Dovecot and Apparmor complains at operation file_inherit
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Undecided | Unassigned |
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Won't Fix | Undecided | Unassigned |
dovecot (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Low | Unassigned |
Bug Description
[Impact]
Users report that while running dovecot there are some issues reported
by AppArmor, specifically regarding "file_inherit" operations:
Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(149985907
Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(149985907
This is likely caused by an anonymous socket communication channel
between dovecot and anvil.
A fix in the dovecot AppArmor policy was already merged upstream
in commit 1ce8cd21, which is being backported in this SRU.
There was a change upstream that renamed the dovecot profile, so it was
necessary to make a small change on the backport to reference the
correct profile name.
[Test Plan]
Clone the qa-regression-
https:/
Setup the machine according to the instructions in the README.
Run the dovecot tests from the qa-regression-
python3 ./script test-dovecot.py
After running the tests, check dmesg for no DENIED messages:
dmesg | grep DENIED
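The grep above only catches enforce-mode events; since the bionic dovecot profile is in complain mode, its file_inherit events are logged as apparmor="ALLOWED" and would be missed. The following is an added example, not code from the bug report or from the Ubuntu QA scripts, that parses AppArmor type=1400 lines from dmesg and counts both decisions per profile and operation; the sample lines and profile paths in it are constructed, and filtering on the substring "dovecot" in the profile name is an assumption.

```python
import re
import sys
from collections import Counter

# Constructed sample dmesg output (not the truncated lines from the bug report);
# the field layout follows AppArmor's type=1400 audit format.
SAMPLE_DMESG = """\
[ 3905.672577] audit: type=1400 audit(1499859079.611:101): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=1234 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="dovecot"
[ 3905.672578] audit: type=1400 audit(1499859079.611:102): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=1234 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="dovecot"
[ 3910.100000] audit: type=1400 audit(1499859084.039:103): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/shadow" pid=1300 comm="imap" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3911.000000] audit: type=1400 audit(1499859085.000:104): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="dovecot" pid=1400 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword (e.g. addr=none, pid=1234)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one type=1400 audit line, or None."""
    if "type=1400" not in line:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def policy_events(text, profile_filter="dovecot"):
    """Count (decision, profile, operation) for profiles matching the filter.

    Complain-mode profiles report apparmor="ALLOWED" for events the policy
    would have blocked, so both ALLOWED and DENIED are counted; STATUS
    lines (profile loads/replaces) are skipped.
    """
    counts = Counter()
    for line in text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        profile = ev.get("profile", "")
        if profile_filter not in profile:
            continue
        counts[(ev["apparmor"], profile, ev.get("operation", "?"))] += 1
    return counts


if __name__ == "__main__":
    # Usage: dmesg | python3 this_script.py   (falls back to the sample above)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for (decision, profile, op), n in sorted(policy_events(data).items()):
        print(f"{decision:8} {op:14} {profile} x{n}")
```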
[Where problems could occur]
This update broadens the dovecot policy, so it should not cause any
issues where a behavior that was previously allowed is now denied.
In addition, the dovecot policy is already in complain mode in
bionic.
affects: | apparmor → apparmor (Ubuntu) |
tags: | added: bitesize |
description: | updated |
Changed in apparmor (Ubuntu): | |
status: | Expired → Fix Released |
I'm surprised about the "addr=none peer_addr=none" -- any idea what's going on here?
Thanks