[apparmor] [patch] dovecot profile: allow capability sys_resource
Christian Boltz
apparmor at cboltz.de
Tue Nov 29 12:49:05 UTC 2016
Hello,
On servers with not too much memory ("only" 16 GB), dovecot logins fail:
Nov 25 21:35:15 server dovecot[28737]: master: Fatal: setrlimit(RLIMIT_DATA, 268435456): Permission denied
Nov 25 21:35:15 server dovecot[28731]: master: Error: service(auth): command startup failed, throttling for 2 secs
Nov 25 21:35:15 server dovecot[28737]: auth: Fatal: master: service(auth): child 25976 returned error 89 (Fatal failure)
audit.log messages are:
... apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" capability=24 capname="sys_resource"
... apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" rlimit=data value=268435456
After allowing capability sys_resource, dovecot can increase the limit
and works again.
I propose this patch for trunk, 2.10 and 2.9.
[ dovecot-cap-sys_resource.diff ]
=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
--- profiles/apparmor.d/usr.sbin.dovecot 2014-12-22 16:49:28 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot 2016-11-29 11:46:32 +0000
@@ -28,6 +28,7 @@
capability net_bind_service,
capability setuid,
capability sys_chroot,
+ capability sys_resource,
/etc/dovecot/** r,
/etc/mtab r,
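Review bot: the added `capability sys_resource,` matches the `operation="capable" ... capname="sys_resource"` denial, but it is a broad grant (CAP_SYS_RESOURCE also lets dovecot exceed disk quotas and raise limits on other tasks), so a one-line comment above it in the profile, e.g. `# setrlimit(RLIMIT_DATA) at service startup`, would tell the next reader why it is there and keep it from being pruned as unused. The second audit line is an rlimit-class denial (`operation="setrlimit" ... rlimit=data value=268435456`), which AppArmor mediates separately from capabilities via `set rlimit data <= ...` rules; since the reporter says the capability alone restores logins, it is worth confirming during review that no rlimit rule in this profile still caps `data` below 256M, otherwise that denial will reappear once the capability is granted.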
Regards,
Christian Boltz
--
> Yeah, sure. That is "surgical".
Chainsaw or scalpel, that is the question here.
[> Ralf Hildebrandt and Peer Heinlein in postfixbuch-users]
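One way to turn audit.log denials like the two quoted in this thread into candidate profile rules. This is an added example written for this page, not code from the post or from AppArmor's own tooling (aa-logprof does this job for real profiles). The audit(...) headers are assumed, the key=value bodies mirror the quoted lines, and the third, file-access line is constructed so the file branch runs too; the script goes beyond the post by handling capability, rlimit and file denials.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules.

Added example for this mailing-list thread; not AppArmor's own tooling.
The audit(...) headers and the third (file) line below are constructed.
"""
import re

# Constructed sample log: the capable and setrlimit denials from the post
# plus one assumed file denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1480109715.123:4711): apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" capability=24  capname="sys_resource"
type=AVC msg=audit(1480109715.124:4712): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" rlimit=data value=268435456
type=AVC msg=audit(1480109715.125:4713): apparmor="DENIED" operation="open" profile="/usr/sbin/dovecot" name="/etc/dovecot/local.conf" pid=25000 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either a double-quoted string or a bare token
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED line as a dict, else None."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def _size(value):
    """Render a byte count with the K/M/G suffixes AppArmor rlimit rules accept."""
    n = int(value)
    for suffix, unit in (("G", 1 << 30), ("M", 1 << 20), ("K", 1 << 10)):
        if n >= unit and n % unit == 0:
            return f"{n // unit}{suffix}"
    return str(n)


def suggest_rule(ev):
    """Map one denial to the narrowest rule that would permit it."""
    op = ev.get("operation")
    if op == "capable":
        return f"capability {ev['capname']},"
    if op == "setrlimit":
        # rlimit rules bound the hard limit a confined task may set;
        # the logged value is the hard limit the task asked for.
        return f"set rlimit {ev['rlimit']} <= {_size(ev['value'])},"
    if "name" in ev and "denied_mask" in ev:
        # create (c) and delete (d) are covered by w in file rules
        mask = ev["denied_mask"].replace("c", "w").replace("d", "w")
        perms = "".join(sorted(set(mask)))
        return f"{ev['name']} {perms},"
    return None


def suggest_rules(log_text):
    """Group candidate rules per profile, deduplicated, in log order."""
    out = {}
    for line in log_text.splitlines():
        ev = parse_denial(line)
        if not ev:
            continue
        rule = suggest_rule(ev)
        if rule is None:
            continue
        rules = out.setdefault(ev["profile"], [])
        if rule not in rules:
            rules.append(rule)
    return out


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for {profile}")
        for rule in rules:
            print(f"  {rule}")
```

The output is a starting point for review, not something to paste blindly: a `capability` line grants every use of that capability, so compare it against what the program actually does (here, one setrlimit call at startup) before committing it to the profile.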