[Touch-packages] [Bug 482080] Re: Dovecot's apparmor profile breaks dovecot-antispam

2017-04-29 Thread Christian Boltz
I'd even recommend to restrict it a bit more:

  owner /tmp/antispam-mail*/ rw,
  owner /tmp/antispam-mail*/* rwkl,

sendmail might be a candidate for a child profile. Such a (maybe too
generous) profile already exists in the dovecot-lda profile, so cleaning
it up and removing permissions that are not needed for "just" sending a
mail might be a good idea.

I won't object if you provide a generic sendmail profile that we can Px
into (feel free to use the child profile in dovecot-lda as a base), but
that needs much more testing before shipping and enforcing it in the
default setup.

** Also affects: apparmor
   Importance: Undecided
   Status: New

** Tags added: aa-policy

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/482080

Title:
  Dovecot's apparmor profile breaks dovecot-antispam

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New
Status in dovecot-antispam package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: dovecot-antispam

  On my Ubuntu 9.10, with the following versions of the packages installed:
  dovecot-antispam : 1.1+20090218.git.g28075fa-2
  apparmor-profiles : 2.3.1+1403-0ubuntu27.1

  The antispam plugin tries to use folders in /tmp/ (like "/tmp/antispam-mail-QXCQTR/") as a temporary storage zone. But it is prevented from doing so by apparmor
  |  dmesg |tail
  |  [553173.563468] type=1502 audit(1258103977.311:86928): operation="mkdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
  |  [553173.563884] type=1502 audit(1258103977.311:86929): operation="rmdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
  | [...]

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/482080/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
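
Added example (not part of any message in this thread, and not AppArmor's own code): a small Python model of AppArmor path globbing, limited to `*` and `**`, that compares the rule scopes proposed in this thread. The set names (`broad`, `prefix`, `split`) and every sample path except the one taken from the denial log are constructed, and the `owner` qualifier is not modelled.

```python
import re

def aare_to_regex(glob):
    """Translate an AppArmor path glob to a regex (only * and ** are modelled)."""
    out, i = [], 0
    while i < len(glob):
        if glob[i] != "*":
            out.append(re.escape(glob[i]))
            i += 1
            continue
        j = i
        while j < len(glob) and glob[j] == "*":
            j += 1
        # A glob that forms a whole path component must match at least one
        # character, so "/foo/*" does not match the directory "/foo/" itself.
        if i > 0 and glob[i - 1] == "/" and (j == len(glob) or glob[j] == "/"):
            out.append("[^/]")
        out.append(".*" if j - i >= 2 else "[^/]*")  # ** crosses "/", * does not
        i = j
    return re.compile("".join(out), re.DOTALL)

# Rule sets proposed in the thread; the "owner" qualifier is not modelled here.
CANDIDATES = {
    "broad": [("/tmp/**", "rwkl")],
    "prefix": [("/tmp/antispam-mail**", "rwkl")],
    "split": [("/tmp/antispam-mail*/", "rw"), ("/tmp/antispam-mail*/*", "rwkl")],
}

# First path is from the denial log; the rest are constructed for illustration.
SAMPLE_PATHS = [
    "/tmp/antispam-mail-0doKnn/",
    "/tmp/antispam-mail-0doKnn/msg1",
    "/tmp/antispam-mail-0doKnn/sub/msg1",
    "/tmp/antispam-mailbox-export.tar",
    "/tmp/other-app.sock",
]

def granted(rules, path):
    """Union of permissions the rule set grants on path ('' means denied)."""
    perms = set()
    for glob, mode in rules:
        if aare_to_regex(glob).fullmatch(path):
            perms.update(mode)
    return "".join(p for p in "rwkl" if p in perms)

if __name__ == "__main__":
    for name, rules in CANDIDATES.items():
        print(name)
        for path in SAMPLE_PATHS:
            print(f"  {granted(rules, path) or 'DENY':5} {path}")
```

In this model the `split` set grants `rw` on the temporary directory and `rwkl` on files directly inside it, and denies both the nested path and the look-alike file directly under /tmp that the `prefix` rule would allow.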


[Touch-packages] [Bug 482080] Re: Dovecot's apparmor profile breaks dovecot-antispam

2017-04-28 Thread ChristianEhrhardt
Would be profiles/apparmor.d/usr.lib.dovecot.imap in the apparmor package.
But after all the time we might need a check if things still apply.

Also, in a different setup the same entries might be needed in usr.lib.dovecot.pop3 or such.
And in that case maybe rather abstractions/dovecot-common?

And finally I don't know if
  owner /tmp/** rwkl,
is too open?
Looking at the logs maybe rather:
  owner /tmp/antispam-mail** rwkl,



[Touch-packages] [Bug 482080] Re: Dovecot's apparmor profile breaks dovecot-antispam

2017-04-28 Thread ChristianEhrhardt
While working on the minor merge for Dovecot I realized that this profile is in fact part of apparmor profiles :-/
So I flagged wrong last November - adding apparmor now.

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** No longer affects: dovecot (Ubuntu)
