Deziel <simon.dez...@gmail.com>
Subject: Re: Bug#837656: icedove: apparmor still blocking local movemail
In-Reply-To: <147376605188.7859.18188341067345011210.reportbug@localhost.localdomain>
Hello Ximin,

At least I have no knowledge about apparmor, so I am including the upstream author Simon Deziel in the recipients.

On Tue, Sep 13, 2016 at 01:27:31PM +0200, Ximin Luo wrote:
> Package: icedove
> Version: 1:45.2.0-4+b1
> Severity: important
>
> Dear Maintainer,
>
> movemail is still getting blocked by apparmor:
>
> [ +9.515262] audit: type=1400 audit(1473764643.385:763839): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
> [ +1.000891] audit: type=1400 audit(1473764644.389:763840): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
> [ +1.000920] audit: type=1400 audit(1473764645.389:763841): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
> [ +1.000986] audit: type=1400 audit(1473764646.389:763842): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
> [ +1.000920] audit: type=1400 audit(1473764647.389:763843): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
>
> Furthermore the icedove/thunderbird error message contains very dangerous advice:
>
> "Unable to create lock file /var/spool/mail/infinity0.lock. For movemail to work, it is necessary to create lock files in the mail spool directory. On many systems, this is best accomplished by making the spool directory be mode 01777."
>
> Setting it to 01777 would allow anyone to delete everyone's mail.
>
> Instead, a better fix is:
>
> /etc/apparmor.d/usr.bin.icedove:
>   # system emails
> - owner /var/mail/* rw,
> + owner /var/mail/* rwlk,
>
> then `service apparmor reload` and restart icedove

Simon, what are your thoughts about this change?

We already had one report about this (similar?) issue:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833184

Regards,
Carsten
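Review bot: the denials quoted in the report request only `k` (file lock) on /var/mail/infinity0, so `owner /var/mail/* rwk,` is the narrowest change that clears them; the proposed `rwlk` additionally grants `l`, which in AppArmor file rules permits creating hard links under /var/mail. That may be needed for the `/var/spool/mail/infinity0.lock` dotlock named in the error message, but no link denial appears in the log, so the report should either state why `l` is included or apply `rwk` first and add `l` only if a further denial shows up. Keeping the `owner` qualifier is the right counter to the 01777 suggestion: the rule stays scoped to the user's own spool file rather than loosening the directory for everyone.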
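As an added example, not part of this bug thread and not code from icedove, Debian or the AppArmor project, the following Python script does the check a maintainer would want before choosing between `rwk` and `rwlk`: it parses AppArmor audit lines like the ones quoted above, unions the `denied_mask` letters per profile and path, tests whether an existing rule such as `owner /var/mail/* rw,` already covers them (using AppArmor's rule that `*` does not cross `/`), and renders the minimally widened rule. The first two log lines are copied from the report; the third is a constructed, unrelated denial with a non-owner file to show how the `owner` qualifier is handled. All function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample log: the first two lines are taken from the dmesg excerpt in the
# report above; the third is made up (a root-owned file) to exercise the owner check.
SAMPLE_LOG = """\
[ +9.515262] audit: type=1400 audit(1473764643.385:763839): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
[ +1.000891] audit: type=1400 audit(1473764644.389:763840): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
[ +1.000920] audit: type=1400 audit(1473764645.389:763841): apparmor="DENIED" operation="open" profile="icedove" name="/etc/mail/aliases" pid=25709 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value, as the kernel audit format emits them
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

# Display order for the file-permission letters this example handles.
PERM_ORDER = "rwmlkix"


def parse_denial(line):
    """Return the key/value fields of an apparmor="DENIED" audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, val = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
        fields[key] = val
    return fields


def needed_masks(log_text):
    """Map (profile, path) -> (union of denied_mask letters, owner_applies).

    owner_applies is True only if every denial for that path had fsuid == ouid,
    which is the condition an `owner` rule needs in order to match."""
    needed = defaultdict(set)
    owner_ok = defaultdict(lambda: True)
    for line in log_text.splitlines():
        f = parse_denial(line)
        if not f or "denied_mask" not in f or "name" not in f:
            continue
        key = (f["profile"], f["name"])
        needed[key].update(f["denied_mask"])
        owner_ok[key] &= f.get("fsuid") == f.get("ouid")
    return {k: ("".join(sorted(v)), owner_ok[k]) for k, v in needed.items()}


def aa_glob_to_re(glob):
    """Translate an AppArmor path glob: `*` and `?` stop at `/`, `**` crosses it."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")


def check_rules(log_text, rules):
    """rules: list of (glob, perms, owner_only). For each denied (profile, path)
    return the letters still missing under the first matching rule ('' when the
    rule already covers it) or None when no rule can match the path."""
    result = {}
    for (profile, path), (mask, owner) in needed_masks(log_text).items():
        for glob, perms, owner_only in rules:
            if aa_glob_to_re(glob).match(path) and (owner or not owner_only):
                result[(profile, path)] = "".join(c for c in mask if c not in perms)
                break
        else:
            result[(profile, path)] = None
    return result


def widened_rule(glob, perms, owner_only, missing):
    """Render the rule with the missing letters added, in a stable letter order."""
    letters = set(perms) | set(missing)
    ordered = "".join(c for c in PERM_ORDER if c in letters)
    ordered += "".join(sorted(letters - set(PERM_ORDER)))
    return f"{'owner ' if owner_only else ''}{glob} {ordered},"


if __name__ == "__main__":
    current = [("/var/mail/*", "rw", True)]          # the rule before the proposed change
    for (profile, path), missing in check_rules(SAMPLE_LOG, current).items():
        if missing is None:
            print(f"{profile}: no rule matches {path}")
        elif missing:
            print(f"{profile}: {path} needs '{missing}' -> {widened_rule('/var/mail/*', 'rw', True, missing)}")
        else:
            print(f"{profile}: {path} already covered")
```

Run against the report's own lines this prints that `/var/mail/infinity0` needs `k` and suggests `owner /var/mail/* rwk,`; the constructed `/etc/mail/aliases` line shows as unmatched because the path is outside the glob and not owned by the user. Running the same check after deploying a new rule is the quick way to confirm that no further letters (such as `l` for the dotlock) are still being denied.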