[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apparmor (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1652131 Title: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot Status in AppArmor: Fix Released Status in AppArmor 2.10 series: Fix Released Status in AppArmor 2.9 series: Fix Released Status in apparmor package in Ubuntu: Confirmed Bug description: lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.10 Release: 16.10 Codename: yakkety Installing Postfix and Dovecot and setting them up as explained at https://help.ubuntu.com/lts/serverguide/postfix.html Then setting all apparmor profiles including Postfix and Dovecot to enforce mode. Postfix fails to send a TLS protected email because Dovecot can't connect to /var/spool/postfix/auth/private because when Dovecot's apparmor profile is set to enforce mode, apparmor denies Dovecot access to /var/spool/postfix/auth/private. Syslog apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 Dec 22 10:38:20 frontier postfix/master[1516]: warning: process /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1652131/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot
** Changed in: apparmor Status: Fix Committed => Fix Released ** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released ** Changed in: apparmor/2.9 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1652131 Title: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot Status in AppArmor: Fix Released Status in AppArmor 2.10 series: Fix Released Status in AppArmor 2.9 series: Fix Released Status in apparmor package in Ubuntu: New Bug description: lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.10 Release: 16.10 Codename: yakkety Installing Postfix and Dovecot and setting them up as explained at https://help.ubuntu.com/lts/serverguide/postfix.html Then setting all apparmor profiles including Postfix and Dovecot to enforce mode. Postfix fails to send a TLS protected email because Dovecot can't connect to /var/spool/postfix/auth/private because when Dovecot's apparmor profile is set to enforce mode, apparmor denies Dovecot access to /var/spool/postfix/auth/private. Syslog apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 Dec 22 10:38:20 frontier postfix/master[1516]: warning: process /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1652131/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot
Fixed in upstream AppArmor bzr - trunk r3607, 2.10 branch r3376 and 2.9 branch r3042. ** Changed in: apparmor Status: New => Fix Committed ** Changed in: apparmor Milestone: None => 2.11 ** Also affects: apparmor/2.9 Importance: Undecided Status: New ** Also affects: apparmor/2.10 Importance: Undecided Status: New ** Changed in: apparmor/2.10 Status: New => Fix Committed ** Changed in: apparmor/2.10 Milestone: None => 2.10.2 ** Changed in: apparmor/2.9 Status: New => Fix Committed ** Changed in: apparmor/2.9 Milestone: None => 2.9.4 ** Changed in: apparmor/2.10 Assignee: (unassigned) => Christian Boltz (cboltz) ** Changed in: apparmor/2.9 Assignee: (unassigned) => Christian Boltz (cboltz) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1652131 Title: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot Status in AppArmor: Fix Committed Status in AppArmor 2.10 series: Fix Committed Status in AppArmor 2.9 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.10 Release: 16.10 Codename: yakkety Installing Postfix and Dovecot and setting them up as explained at https://help.ubuntu.com/lts/serverguide/postfix.html Then setting all apparmor profiles including Postfix and Dovecot to enforce mode. Postfix fails to send a TLS protected email because Dovecot can't connect to /var/spool/postfix/auth/private because when Dovecot's apparmor profile is set to enforce mode, apparmor denies Dovecot access to /var/spool/postfix/auth/private. Syslog apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 Dec 22 10:38:20 frontier postfix/master[1516]: warning: process /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1652131/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot
profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" denied_mask="w" That's already covered by the latest upstream profile. profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" denied_mask="wr" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" denied_mask="w" That translates to: /{var/,}run/dovecot/anvil-auth-penalty rw, /var/spool/postfix/private/auth w, info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" You'll need to add flags=(attach_disconnected) to the dovecot/log profile. Patch sent to upstream mailinglist for review. ** Also affects: apparmor Importance: Undecided Status: New ** Changed in: apparmor Assignee: (unassigned) => Christian Boltz (cboltz) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1652131 Title: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot Status in AppArmor: New Status in apparmor package in Ubuntu: New Bug description: lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.10 Release: 16.10 Codename: yakkety Installing Postfix and Dovecot and setting them up as explained at https://help.ubuntu.com/lts/serverguide/postfix.html Then setting all apparmor profiles including Postfix and Dovecot to enforce mode. Postfix fails to send a TLS protected email because Dovecot can't connect to /var/spool/postfix/auth/private because when Dovecot's apparmor profile is set to enforce mode, apparmor denies Dovecot access to /var/spool/postfix/auth/private. Syslog apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 Dec 22 10:38:20 frontier postfix/master[1516]: warning: process /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1652131/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot
Launchpad acting weird. Won't select the right package which is apparmor. ** Package changed: dpkg (Ubuntu) => apparmor (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1652131 Title: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot Status in apparmor package in Ubuntu: New Bug description: lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.10 Release: 16.10 Codename: yakkety Installing Postfix and Dovecot and setting them up as explained at https://help.ubuntu.com/lts/serverguide/postfix.html Then setting all apparmor profiles including Postfix and Dovecot to enforce mode. Postfix fails to send a TLS protected email because Dovecot can't connect to /var/spool/postfix/auth/private because when Dovecot's apparmor profile is set to enforce mode, apparmor denies Dovecot access to /var/spool/postfix/auth/private. Syslog apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=8093 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth" pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129 ouid=130 Dec 22 10:38:20 frontier postfix/master[1516]: warning: process /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1652131/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp