Hi Ximin and Carsten,

On 2016-09-13 08:47 AM, Carsten Schoenert wrote:
> Hello Ximin,
>
> at least I have no knowledge about apparmor, so I am adding the upstream
> author Simon Deziel to the recipients.
>
> On Tue, Sep 13, 2016 at 01:27:31PM +0200, Ximin Luo wrote:
>> Package: icedove
>> Version: 1:45.2.0-4+b1
>> Severity: important
>>
>> Dear Maintainer,
>>
>> movemail is still getting blocked by apparmor:
>>
>> [ +9.515262] audit: type=1400 audit(1473764643.385:763839): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
>> [ +1.000891] audit: type=1400 audit(1473764644.389:763840): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
>> [ +1.000920] audit: type=1400 audit(1473764645.389:763841): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
>> [ +1.000986] audit: type=1400 audit(1473764646.389:763842): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
>> [ +1.000920] audit: type=1400 audit(1473764647.389:763843): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
>>
>> Furthermore the icedove/thunderbird error message contains very dangerous
>> advice:
>>
>> "Unable to create lock file /var/spool/mail/infinity0.lock. For movemail to
>> work, it is necessary to create lock files in the mail spool directory. On
>> many systems, this is best accomplished by making the spool directory be
>> mode 01777."
>>
>> Setting it to 01777 would allow anyone to delete everyone's mail.
>>
>> Instead, a better fix is:
>>
>> /etc/apparmor.d/usr.bin.icedove:
>> # system emails
>> - owner /var/mail/* rw,
>> + owner /var/mail/* rwlk,
>>
>> then `service apparmor reload` and restart icedove
>
> Simon, what are your thoughts about this change?
>
> We already had one report about this (similar?) issue:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833184
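Review bot: the replacement rule grants `l` (link) in addition to `k` (lock), while every quoted denial asks only for `k` on /var/mail/infinity0, so `owner /var/mail/* rwk,` is the smallest change the logs justify; keep `l` only if a denial with requested_mask="l" shows movemail creating the lock by hard-linking a temporary file. The error text also names /var/spool/mail/infinity0.lock, which this rule covers only if /var/spool/mail resolves to /var/mail (AppArmor matches on the resolved path); if the spool is a separate directory it needs its own rule.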
There were 2 commits that went in for bug 833184. The first allowed "rw" and
shipped with 45.2.0-3. The second commit added the locking permissions and
went upstream in [1]. The latter commit is what's missing from Icedove's
package.

Carsten, if you could re-sync with the Thunderbird profile from git, it
should work.

Thanks

Regards,
Simon

1: https://git.launchpad.net/apparmor-profiles/commit/?id=f8ed397c22306dc89559bcb83dfc760400f76543
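As an added example (not code from the bug report, the Debian package or the apparmor-profiles project), the script below does mechanically what the reporter did by hand: it parses AppArmor DENIED audit lines of the form quoted above, groups them by profile and path, and proposes the profile rule that would satisfy them, extending an existing rule (the report's `owner /var/mail/* rw,`) when the denied path matches its glob. The first two log lines are copied from the report; the third (an open denial on the .lock file) is constructed to show several denials folding into one rule. The mapping of the logged create/delete letters `c`/`d` onto the profile's `w`, and the glob translation (`*` not crossing `/`, `**` crossing it), are my simplifications of AppArmor semantics; aa-logprof is the real tool for this.

```python
"""Propose AppArmor profile rules from DENIED audit lines.

Added example; not part of the Debian bug report or the apparmor-profiles
project.  Heuristic only: use aa-logprof for real profile work.
"""
import re

# Constructed sample: lines 1-2 copied in shape from the bug report,
# line 3 invented to show a second path under the same glob.
SAMPLE_DMESG = """\
[ +9.515262] audit: type=1400 audit(1473764643.385:763839): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
[ +1.000891] audit: type=1400 audit(1473764644.389:763840): apparmor="DENIED" operation="file_lock" profile="icedove" name="/var/mail/infinity0" pid=25709 comm="icedove" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
[ +0.500000] audit: type=1400 audit(1473764645.000:763841): apparmor="DENIED" operation="open" profile="icedove" name="/var/mail/infinity0.lock" pid=25709 comm="icedove" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
"""

# The rule the report shows as already present: (glob, mask, owner-qualified)
PROFILE_RULES = [("/var/mail/*", "rw", True)]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwalkm"          # canonical order for file permission letters
# Assumption: logged create/delete requests are granted by 'w' in a profile.
LOG_TO_RULE = {"c": "w", "d": "w"}


def parse_denial(line):
    """Return the key=value fields of an apparmor="DENIED" record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def merge_masks(*masks):
    """Union of permission letters, normalised and in canonical order."""
    letters = {LOG_TO_RULE.get(c, c) for m in masks for c in m}
    known = [p for p in PERM_ORDER if p in letters]
    return "".join(known + sorted(letters - set(PERM_ORDER)))


def aa_glob_to_regex(glob):
    """Translate AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        out.append("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def suggest_rules(log_text, existing_rules):
    """Return sorted rule strings that would satisfy every denial in log_text.

    A denial whose path matches an existing rule's glob (and whose fsuid
    equals ouid if that rule is owner-qualified) extends that rule's mask;
    anything else becomes a new path-specific rule.
    """
    needed = {}  # (profile, path, owner) -> mask that was denied
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if not rec or "name" not in rec:
            continue
        owner = rec.get("fsuid") == rec.get("ouid")
        key = (rec["profile"], rec["name"], owner)
        needed[key] = merge_masks(needed.get(key, ""), rec["denied_mask"])

    wanted = {}  # (profile, glob-or-path, owner) -> full mask for the rule
    for (profile, name, owner), mask in needed.items():
        for glob, have, rule_owner in existing_rules:
            if (not rule_owner or owner) and aa_glob_to_regex(glob).match(name):
                key = (profile, glob, rule_owner)
                wanted[key] = merge_masks(wanted.get(key, ""), have, mask)
                break
        else:
            key = (profile, name, owner)
            wanted[key] = merge_masks(wanted.get(key, ""), mask)

    return sorted("%s%s %s," % ("owner " if o else "", path, mask)
                  for (_, path, o), mask in wanted.items())


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_DMESG, PROFILE_RULES):
        print(rule)
```

Run against the sample with the report's existing rule it prints `owner /var/mail/* rwk,`, i.e. the `k` the denials ask for and nothing more; with no existing rules it falls back to one owner-qualified rule per denied path, which is the shape you want to review before widening a glob.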