I have attached a debdiff for AppArmor containing the upstream fix.

** Description changed:

- My server is running Ubuntu 17.04 and Dovecot 2.2.27 (c0f36b0). Apparmor
- is still complaining about problems with file_inherit. I have put the
- profiles in complain-only mode, so I can continue, but still, it's a
- problem.
+ [Impact]
+ 
+ Users report that while running dovecot there are some issues reported
+ by AppArmor, specifically regarding "file_inherit" operations:
  
  Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400
  audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/sbin/dovecot"
  
  Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400
  audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/lib/dovecot/anvil"
  
- My configuration of Dovecot has changed slightly:
+ This is likely caused by an anonymous socket communication channel
+ between dovecot and anvil.
  
- /etc/dovecot/dovecot-sql.conf.ext
-    driver = mysql
-    connect = host=localhost dbname=mail user=mail password=mailpassword
-    default_pass_scheme = MD5-CRYPT
-    password_query = ...
-    user_query = ...
+ A fix in the dovecot AppArmor policy was already merged upstream
+ in commit 1ce8cd21, which is being backported in this SRU.
+ There was a change upstream that renamed the dovecot profile, so it was
+ necessary to make a small change on the backport to reference the
+ correct profile name.
  
- /etc/dovecot/conf.d/10-auth.conf
-    disable_plaintext_auth = yes
-    auth_mechanisms = plain login
-    #!include auth-system.conf.ext
-    !include auth-sql.conf.ext
+ [Test Plan]
  
- /etc/dovecot/conf.d/10-mail.conf
-    mail_location = maildir:/var/vmail/%d/%n
-    mail_uid = vmail
-    mail_gid = mail
-    first_valid_uid = 150
-    last_valid_uid = 150
+ The bug can be reproduced by setting up a multi-purpose VM according
+ to the README file on QRT, and then running the QRT dovecot tests. 
  
- /etc/dovecot/conf.d/10-ssl.conf
-    ssl = required
-    ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
-    ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
-    ssl_dh_parameters_length = 4096
-    ssl_protocols = ...
-    ssl_cipher_list = ...
-    ssl_prefer_server_ciphers = yes
+ [Where problems could occur]
  
- /etc/dovecot/conf.d/10-master.conf
-    service auth {
-      unix_listener auth-userdb {
-        mode = 0666
-        user = vmail
-        group = mail
-      }
-      unix_listener /var/spool/postfix/private/auth {
-        mode = 0666
-        user = postfix
-        group = postfix
-      }
-    }
- 
- /etc/dovecot/conf.d/15-lda.conf
-    postmaster_address = ...
- 
- 
- Apparmor usr.sbin.dovecot profile:
- 
- #include <tunables/global>
- 
- /usr/sbin/dovecot flags=(complain,attach_disconnected) {
-   #include <abstractions/authentication>
-   #include <abstractions/base>
-   #include <abstractions/dovecot-common>
-   #include <abstractions/mysql>
-   #include <abstractions/nameservice>
-   #include <abstractions/ssl_certs>
-   #include <abstractions/ssl_keys>
- 
-   capability chown,
-   capability dac_override,
-   capability fsetid,
-   capability kill,
-   capability net_bind_service,
-   capability setuid,
-   capability sys_chroot,
-   capability sys_resource,
- 
-   /etc/dovecot/** r,
-   /etc/mtab r,
-   /etc/lsb-release r,
-   /etc/SuSE-release r,
-   @{PROC}/@{pid}/mounts r,
-   /usr/bin/doveconf rix,
-   /usr/lib/dovecot/anvil Px,
-   /usr/lib/dovecot/auth Px,
-   /usr/lib/dovecot/config Px,
-   /usr/lib/dovecot/dict Px,
-   /usr/lib/dovecot/dovecot-auth Pxmr,
-   /usr/lib/dovecot/imap Pxmr,
-   /usr/lib/dovecot/imap-login Pxmr,
-   /usr/lib/dovecot/lmtp Px,
-   /usr/lib/dovecot/log Px,
-   /usr/lib/dovecot/managesieve Px,
-   /usr/lib/dovecot/managesieve-login Pxmr,
-   /usr/lib/dovecot/pop3 Px,
-   /usr/lib/dovecot/pop3-login Pxmr,
-   /usr/lib/dovecot/ssl-build-param rix,
-   /usr/lib/dovecot/ssl-params Px,
-   /usr/sbin/dovecot mrix,
-   /usr/share/dovecot/protocols.d/   r,
-   /usr/share/dovecot/protocols.d/** r,
-   /var/lib/dovecot/ w,
-   /var/lib/dovecot/* rwkl,
-   /var/spool/postfix/private/auth w,
-   /var/spool/postfix/private/dovecot-lmtp w,
-   /{,var/}run/dovecot/ rw,
-   /{,var/}run/dovecot/** rw,
-   link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
- 
-   # Site-specific additions and overrides. See local/README for details.
-   #include <local/usr.sbin.dovecot>
- }
- 
- Profile usr.lib.dovecot.anvil:
- 
- #include <tunables/global>
- 
- /usr/lib/dovecot/anvil flags=(complain) {
-   #include <abstractions/base>
-   #include <abstractions/dovecot-common>
- 
-   capability setuid,
-   capability sys_chroot,
- 
-   /usr/lib/dovecot/anvil mr,
- 
-   # Site-specific additions and overrides. See local/README for details.
-   #include <local/usr.lib.dovecot.anvil>
- }
+ This update broadens the dovecot policy, so it won't to cause any
+ issues regarding a behavior that was previously allowed and it is now
+ denied.
+ In addition, the dovecot policy is already in complain mode in
+ bionic.

** Patch added: "apparmor_2.12-4ubuntu5.2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1703821/+attachment/5606306/+files/apparmor_2.12-4ubuntu5.2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1703821

Title:
  Dovecot and Apparmor complains at operation file_inherit

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Expired
Status in dovecot package in Ubuntu:
  Fix Released
Status in apparmor source package in Bionic:
  New
Status in dovecot source package in Bionic:
  Fix Released

Bug description:
  [Impact]

  Users report that while running dovecot there are some issues reported
  by AppArmor, specifically regarding "file_inherit" operations:

  Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400
  audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/sbin/dovecot"

  Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400
  audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/lib/dovecot/anvil"

  This is likely caused by an anonymous socket communication channel
  between dovecot and anvil.

  A fix in the dovecot AppArmor policy was already merged upstream
  in commit 1ce8cd21, which is being backported in this SRU.
  There was a change upstream that renamed the dovecot profile, so it was
  necessary to make a small change on the backport to reference the
  correct profile name.

  [Test Plan]

  The bug can be reproduced by setting up a multi-purpose VM according
  to the README file on QRT, and then running the QRT dovecot tests. 

  [Where problems could occur]

  This update broadens the dovecot policy, so it won't cause any
  issues regarding behaviour that was previously allowed and is now
  denied.
  In addition, the dovecot policy is already in complain mode in
  bionic.
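The two audit events quoted in the description above are enough to work out which rule each profile is missing: "file_inherit" on a unix stream socket means the fd was handed across a profile transition (dovecot forks anvil with the socketpair still open), and each side needs a unix rule naming the other side's label. The script below is an added example, not code from this bug, from the apparmor package, or from upstream commit 1ce8cd21 (whose exact rule text is not reproduced on this page). It parses the audit lines as they appear above and prints, per profile, the rule that would satisfy the event. The `unix (send, receive) type=stream peer=(label=...)` form is the general AppArmor rule shape for this event class and the helper names are my own assumptions.

```python
"""Derive AppArmor unix-socket rules from 'file_inherit' audit events.

Added example; not part of the Launchpad bug, the apparmor package, or
upstream commit 1ce8cd21.  AUDIT_LINES are the two events quoted in the
bug description.  The emitted rule shape is an assumption about what such
an event needs, not the text of the upstream fix.
"""
import re

AUDIT_LINES = [
    'Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 '
    'audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" '
    'profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" '
    'sock_type="stream" protocol=0 requested_mask="send receive" '
    'denied_mask="send receive" addr=none peer_addr=none '
    'peer="/usr/sbin/dovecot"',
    'Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 '
    'audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" '
    'profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" '
    'sock_type="stream" protocol=0 requested_mask="send receive" '
    'denied_mask="send receive" addr=none peer_addr=none '
    'peer="/usr/lib/dovecot/anvil"',
]

# key=value or key="quoted value" pairs in an AppArmor audit record
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit(line):
    """Return the key/value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def unix_rule(ev):
    """Return (profile, rule) for a unix-socket file_inherit event, else None.

    Both apparmor="ALLOWED" (complain mode, as in the bug) and
    apparmor="DENIED" (enforce mode) carry a denied_mask, which is the
    access the profile lacks.  The rule belongs in the profile named by
    `profile=` and names the other end of the socket via peer=(label=...).
    """
    if ev.get('family') != 'unix' or ev.get('operation') != 'file_inherit':
        return None
    if ev.get('apparmor') not in ('ALLOWED', 'DENIED'):
        return None
    perms = ', '.join(ev['denied_mask'].split())
    rule = 'unix (%s) type=%s peer=(label=%s),' % (
        perms, ev['sock_type'], ev['peer'])
    return ev['profile'], rule


def rules_by_profile(lines):
    """Group the derived rules by confining profile, de-duplicated."""
    out = {}
    for line in lines:
        hit = unix_rule(parse_audit(line))
        if hit is None:
            continue
        profile, rule = hit
        bucket = out.setdefault(profile, [])
        if rule not in bucket:
            bucket.append(rule)
    return out


if __name__ == '__main__':
    for profile, rules in rules_by_profile(AUDIT_LINES).items():
        print('# missing in the profile for %s' % profile)
        for rule in rules:
            print('  ' + rule)
```

For the test plan, the same script can be pointed at the kernel log (replace AUDIT_LINES with the lines from `journalctl -k` or /var/log/kern.log) after the updated package is installed and the QRT dovecot tests have run: an empty result means no dovecot profile is still short of a unix rule. Because anvil and dovecot are confined by different profiles, each needs its own rule, which is why both events above map to a different profile.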

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1703821/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp