apparmor messages everywhere

Bug #1594202 reported by luca on 2016-06-19
This bug affects 6 people
Affects Status Importance Assigned to Milestone
dovecot (Ubuntu)
Medium
Unassigned

Bug Description

Hi, I'm using dovecot on a computer that I use as half server, half media center, and I get a lot of popup messages of AppArmor complaining about dovecot processes doing stuff.

Looking at the kern.log as stated in the messages, I can see stuff like these:

Jun 20 01:49:24 omicron kernel: [ 962.491873] audit: type=1400 audit(1466380164.941:90): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=2175 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

Or:

Jun 20 01:41:24 omicron kernel: [ 482.417903] audit: type=1400 audit(1466379684.909:72): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=5203 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

This is extremely annoying. I'm not an expert at writing rules for apparmor, but I have the feeling I shouldn't need to; at least from a very shallow look it seems like those operations are legal and needed for dovecot to operate, so why aren't they included in the shipped apparmor profiles?

Thanks!
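As an added example (not part of the bug report or of Ubuntu's dovecot packaging), a small Python parser for the type=1400 audit lines quoted above. It groups events by profile, treats apparmor="ALLOWED" together with a non-empty denied_mask as a sign the profile is in complain mode (logged, not blocked), and separates the "disconnected path" case, where the unresolved name has no leading slash and cannot be matched by a path rule so the profile needs the attach_disconnected flag, from an ordinary file access that a path rule such as `/run/dovecot/stats-user w,` would cover. The two log lines are the report's own, embedded here as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample input: the two kern.log lines quoted in the bug report.
SAMPLE_LOG = """\
Jun 20 01:49:24 omicron kernel: [  962.491873] audit: type=1400 audit(1466380164.941:90): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=2175 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jun 20 01:41:24 omicron kernel: [  482.417903] audit: type=1400 audit(1466379684.909:72): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=5203 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value pairs that follow the "audit(...):" stamp
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    # Drop everything up to and including "audit(...): " so the timestamp
    # prefix is not mistaken for key=value pairs.
    for key, quoted, bare in _KV.findall(line.split('): ', 1)[-1]):
        fields[key] = quoted if quoted != '' else bare
    return fields


def suggest_fix(ev):
    """Map one event to the profile change a profile maintainer would look at.
    A 'disconnected path' name (no leading '/') cannot be matched by a path
    rule; the profile needs flags=(attach_disconnected) instead."""
    if 'disconnected path' in ev.get('info', ''):
        return 'flags=(attach_disconnected)'
    return '%s %s,' % (ev['name'], ev['denied_mask'])


def summarize(log_text):
    """Group audit events by profile: enforcement mode plus suggested fixes."""
    out = defaultdict(lambda: {'mode': None, 'fixes': set()})
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or 'profile' not in ev:
            continue
        entry = out[ev['profile']]
        # ALLOWED combined with a denied_mask means the access was only
        # logged: the profile is in complain mode, not enforce mode.
        entry['mode'] = 'complain' if ev['apparmor'] == 'ALLOWED' else 'enforce'
        entry['fixes'].add(suggest_fix(ev))
    return dict(out)
```

Running `summarize(SAMPLE_LOG)` yields one entry per dovecot profile, so the /usr/lib/dovecot/log entry points at the attach_disconnected flag and the /usr/lib/dovecot/auth entry at a single path rule.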

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. You did not provide any version information. Please execute the following command only once, as it will automatically gather debugging information, in a terminal:
apport-collect 1594202

When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

Robie Basak (racb) wrote :

Once done, please change the bug status back to New. Thanks!

Changed in dovecot (Ubuntu):
status: New → Incomplete
luca (llucax) wrote :

$ apport-collect 1594202
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
/usr/share/apport/apport-gtk:16: PyGIWarning: Wnck was imported without specifying a version first. Use gi.require_version('Wnck', '3.0') before import to ensure that the right version gets loaded.
  from gi.repository import GLib, Wnck, GdkX11, Gdk

(apport-gtk:2988): Gtk-CRITICAL **: gtk_settings_get_for_screen: assertion 'GDK_IS_SCREEN (screen)' failed
/usr/share/apport/apport-gtk:60: Warning: g_object_get_qdata: assertion 'G_IS_OBJECT (object)' failed
  'apport-gtk.ui'))
Segmentation fault (core dumped)

I'm on a console on ssh. This is why I haven't used report-bug.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

$ dpkg -l dovecot-core
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-====================================-=======================-=======================-==============================================================================
ii dovecot-core 1:2.2.22-1ubuntu2 amd64 secure POP3/IMAP server - core files

Changed in dovecot (Ubuntu):
status: Incomplete → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dovecot (Ubuntu):
status: New → Confirmed
Robie Basak (racb) on 2016-06-23
Changed in dovecot (Ubuntu):
importance: Undecided → Medium

Hi,
and as Robie said thanks for the report.
I tried to reproduce, but at least with dovecot as in "mail-stack-delivery" in its default conf it doesn't show up.
Yet I found that this very likely is related to a bug in apparmor - see bug 1373070

I asked there for guidance as they already identified various related issues and decided for temporary workarounds e.g. in cups.

Also the failing apport-collect is likely related to your mentioned "half server / half desktop" setup. If you can't find a solution for that you might want to chime in on bug 1542901 and provide some extra info there.

John Johansen (jjohansen) wrote :

The apparmor profile is tailored for the default dovecot install. If you have a custom build or have tweaked the configuration, the apparmor profile may need to be modified.

Can you tell how/where your dovecot came from: apt/snap/custom build?

Can you please attach your dovecot configs so we can identify how your set up is different.

Robie Basak (racb) wrote :

Once you've replied, please change the bug status back to New.

Changed in dovecot (Ubuntu):
status: Confirmed → Incomplete
luca (llucax) wrote :

Attaching my dovecot configuration. I don't think I changed much, but I customized it a while ago.

luca (llucax) wrote :

> If you can't find a solution for that you might want to chime in on bug 1542901 and provide some extra info there.

Mmm, in that bug I see lots of messages about "disconnected path", but I don't have those.

Changed in dovecot (Ubuntu):
status: Incomplete → New
luca (llucax) wrote :

Sorry, I don't have **only** those.

Thanks for the feedback, and you likely meant bug 1373070 - the other one is about your apport not being able to report.

I have created a new KVM installed dovecot via mail-stack-delivery as I usually did and started to similarize our configurations.

I found that you had no mail-stack so I had to remove some configs I had - in others you had customized your system

I needed to drop:
/etc/dovecot/conf.d/20-lmtp.conf
/etc/dovecot/conf.d/20-pop3.conf
/etc/dovecot/conf.d/auth-ldap.conf.ext
/etc/dovecot/dovecot-ldap.conf.ext

And I adapted the following which differed
Diff:
dovecot/conf.d/10-ssl.conf
  adapted, enable ssl as required (except using self signed cert in my case)
dovecot/conf.d/20-imap.conf
  adapted (max connections)
dovecot/conf.d/10-mail.conf
  adapted, moving inbox to /var/mail
dovecot/conf.d/10-auth.conf
  adapted, disable plaintext auth

Finally I needed to add one that you had but I didn't:
./dovecot/dovecot-db.conf.ext
  This was only delivered in /usr/share in precise, and dropped since then - taking yours for now anyway despite I think Berkeley DB support isn't existing atm.

Checking server and apparmor status with that after a full reboot:
No apparmor Denies.

I tested it a bit by connecting for imap, pop3 and smtp (postfix in that latter case) - but no matter what I didn't get any apparmor issues.

Here a log of what I see - all as it should be: http://paste.ubuntu.com/22147539/

I'd be interested in:
a) if you have a different report on "sudo apparmor_status"
b) if the messages you see are aligned to any activity like "receiving a mail"

All others were the same by md5sum.

Changed in dovecot (Ubuntu):
status: New → Incomplete
luca (llucax) wrote :

Hi, thanks for all the effort testing this! Very much appreciated.

a) Here is the output of apparmor_status (ran as root): https://paste.ubuntu.com/23062732/
b) Actually now it is hard to see because I haven't been getting more apparmor messages lately, I'm not sure if because something got fixed in some upgrade or because I finally added some extra rules to the profile myself (without really knowing what I was doing).

The last messages I see in /var/log/kern.log are from July, and are the same as the one I reported here. I will attach all the files I have in /etc/apparmor.d/*dovecot* (I think I never change any files without dovecot in the name) in case you want to check if there is anything changed compared to what's distributed by Ubuntu.

PS: Now, and for some time now, I can only see apparmor messages complaining about chromium.

Robie Basak (racb) on 2016-08-17
Changed in dovecot (Ubuntu):
status: Incomplete → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dovecot (Ubuntu):
status: New → Confirmed