dovecot/apparmor: profile not found
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Undecided | Unassigned |
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | High | Unassigned |

Bug Description
[impact]
This bug prevents dovecot users from using the apparmor policies shipped
in the apparmor-profiles package without significant modifications.
[steps to reproduce]
1) install and setup dovecot and confirm that it's functioning as
expected
2) install the apparmor-profiles package
3) restart dovecot to ensure apparmor policies are being applied
4) if this bug has been addressed, dovecot should start successfully
without generating apparmor rejections
[regression potential]
The change in the patch for this bug updates the dovecot policy to
match the most recent apparmor release (2.9.2). These add missing
policies, restructure a few things to common abstractions, and grant
additional permissions. Any regressions related to this patch would
be strictly limited to the policy for dovecot.
[original description]
I'm on Ubuntu 14.04 LTS. Since last week I get these messages:
[11468.257576] type=1400 audit(139565912
[11491.128691] type=1400 audit(139565914
[11551.171186] type=1400 audit(139565921
[11551.171338] type=1400 audit(139565921
When I then start dovecot I get these in mail.log:
Mar 24 08:42:52 polly dovecot: master: Dovecot v2.2.9 starting up (core dumps disabled)
Mar 24 08:42:52 polly dovecot: master: Fatal: execv(/
Mar 24 08:42:52 polly dovecot: master: Error: service(anvil): command startup failed, throttling for 2 secs
Mar 24 08:42:52 polly dovecot: master: Error: service(log): child 1387 returned error 84 (exec() failed)
Mar 24 08:42:52 polly dovecot: master: Error: service(log): command startup failed, throttling for 2 secs
Mar 24 08:42:52 polly dovecot: master: Error: service(
Mar 24 08:55:42 polly dovecot: master: Error: service(config): command startup failed, throttling for 2 secs
Mar 24 08:55:42 polly dovecot: master: Error: service(
I tried to purge and reinstall apparmor(-profiles) but that didn't fix this issue. I did an aa-disable dovecot and now the errors are gone.
tags: added: aa-policy
affects: apparmor-profiles → apparmor
Changed in apparmor (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → High
I am experiencing this as well on my 14.04 LTS installation.
Jun 8 22:10:30 ip-10-147-235-73 kernel: [7770896.524945] type=1400 audit(1402265430.441:10760): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap-login" name="/run/dovecot/anvil" pid=16455 comm="imap-login" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Jun 8 22:10:30 ip-10-147-235-73 kernel: [7770896.635272] type=1400 audit(1402265430.549:10761): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap" name="/run/dovecot/config" pid=16456 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Jun 8 22:10:30 ip-10-147-235-73 kernel: [7770896.635983] type=1400 audit(1402265430.549:10762): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap" name="/run/dovecot/auth-master" pid=16456 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
I have my imap services in 'complain' mode though, so they are not being halted. Services continue to run.
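
An added example, not part of the bug report or of AppArmor's own tooling: a small Python parser for the `apparmor=` audit lines quoted in the comments above. It groups events by profile and separates `ALLOWED` (complain mode, logged only) from `DENIED` (enforce mode, blocked). The sample log is constructed; the `host` name and the `DENIED` line are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: kernel log lines in the AppArmor audit format quoted above.
# The host name and the DENIED line are invented for illustration.
SAMPLE_LOG = """\
Jun  8 22:10:30 host kernel: [7770896.524945] type=1400 audit(1402265430.441:10760): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap-login" name="/run/dovecot/anvil" pid=16455 comm="imap-login" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Jun  8 22:10:30 host kernel: [7770896.635272] type=1400 audit(1402265430.549:10761): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap" name="/run/dovecot/config" pid=16456 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Jun  8 22:10:30 host kernel: [7770896.635983] type=1400 audit(1402265430.549:10762): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap" name="/run/dovecot/auth-master" pid=16456 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Jun  8 22:11:02 host kernel: [7770928.100000] type=1400 audit(1402265462.010:10770): apparmor="DENIED" operation="open" profile="/usr/sbin/dovecot" name="/etc/dovecot/example.conf" pid=16500 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; a value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    start = line.find("apparmor=")
    if start < 0:
        return None  # not an AppArmor event (e.g. a dovecot mail.log line)
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line[start:])}


def summarise(log_text):
    """Map profile -> {(verdict, operation, name, denied_mask): count}."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and "profile" in ev:
            key = (ev["apparmor"], ev.get("operation", "?"),
                   ev.get("name", "?"), ev.get("denied_mask", ""))
            summary[ev["profile"]][key] += 1
    return {profile: dict(events) for profile, events in summary.items()}


def blocking_profiles(summary):
    """Profiles with at least one DENIED event: enforcement is blocking access."""
    return sorted(p for p, events in summary.items()
                  if any(key[0] == "DENIED" for key in events))


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for profile, events in sorted(result.items()):
        for (verdict, op, name, mask), n in sorted(events.items()):
            print(f"{profile}: {verdict} {op} {name} ({mask}) x{n}")
    print("profiles with DENIED events:", blocking_profiles(result))
```

Each `(operation, name, denied_mask)` tuple under a profile is an access the loaded policy does not cover, which is the list to compare against an updated profile before switching it from complain to enforce mode.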