc/dovecot/conf.d/15-lda.conf
   postmaster_address = ...

Apparmor usr.sbin.dovecot profile:

#include <tunables/global>

/usr/sbin/dovecot flags=(complain,attach_disconnected) {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/dovecot-common>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>

  capability chown,
  capability dac_override,
  capability fsetid,
  capability kill,
  capability net_bind_service,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  /etc/dovecot/** r,
  /etc/mtab r,
  /etc/lsb-release r,
  /etc/SuSE-release r,
  @{PROC}/@{pid}/mounts r,
  /usr/bin/doveconf rix,
  /usr/lib/dovecot/anvil Px,
  /usr/lib/dovecot/auth Px,
  /usr/lib/dovecot/config Px,
  /usr/lib/dovecot/dict Px,
  /usr/lib/dovecot/dovecot-auth Pxmr,
  /usr/lib/dovecot/imap Pxmr,
  /usr/lib/dovecot/imap-login Pxmr,
  /usr/lib/dovecot/lmtp Px,
  /usr/lib/dovecot/log Px,
  /usr/lib/dovecot/managesieve Px,
  /usr/lib/dovecot/managesieve-login Pxmr,
  /usr/lib/dovecot/pop3 Px,
  /usr/lib/dovecot/pop3-login Pxmr,
  /usr/lib/dovecot/ssl-build-param rix,
  /usr/lib/dovecot/ssl-params Px,
  /usr/sbin/dovecot mrix,
  /usr/share/dovecot/protocols.d/ r,
  /usr/share/dovecot/protocols.d/** r,
  /var/lib/dovecot/ w,
  /var/lib/dovecot/* rwkl,
  /var/spool/postfix/private/auth w,
  /var/spool/postfix/private/dovecot-lmtp w,
  /{,var/}run/dovecot/ rw,
  /{,var/}run/dovecot/** rw,
  link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.dovecot>
}

Profile usr.lib.dovecot.anvil:

#include <tunables/global>

/usr/lib/dovecot/anvil flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/dovecot-common>

  capability setuid,
  capability sys_chroot,

  /usr/lib/dovecot/anvil mr,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.anvil>
}

Matyáš Koc (vilican) on 2017-07-12
affects: apparmor → apparmor (Ubuntu)
Seth Arnold (seth-arnold) wrote :

I'm surprised about the "addr=none peer_addr=none" -- any idea what's going on here?

Thanks

John Johansen (jjohansen) wrote :

It's an anonymous socket. The best you can do is

to /usr/sbin/dovecot/anvil add
  unix (send, receive) peer=(label=/usr/sbin/dovecot),

to /usr/sbin/dovecot add
  unix (send, receive) peer=(label=/usr/sbin/dovecot/anvil),

Matyáš Koc (vilican) wrote :

It is surprising for me too, as I don't know about this problem on 16.04 LTS and I could not reproduce it. It was probably introduced in 17.04 or around that.

I have done some experimenting now and I managed to find out that the problem is caused only by the profile for /usr/lib/dovecot/anvil (not the dovecot profile itself). Also, adding just "signal," to the profile didn't work.

John Johansen (jjohansen) wrote :

This is caused by an anonymous socket communication channel between dovecot and anvil. If this problem is not happening in 16.04 (unless you are using the release kernel), then it will be because of a change to dovecot; newer versions of apparmor have been SRUed back to 16.04.

Seth Arnold (seth-arnold) wrote :

Oh, I always forget that unix has _anonymous_ sockets too. Silly complicated things. Thanks John.

Matyáš Koc (vilican) wrote :

I applied the fix and it looks like it's all working now. I wasn't aware of the anonymous sockets, so I was trying wrong things.

Thank you!
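The fix John describes, turned into a small checker: this is an added example, not part of the bug thread or of the dovecot/apparmor packages. It parses the two audit lines from the report (copied above as constructed input), recognises the addr=none/peer_addr=none anonymous-socket case, and emits the narrowest `unix` rule for each profile's local override file, using the profile labels exactly as the kernel log prints them and the `local/` file names the shipped profiles already `#include`.

```python
import re

# Two audit lines quoted in the report (constructed copy of the values shown).
# They say apparmor="ALLOWED" only because the profiles are in complain mode;
# in enforce mode the same events would be logged as apparmor="DENIED".
AUDIT_LINES = [
    'audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" '
    'operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 '
    'comm="anvil" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="send receive" denied_mask="send receive" '
    'addr=none peer_addr=none peer="/usr/sbin/dovecot"',
    'audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" '
    'operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 '
    'comm="anvil" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="send receive" denied_mask="send receive" '
    'addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"',
]

# key=value pairs; values are "quoted" (may contain spaces) or bare tokens.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(line):
    """Return one AppArmor audit line as a dict of its key=value fields."""
    return {k: q if q else u for k, q, u in FIELD.findall(line)}

def unix_rule(fields):
    """Narrowest unix rule for the event, returned as (profile, rule)."""
    # addr=none/peer_addr=none: an anonymous (socketpair) socket, so the peer
    # can only be matched on its profile label, not on a socket path.
    if fields.get("family") != "unix" or fields.get("addr") != "none":
        raise ValueError("not an anonymous unix-socket event")
    access = ", ".join(fields["denied_mask"].split())
    rule = (f"unix ({access}) type={fields['sock_type']} "
            f"peer=(label={fields['peer']}),")
    return fields["profile"], rule

def local_override_path(profile):
    """Site-local include the shipped profiles pull in via #include <local/...>
    (/usr/sbin/dovecot -> usr.sbin.dovecot, as the profiles above name them)."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")

def rules_by_file(lines):
    """Group de-duplicated rules by the override file they belong in."""
    out = {}
    for line in lines:
        profile, rule = unix_rule(parse_audit(line))
        bucket = out.setdefault(local_override_path(profile), [])
        if rule not in bucket:
            bucket.append(rule)
    return out
```

After appending the emitted rules to the two local override files, reload the profiles (`apparmor_parser -r` on each) and confirm the file_inherit events stop appearing before switching the profiles back to enforce mode.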
