similar to commit 2f9d172c64
we discovered that there was a service outage
when dovecot tried to send a usr1 signal
type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/865
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 83685ba703)
f0919f83 Allow dovecot to use all signals
Dovecot is hit with this denial on Debian 10 (buster):
```
type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED"
operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem"
pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
```
This results in fatal error:
```
Oct 25 19:31:36 dovecot[28774]: doveconf: Fatal: Error in configuration
file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file
/usr/share/dovecot/dh.pem: Permission denied
```
Add rule to allow reading dh.pem.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671
(cherry picked from commit 9d8e111abe)
Signed-off-by: John Johansen <john.johansen@canonical.com>
misc dovecot fixes (take #2)
See merge request apparmor/apparmor!336
Acked-by: Christian Boltz <apparmor@cboltz.de> for master..2.10
(cherry picked from commit e68beb988a)
a57f01d8 dovecot: allow FD passing between dovecot and dovecot's anvil
d0aa863f dovecot: allow chroot'ing the auth processes
9afeb225 dovecot: let dovecot/anvil rw the auth-penalty socket
17db8f38 dovecot: auth processes need to read from postfix auth socket
6a7c49b1 dovecot: add abstractions/ssl_certs to lmtp
Add profile names to all profiles with {bin,sbin} attachment
See merge request apparmor/apparmor!242
Acked-by: intrigeri <intrigeri@debian.org>
(cherry picked from commit fd68a5eb64)
b77116e6 Add profile names to all profiles with {bin,sbin} attachment
Some of the /usr/lib/dovecot/* rules already have mrPx permissions,
while others don't.
With a more recent kernel, I noticed that at least auth, config, dict,
lmtp, pop3 and ssl-params need mrPx instead of just Px (confirmed by the
audit.log and actual breakage caused by the missing mr permissions).
The mr additions for anvil, log and managesieve are just a wild guess,
but I would be very surprised if they don't need mr.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
On servers with not too much memory ("only" 16 GB), dovecot logins fail:
Nov 25 21:35:15 server dovecot[28737]: master: Fatal: setrlimit(RLIMIT_DATA, 268435456): Permission denied
Nov 25 21:35:15 server dovecot[28731]: master: Error: service(auth): command startup failed, throttling for 2 secs
Nov 25 21:35:15 server dovecot[28737]: auth: Fatal: master: service(auth): child 25976 returned error 89 (Fatal failure)
audit.log messages are:
... apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" capability=24 capname="sys_resource"
... apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" rlimit=data value=268435456
After allowing capability sys_resource, dovecot can increase the limit
and works again.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
Adds #include <abstractions/dovecot-common> to the usr.sbin.dovecot
profile. Effectively this adds "deny capability block_suspend," which
is the only missing part from
https://bugs.launchpad.net/apparmor/+bug/1296667/
It also removes "capability setgid," (covered by
abstractions/dovecot-common) and "@{PROC}/filesystems r," (part of
abstractions/base).
Acked-by: John Johansen <john.johansen@canonical.com>
after testing the dovecot profiles on a new server, I noticed
/usr/sbin/dovecot needs some more permissions:
- mysql access
- execution permissions for /usr/lib/dovecot/dict and lmtp
- write access to some postfix sockets, used to
- provide SMTP Auth via dovecot
- deliver mails to dovecot via LMTP
- and read access to /proc/filesystems
Acked-by: John Johansen <john.johansen@canonical.com>
The usr.sbin.dovecot profile needs several updates for dovecot 2.x,
including
- capability dac_override and kill
- Px for various binaries in /usr/lib/dovecot/
The patch also adds a nice copyright header (I hope I got the bzr log
right ;-)
Acked-by: John Johansen <john.johansen@canonical.com>
This patch adds the kernelvars tunable to the global set that is usually
included by default in apparmor policies. It then converts the rules
that are intended to match /proc/pid to use this tunable.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
- allow /var/spool/mail, not only the /var/mail symlink
- allow @{HOME}/Mail/
- allow capability fsetid, read access to /etc/lsb-release and
SuSE-release and k for /var/{lib,run}/dovecot in usr.bin.dovecot
References:
- dovecot: Added support for /var/spool/mail (bnc#691072)
- Updated dovecot profile (bnc#681267).
Patch taken from openSUSE:11.4:Update:Test, file apparmor-profiles-dovecot
updated to match trunk by Christian Boltz <apparmor@cboltz.de>
Change compared to the patch posted to the ML:
- link rule instead of adding l permissions for /var/lib/dovecot and
/var/run/dovecot (as proposed by John Johansen)
Acked-By: John Johansen <john.johansen@canonical.com> on IRC
- add profiles/local/README
- adjust profiles/apparmor.d/{bin,sbin,usr}* to include a file from local/
- adjust profiles/apparmor.d/{bin,sbin,usr}* for for copyright, some whitespace
and svn conventions
