dovecot imap broken by apparmor policy

This looks like it could be an apparmor bug instead of dovecot bug, it just happens to manifest itself with dovecot. Adding "apparmor" in "affects".

Status changed to 'Confirmed' because the bug affects multiple users.

Thank you for using Ubuntu and reporting a bug. The 'null' lines are used when the profile is in complain mode. The apparmor log message states that the access was allowed, so I am not sure why it would be getting in the way.

Can you provide exact steps on how to reproduce this?

Marking the dovecot task Invalid for now-- the apparmor profile is not shipped by default or enabled by dovecot and if there is a problem, it is with apparmor.

Also, can you perform the following after seeing the error condition?
$ apport-collect 997269

This will provide logs and system information needed for diagnosing the problem.

apport information

apport information

apport information

apport information

apport information

Thanks for the extra information. Can you also attach the output of:
$ sudo aa-status

I am able to reproduce this on a fresh install some times but not reliably. It would be great if someone who has some apparmor experience could have a look at this.

Steps to re-produce:

1. Install Ubuntu 12.04 Server from amd64 ISO in a virtual machine and make sure it is up to date:
# apt-get update && apt-get upgrade
# reboot

2. Install dovecot imapd and fetchmail for testing:
# apt-get install dovecot-imapd fetchmail
(I possibly needed to issue "service dovecot start" separately.)

3. Create user who receives mail:
# adduser foobar

4. Make mail directories for the user:
# mkdir -p /home/foobar/Maildir/{cur,new,tmp}

5. Send one e-mail to our user:
# (echo From: foo; echo; echo bar) > /home/foobar/Maildir/new/foo

6. Ensure correct ownership:
# chown -R foobar /home/foobar/Maildir

7. Try to retrieve the mail:
# fetchmail --user foobar --mda cat localhost
Observe success. Ignore warning about certificate. The mail should be output to stdout.

8. Install apparmor-profiles:
# apt-get install apparmor-profiles

9. Reboot to ensure fresh state:
# reboot

10. Send another e-mail:
# (echo From: foo; echo; echo bar) > /home/foobar/Maildir/new/foo2

11. Again, change ownership:
# chown foobar /home/foobar/Maildir/new/foo2

12. Try fetching mail again:
# fetchmail --user foobar --mda cat localhost
You may or may not see a failure here.

13. If there was no failure, open another terminal and log in as foobar, and create a pile of e-mails:
while true ; do ( echo From: foo; echo; echo bar ) > /home/foobar/Maildir/new/foo$SECONDS.$RANDOM ; done
Hit ctrl-C after some time.

14. Try fetching mail again:
# fetchmail --user foobar --mda cat localhost

15. If there was no failure, repeat steps 13 and 14 until the failure is observed. There will be error entries in /var/log/mail.err when the problem appears.

On 07/08/2012 09:02 PM, Jamie Strandboge wrote:
> Thanks for the extra information. Can you also attach the output of:
> $ sudo aa-status

This is already there, in the attachment ApparmorStatusOutput.txt

[Expired for apparmor (Ubuntu) because there has been no activity for 60 days.]

thanks for explanation and workaround. Helped me to solve it on 12.10

Is this still a problem with Ubuntu 14.04? The dovecot profiles received a number of updates since this bug was reported.

I am seeing this in 13.10 server.

[Expired for apparmor (Ubuntu) because there has been no activity for 60 days.]

For me it has been fixed by 14.04 and can now run with the different dovecot apparmor profiles swithed on

In 14.04, the profile usr.lib.dovecot.imap-login does not allow the process to read from /var/run/dovecot/config, causing the client to see tls handshake timeouts if that profile is in enforce mode. Should I open a new bug?

Vin, this should be fixed since AppArmor bzr r2548 (but didn't make it into 14.04 yet).

You can get the latest profile from to http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/files/head:/profiles/apparmor.d/ - download usr.lib.dovecot.imap-login and abstractions/dovecot-common (newly added and required by the updated imap-login profile).

If it works with the updated profile, please add a short success message here. Otherwise (or if you notice more/other issues), please open a new bugreport and add a pointer to the new report here.

Hm, a fix was released... Can we have more info on what was fixed in apparmor itself ? (which commit, and which ubuntu/debian package/version) ?
My server is in 12.04.1 LTS and I don't want to upgrade the whole system it only for this, so I need more info.

I just upgraded my apparmor package from 2.7.102-0ubuntu3.7 to 2.7.102-0ubuntu3.10 ... But the changelog does not seem to list this bug as fixed::

  * 0022-aa-logprof-PUx_rewrite_fix-lp982619.patch: fix aa-logprof
    rewrite of PUx modes (LP: #982619)
  * 0023-lp1091642-parser-reset_matchflags.patch: prevent reuse of
    matchflags in parser dfa backend and add testcase demonstrating
    the problem (LP: #1091642)
  * 0024-profiles-allow_exo-open-lp987578.patch: allow exo-open to work
    within ubuntu-integration (LP: #987578)

Also, the current bug thread is not clear about if this is related to apparmor-profile or to an apparmor bug.

But, I don't have any apparmor-profile package installed and I am experiencing this issue randomly.

Namely:

Feb 26 10:45:36 mail dovecot: imap(foobar): Error: fcntl(unlock) locking failed for file /home/foobar/.mail/dovecot.index.log: No such file or directory
Feb 26 10:45:36 mail dovecot: imap(foobar): Error: fstat() failed with file /home/foobar/.mail/dovecot.index.log: No such file or directory
Feb 26 10:47:00 dovecot: last message repeated 15 times

Many thanks if anybody as any info on this topic.

Valentin, do you have any DENIED messages from AppArmor in your dmesg output, /var/log/syslog, or /var/log/audit/audit.log files?

Thanks