Robie, thank you for taking a look at it. In this case, the user is impacted by noisy logs, since the dovecot profile is in complain mode. That means that AppArmor does not block actions, it only logs them, so that's probably the reason we are not getting more users reporting this.
I believe you are correct, perhaps an SRU is not worth it here, not because the user can modify the policy, but because dovecot functionality is not being affected.

-- 
https://bugs.launchpad.net/bugs/1703821

Title: Dovecot and Apparmor complains at operation file_inherit

Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Expired
Status in dovecot package in Ubuntu: Fix Released
Status in apparmor source package in Bionic: Incomplete
Status in dovecot source package in Bionic: Fix Released

Bug description:

[Impact]

Users report that while running dovecot there are some issues reported by AppArmor, specifically regarding "file_inherit" operations:

Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"

This is likely caused by an anonymous socket communication channel between dovecot and anvil.

A fix in the dovecot AppArmor policy was already merged upstream in commit 1ce8cd21, which is being backported in this SRU. There was a change upstream that renamed the dovecot profile, so it was necessary to make a small change on the backport to reference the correct profile name.

[Test Plan]

Clone the qa-regression-testing repo:
https://git.launchpad.net/qa-regression-testing

Set up the machine according to the instructions in the README.multipurpose-vm, specifically the Email section.

Run the dovecot tests from the qa-regression-testing repo:

  python3 ./script test-dovecot.py

After running the tests, check dmesg for no DENIED messages:

  dmesg | grep DENIED

[Where problems could occur]

This update broadens the dovecot policy, so it won't cause any issues regarding a behavior that was previously allowed and is now denied. In addition, the dovecot policy is already in complain mode in bionic.
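
An added example, not part of the original message or the bug report: a small parser that tallies AppArmor audit records for the dovecot profiles by verdict, so complain-mode events (logged as ALLOWED, as in the two records quoted above) are counted alongside enforce-mode DENIED events. The function names and the profile filter are assumptions made for this illustration; the sample input is the pair of log lines from the bug description.

```python
import re
from collections import Counter

# The two audit records quoted in the bug description, embedded so this runs offline.
SAMPLE_LOG = """\
Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
"""

# key="quoted value" or key=bare_value, as found in type=1400 audit records.
_PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None if it is not one."""
    fields = {key: (quoted if raw.startswith('"') else raw)
              for key, raw, quoted in _PAIR.findall(line)}
    return fields if "apparmor" in fields else None


def summarize(log_text, profile_filter="dovecot"):
    """Count events per (verdict, operation, profile, peer) for matching profiles."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields is None or profile_filter not in fields.get("profile", ""):
            continue
        counts[(fields["apparmor"], fields.get("operation"),
                fields.get("profile"), fields.get("peer"))] += 1
    return counts


def verdict_totals(log_text, profile_filter="dovecot"):
    """Total events per verdict: complain mode logs ALLOWED, enforce mode logs DENIED."""
    totals = Counter()
    for (verdict, _op, _profile, _peer), n in summarize(log_text, profile_filter).items():
        totals[verdict] += n
    return totals


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
    print(dict(verdict_totals(SAMPLE_LOG)))
```

On a live system the same functions can be fed the kernel log text instead of SAMPLE_LOG.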