Thanks for the report!
I commited the updated profile to bzr trunk r3651, 2.10 branch r3391 and
2.9 branch r3056.
If you want to update your profile locally, the needed changes are:
-/usr/lib/dovecot/dovecot-lda {
+/usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
+ /run/dovecot/auth-userdb rw,
+ /usr/share/dovecot/protocols.d/ r,
** Also affects: apparmor
Importance: Undecided
Status: New
** Also affects: apparmor/2.9
Importance: Undecided
Status: New
** Also affects: apparmor/2.10
Importance: Undecided
Status: New
** Changed in: apparmor
Status: New => Fix Committed
** Changed in: apparmor
Milestone: None => 2.11.1
** Changed in: apparmor/2.10
Status: New => Fix Committed
** Changed in: apparmor/2.10
Milestone: None => 2.10.3
** Changed in: apparmor/2.9
Status: New => Fix Committed
** Changed in: apparmor/2.9
Milestone: None => 2.9.5
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1650827
Title:
"Failed name lookup - disconnected path"
Status in AppArmor:
Fix Committed
Status in AppArmor 2.10 series:
Fix Committed
Status in AppArmor 2.9 series:
Fix Committed
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
Hi,
I'm currently trying to use dovecot in a test scenario, but run into
the problem of a strange malfunction of apparmor.
What I do:
installed packages dovecot-core and dovecot-lmtp
(and of course apparmor)
Then I do (as root)
/usr/lib/dovecot/dovecot-lda -d hadmut <<ENDE
Subject: test
blabla
ENDE
which fails. strace shows:
14353 connect(6, {sa_family=AF_LOCAL, sun_path="/var/run/dovecot/config"},
110) = -1 EACCES (Permission denied)
...
14353 connect(7, {sa_family=AF_LOCAL, sun_path="/var/run/dovecot/auth-
userdb"}, 110) = -1 EACCES (Permission denied)
although file permissions are good, unix sockets exist and daemons are
listening.
/var/log/kern.log says
Dec 18 01:09:45 monstrum kernel: [34849.052767] audit: type=1400
audit(1482019785.088:143): apparmor="ALLOWED" operation="connect" info="Failed
name lookup - disconnected path" error=-13
profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/config" pid=15664
comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 18 01:09:45 monstrum kernel: [34849.055652] audit: type=1400
audit(1482019785.092:144): apparmor="ALLOWED" operation="open"
profile="/usr/lib/dovecot/dovecot-lda" name="/usr/share/dovecot/protocols.d/"
pid=15664 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 18 01:09:45 monstrum kernel: [34849.065203] audit: type=1400
audit(1482019785.100:145): apparmor="ALLOWED" operation="connect" info="Failed
name lookup - disconnected path" error=-13
profile="/usr/lib/dovecot/dovecot-lda" name="run/dovecot/auth-userdb" pid=15664
comm="dovecot-lda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=134
which strangely says ALLOWED, but error=-13 as well,
and that even if dovecot-lda is in complain mode.
But when I put it into disable mode with
aa-disable /usr/lib/dovecot/dovecot-lda
then things work.
So
- it is definitely apparmor related, since aa-disable turns the problem off,
- it looks like a bug since aa-complain should never block anything,
- an ALLOWED-log should not blog
- there's an error=-13
regards
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor-profiles 2.10.95-0ubuntu2.5
ProcVersionSignature: Ubuntu 4.4.0-53.74-generic 4.4.30
Uname: Linux 4.4.0-53-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.2
Architecture: amd64
CurrentDesktop: LXDE
Date: Sun Dec 18 01:06:15 2016
PackageArchitecture: all
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.4.0-53-generic
root=UUID=3e286927-f1b6-4954-8b0d-7cf23484309f ro rootflags=subvol=@ splash
quiet vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to xenial on 2016-04-06 (255 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1650827/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
