[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apparmor (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1652131 Title: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot Status in AppArmor: Fix Released Status in AppArmor 2.10 series: Fix Released Status in AppArmor 2.9 series: Fix Released Status in apparmor package in Ubuntu: Confirmed Bug description: lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.10 Release: 16.10 Codename: yakkety Installing Postfix and Dovecot and setting them up as explained at https://help.ubuntu.com/lts/serverguide/postfix.html Then setting all apparmor profiles including Postfix and Dovecot to enforce mode. Postfix fails to send a TLS protected email because Dovecot can't connect to /var/spool/postfix/auth/private because when Dovecot's apparmor profile is set to enforce mode, apparmor denies Dovecot access to /var/spool/postfix/auth/private. Syslog apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 Dec 22 10:38:20 frontier postfix/master[1516]: warning: process /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1652131/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot
** Changed in: apparmor Status: Fix Committed => Fix Released ** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released ** Changed in: apparmor/2.9 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1652131 Title: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot Status in AppArmor: Fix Released Status in AppArmor 2.10 series: Fix Released Status in AppArmor 2.9 series: Fix Released Status in apparmor package in Ubuntu: New Bug description: lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.10 Release: 16.10 Codename: yakkety Installing Postfix and Dovecot and setting them up as explained at https://help.ubuntu.com/lts/serverguide/postfix.html Then setting all apparmor profiles including Postfix and Dovecot to enforce mode. Postfix fails to send a TLS protected email because Dovecot can't connect to /var/spool/postfix/auth/private because when Dovecot's apparmor profile is set to enforce mode, apparmor denies Dovecot access to /var/spool/postfix/auth/private. Syslog apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 Dec 22 10:38:20 frontier postfix/master[1516]: warning: process /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1652131/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot
Fixed in upstream AppArmor bzr - trunk r3607, 2.10 branch r3376 and 2.9 branch r3042. ** Changed in: apparmor Status: New => Fix Committed ** Changed in: apparmor Milestone: None => 2.11 ** Also affects: apparmor/2.9 Importance: Undecided Status: New ** Also affects: apparmor/2.10 Importance: Undecided Status: New ** Changed in: apparmor/2.10 Status: New => Fix Committed ** Changed in: apparmor/2.10 Milestone: None => 2.10.2 ** Changed in: apparmor/2.9 Status: New => Fix Committed ** Changed in: apparmor/2.9 Milestone: None => 2.9.4 ** Changed in: apparmor/2.10 Assignee: (unassigned) => Christian Boltz (cboltz) ** Changed in: apparmor/2.9 Assignee: (unassigned) => Christian Boltz (cboltz) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1652131 Title: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot Status in AppArmor: Fix Committed Status in AppArmor 2.10 series: Fix Committed Status in AppArmor 2.9 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.10 Release: 16.10 Codename: yakkety Installing Postfix and Dovecot and setting them up as explained at https://help.ubuntu.com/lts/serverguide/postfix.html Then setting all apparmor profiles including Postfix and Dovecot to enforce mode. Postfix fails to send a TLS protected email because Dovecot can't connect to /var/spool/postfix/auth/private because when Dovecot's apparmor profile is set to enforce mode, apparmor denies Dovecot access to /var/spool/postfix/auth/private. Syslog apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 Dec 22 10:38:20 frontier postfix/master[1516]: warning: process /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1652131/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot
profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user"
denied_mask="w"
That's already covered by the latest upstream profile.
profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty"
denied_mask="wr"
profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth"
denied_mask="w"
That translates to:
/{var/,}run/dovecot/anvil-auth-penalty rw,
/var/spool/postfix/private/auth w,
info="Failed name lookup - disconnected path" error=-13
profile="/usr/lib/dovecot/log"
You'll need to add flags=(attach_disconnected) to the dovecot/log
profile.
Patch sent to upstream mailinglist for review.
** Also affects: apparmor
Importance: Undecided
Status: New
** Changed in: apparmor
Assignee: (unassigned) => Christian Boltz (cboltz)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1652131
Title:
Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks
access to /var/spool/private/auth for Dovecot
Status in AppArmor:
New
Status in apparmor package in Ubuntu:
New
Bug description:
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.10
Release: 16.10
Codename: yakkety
Installing Postfix and Dovecot and setting them up as explained at
https://help.ubuntu.com/lts/serverguide/postfix.html
Then setting all apparmor profiles including Postfix and Dovecot to
enforce mode.
Postfix fails to send a TLS protected email because Dovecot can't
connect to /var/spool/postfix/auth/private because when Dovecot's
apparmor profile is set to enforce mode, apparmor denies Dovecot
access to /var/spool/postfix/auth/private.
Syslog
apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth"
name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr"
denied_mask="wr" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth"
name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w"
denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/lib/dovecot/log"
name="run/systemd/journal/dev-log" pid=8093 comm="log"
requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/lib/dovecot/log"
name="run/systemd/journal/dev-log" pid=8093 comm="log"
requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="file_perm"
profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth"
pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129
ouid=130
apparmor="DENIED" operation="file_perm"
profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth"
pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129
ouid=130
Dec 22 10:38:20 frontier postfix/master[1516]: warning: process
/usr/lib/postfix/sbin/smtpd pid 8248 exit status 1
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1652131/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot
Launchpad acting weird. Won't select the right package which is apparmor. ** Package changed: dpkg (Ubuntu) => apparmor (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1652131 Title: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot Status in apparmor package in Ubuntu: New Bug description: lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.10 Release: 16.10 Codename: yakkety Installing Postfix and Dovecot and setting them up as explained at https://help.ubuntu.com/lts/serverguide/postfix.html Then setting all apparmor profiles including Postfix and Dovecot to enforce mode. Postfix fails to send a TLS protected email because Dovecot can't connect to /var/spool/postfix/auth/private because when Dovecot's apparmor profile is set to enforce mode, apparmor denies Dovecot access to /var/spool/postfix/auth/private. Syslog apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 Dec 22 10:38:20 frontier postfix/master[1516]: warning: process /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1652131/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
