Dovecot's apparmor profile breaks dovecot-antispam

Bug #482080 reported by Brice Arnould on 2009-11-13
This bug affects 2 people
Affects: apparmor (Ubuntu), dovecot-antispam (Ubuntu)

Bug Description

Binary package hint: dovecot-antispam

On my Ubuntu 9.10, with the following versions of the packages installed:
dovecot-antispam : 1.1+20090218.git.g28075fa-2
apparmor-profiles : 2.3.1+1403-0ubuntu27.1

The antispam plugin tries to use folders in /tmp/ (like "/tmp/antispam-mail-QXCQTR/") as a temporary storage zone, but it is prevented from doing so by apparmor:

  dmesg | tail
  [553173.563468] type=1502 audit(1258103977.311:86928): operation="mkdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
  [553173.563884] type=1502 audit(1258103977.311:86929): operation="rmdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
  [...]

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dovecot-antispam (Ubuntu):
status: New → Confirmed

Simon Déziel (sdeziel) wrote :

This is also affecting Lucid.

Simon Déziel (sdeziel) wrote :

As a temporary workaround, I've added this to /etc/apparmor.d/usr.lib.dovecot.imap

  # dovecot-antispam plugin
  owner /tmp/** rwkl,
  owner /tmp/antispam-mail-*/* klrw,

  # dovecot-antispam pipes to sendmail
  /usr/sbin/sendmail PUx,

Simon Déziel (sdeziel) wrote :

In fact the following is enough :

  # dovecot-antispam plugin
  owner /tmp/** rwkl,

  # dovecot-antispam pipes to sendmail
  /usr/sbin/sendmail PUx,

Long dormant, I just came by accidentally and realized it was missed on the last merge since it is a change in dovecot that is needed.
Adding the right bug task to hopefully be picked up next time.

While working on the minor merge for Dovecot I realized that this profile is in fact part of apparmor profiles :-/
So I flagged wrong last November - adding apparmor now.

no longer affects: dovecot (Ubuntu)

Would be profiles/apparmor.d/usr.lib.dovecot.imap in the apparmor package.
But after all the time we might need a check if things still apply.

Also, in a different setup the same entries might be needed in usr.lib.dovecot.pop3 or such.
And in that case maybe rather abstractions/dovecot-common?

And finally I don't know if
  owner /tmp/** rwkl,
Is too open?
Looking at the logs maybe rather:
  owner /tmp/antispam-mail** rwkl,

Christian Boltz (cboltz) wrote :

I'd even recommend restricting it a bit more:

  owner /tmp/antispam-mail*/ rw,
  owner /tmp/antispam-mail*/* rwkl,

sendmail might be a candidate for a child profile. Such a (maybe too generous) profile already exists in the dovecot-lda profile, so cleaning it up and removing permissions that are not needed for "just" sending a mail might be a good idea.

I won't object if you provide a generic sendmail profile that we can Px into (feel free to use the child profile in dovecot-lda as a base), but that needs much more testing before shipping and enforcing it in the default setup.

tags: added: aa-policy
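As an added example (not code from the report or from the AppArmor project), the script below parses denial lines in the format quoted in the description and reports which path globs would cover each denied path. It applies the AppArmor globbing rules that `*` stops at `/`, `**` crosses `/`, and either one placed directly after a `/` must match at least one character (so `/dir/**` does not cover `/dir/` itself), which is why the narrow rule set needs a separate `antispam-mail*/` entry for the mkdir/rmdir. The third log line, the `/tmp/other-file` comparison and the `PROPOSED` list name are constructed for the example; file modes are not modelled.

```python
import re

# Sample input: the first two lines are the denials quoted in the report,
# the third is a constructed line for a file created inside that directory.
SAMPLE_LOG = """\
[553173.563468] type=1502 audit(1258103977.311:86928): operation="mkdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
[553173.563884] type=1502 audit(1258103977.311:86929): operation="rmdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
[553173.600000] type=1502 audit(1258103977.400:86930): operation="open" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/mail.eml"
"""

# Path globs of the narrow rule set suggested in the last comment (constructed name).
PROPOSED = ["/tmp/antispam-mail*/", "/tmp/antispam-mail*/*"]

def parse_denials(text):
    """Return (operation, profile, path) for each audit line carrying a name= field."""
    pat = re.compile(r'operation="([^"]+)".*?profile="([^"]+)".*?name="([^"]+)"')
    return [m.groups() for m in map(pat.search, text.splitlines()) if m]

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regex.

    '*' matches any run of characters except '/', '**' also crosses '/'.
    Either one placed directly after a '/' must match at least one character,
    which is why '/dir/**' does not match '/dir/' itself.
    """
    out, i = "", 0
    while i < len(glob):
        after_slash = i == 0 or glob[i - 1] == "/"
        if glob.startswith("**", i):
            out += "[^/].*" if after_slash else ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]+" if after_slash else "[^/]*"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile("^" + out + "$")

def matching_rules(path, rules):
    """Return the globs in `rules` that cover `path`."""
    return [g for g in rules if aa_glob_to_regex(g).match(path)]

def coverage(log_text, rules):
    """Map every denied path in the log to the globs that would have allowed it."""
    return {path: matching_rules(path, rules) for _, _, path in parse_denials(log_text)}

if __name__ == "__main__":
    for path, hits in coverage(SAMPLE_LOG, PROPOSED).items():
        print(path, "->", hits or "STILL DENIED")
```

Running it shows the directory itself is covered only by the `antispam-mail*/` rule and the file inside only by `antispam-mail*/*`, while the broad `owner /tmp/**` would also cover unrelated paths under /tmp.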