** Description changed: [Impact] Users report that while running dovecot there are some issues reported by AppArmor, specifically regarding "file_inherit" operations: Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot" Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil" This is likely caused by an anonymous socket communication channel between dovecot and anvil. A fix in the dovecot AppArmor policy was already merged upstream in commit 1ce8cd21, which is being backported in this SRU. There was a change upstream that renamed the dovecot profile, so it was necessary to make a small change on the backport to reference the correct profile name. [Test Plan] - The bug can be reproduced by setting up a multi-purpose VM according - to the README file on QRT, and then running the QRT dovecot tests. + Clone the qa-regression-testing repo + https://git.launchpad.net/qa-regression-testing + Setup the machine according to the instructions in the README.multipurpose-vm - specifically the Email section. + + Run the dovecot tests from the qa-regression-testing repo: + python3 ./script test-dovecot.py + + After running the tests, check dmesg for no DENIED messages: + dmesg | grep DENIED [Where problems could occur] This update broadens the dovecot policy, so it won't to cause any issues regarding a behavior that was previously allowed and it is now denied. In addition, the dovecot policy is already in complain mode in bionic.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1703821 Title: Dovecot and Apparmor complains at operation file_inherit Status in AppArmor: Fix Released Status in apparmor package in Ubuntu: Expired Status in dovecot package in Ubuntu: Fix Released Status in apparmor source package in Bionic: New Status in dovecot source package in Bionic: Fix Released Bug description: [Impact] Users report that while running dovecot there are some issues reported by AppArmor, specifically regarding "file_inherit" operations: Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot" Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil" This is likely caused by an anonymous socket communication channel between dovecot and anvil. A fix in the dovecot AppArmor policy was already merged upstream in commit 1ce8cd21, which is being backported in this SRU. There was a change upstream that renamed the dovecot profile, so it was necessary to make a small change on the backport to reference the correct profile name. [Test Plan] Clone the qa-regression-testing repo https://git.launchpad.net/qa-regression-testing Setup the machine according to the instructions in the README.multipurpose-vm - specifically the Email section. Run the dovecot tests from the qa-regression-testing repo: python3 ./script test-dovecot.py After running the tests, check dmesg for no DENIED messages: dmesg | grep DENIED [Where problems could occur] This update broadens the dovecot policy, so it won't to cause any issues regarding a behavior that was previously allowed and it is now denied. In addition, the dovecot policy is already in complain mode in bionic. To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1703821/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
