[Bug 1652131] [NEW] Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot

Nathaniel Homier 1652131 at bugs.launchpad.net
Thu Dec 22 18:27:26 UTC 2016 

Public bug reported:

lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.10
Release:	16.10
Codename:	yakkety

Installing Postfix and Dovecot and setting them up as explained at
https://help.ubuntu.com/lts/serverguide/postfix.html

Then setting all apparmor profiles including Postfix and Dovecot to
enforce mode.

Postfix fails to send a TLS protected email because Dovecot can't
connect to /var/spool/postfix/auth/private because when Dovecot's
apparmor profile is set to enforce mode, apparmor denies Dovecot access
to /var/spool/postfix/auth/private.

Syslog
apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth"
name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w"
denied_mask="w" fsuid=0 ouid=0

apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/lib/dovecot/log"
name="run/systemd/journal/dev-log" pid=8093 comm="log"
requested_mask="w" denied_mask="w" fsuid=0 ouid=0

apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/lib/dovecot/log"
name="run/systemd/journal/dev-log" pid=8093 comm="log"
requested_mask="w" denied_mask="w" fsuid=0 ouid=0

apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth"
name="/var/spool/postfix/private/auth" pid=8251 comm="auth"
requested_mask="w" denied_mask="w" fsuid=129 ouid=130

apparmor="DENIED" operation="file_perm" profile="/usr/lib/dovecot/auth"
name="/var/spool/postfix/private/auth" pid=8251 comm="auth"
requested_mask="w" denied_mask="w" fsuid=129 ouid=130

Dec 22 10:38:20 frontier postfix/master[1516]: warning: process
/usr/lib/postfix/sbin/smtpd pid 8248 exit status 1

** Affects: dpkg (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apparmor dovecot mta postfix

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/1652131

Title:
  Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks
  access to /var/spool/private/auth for Dovecot

Status in dpkg package in Ubuntu:
  New

Bug description:
  lsb_release -a
  No LSB modules are available.
  Distributor ID:	Ubuntu
  Description:	Ubuntu 16.10
  Release:	16.10
  Codename:	yakkety

  Installing Postfix and Dovecot and setting them up as explained at
  https://help.ubuntu.com/lts/serverguide/postfix.html

  Then setting all apparmor profiles including Postfix and Dovecot to
  enforce mode.

  Postfix fails to send a TLS protected email because Dovecot can't
  connect to /var/spool/postfix/auth/private because when Dovecot's
  apparmor profile is set to enforce mode, apparmor denies Dovecot
  access to /var/spool/postfix/auth/private.

  Syslog
  apparmor="DENIED" operation="connect" profile="/usr/lib/dovecot/auth" name="/run/dovecot/anvil-auth-penalty" pid=8251 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth"
  name="/run/dovecot/stats-user" pid=8251 comm="auth" requested_mask="w"
  denied_mask="w" fsuid=0 ouid=0

  apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
  disconnected path" error=-13 profile="/usr/lib/dovecot/log"
  name="run/systemd/journal/dev-log" pid=8093 comm="log"
  requested_mask="w" denied_mask="w" fsuid=0 ouid=0

  apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
  disconnected path" error=-13 profile="/usr/lib/dovecot/log"
  name="run/systemd/journal/dev-log" pid=8093 comm="log"
  requested_mask="w" denied_mask="w" fsuid=0 ouid=0

  apparmor="DENIED" operation="file_perm"
  profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth"
  pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129
  ouid=130

  apparmor="DENIED" operation="file_perm"
  profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/private/auth"
  pid=8251 comm="auth" requested_mask="w" denied_mask="w" fsuid=129
  ouid=130

  Dec 22 10:38:20 frontier postfix/master[1516]: warning: process
  /usr/lib/postfix/sbin/smtpd pid 8248 exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1652131/+subscriptions

More information about the foundations-bugs mailing list