touch-packages team mailing list archive

[Bug 1296667] Re: dovecot/apparmor: profile not found

 

I ran dovecot-core 1:2.2.9-1ubuntu2.1 with apparmor-profiles
2.8.95~2430-0ubuntu5.3 and didn't get any errors in mail.log or
complaints from apparmor.

$ sudo aa-status
apparmor module is loaded.
49 profiles are loaded.
16 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/sbin/rsyslogd
   /usr/sbin/tcpdump
33 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
9 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (30347) 
   /usr/sbin/rsyslogd (421) 
7 processes are in complain mode.
   /usr/lib/dovecot/anvil (23852) 
   /usr/lib/dovecot/config (23855) 
   /usr/lib/dovecot/log (23853) 
   /usr/sbin/avahi-daemon (594) 
   /usr/sbin/avahi-daemon (595) 
   /usr/sbin/dnsmasq (1583) 
   /usr/sbin/dovecot (23851) 
0 processes are unconfined but have a profile defined.

** Changed in: apparmor (Ubuntu Trusty)
       Status: In Progress => Fix Committed

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1296667

Title:
  dovecot/apparmor: profile not found

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Trusty:
  Fix Committed

Bug description:
  [impact]

  This bug prevents dovecot users from using the apparmor policies shipped
  in the apparmor-profiles package without significant modifications.

  [steps to reproduce]

  1) install and set up dovecot and confirm that it's functioning as
     expected
  2) install the apparmor-profiles package
  3) restart dovecot to ensure apparmor policies are being applied
  4) if this bug has been addressed, dovecot should start successfully
     without generating apparmor rejections

  [regression potential]

  The change in the patch for this bug updates the dovecot policy to
  match the most recent apparmor release (2.9.2). These add missing
  policies, restructure a few things to common abstractions, and grant
  additional permissions. Any regressions related to this patch would
  be strictly limited to the policy for dovecot.

  [original description]

  I'm on Ubuntu 14.04 LTS. Since last week I get these messages:

  [11468.257576] type=1400 audit(1395659127.103:38560): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap-login" name="/run/dovecot/config" pid=30971 comm="imap-login" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
  [11491.128691] type=1400 audit(1395659149.988:38616): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/auth" pid=30978 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  [11551.171186] type=1400 audit(1395659210.056:38853): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/dovecot" pid=31620 comm="dovecot" capability=36  capname="block_suspend"
  [11551.171338] type=1400 audit(1395659210.056:38854): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/auth" pid=31630 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

  When I then start dovecot I get these in mail.log:

  Mar 24 08:42:52 polly dovecot: master: Dovecot v2.2.9 starting up (core dumps disabled)
  Mar 24 08:42:52 polly dovecot: master: Fatal: execv(/usr/lib/dovecot/log) failed: No such file or directory
  Mar 24 08:42:52 polly dovecot: master: Error: service(anvil): command startup failed, throttling for 2 secs
  Mar 24 08:42:52 polly dovecot: master: Error: service(log): child 1387 returned error 84 (exec() failed)
  Mar 24 08:42:52 polly dovecot: master: Error: service(log): command startup failed, throttling for 2 secs
  Mar 24 08:42:52 polly dovecot: master: Error: service(ssl-params): command startup failed, throttling for 2 secs
  Mar 24 08:55:42 polly dovecot: master: Error: service(config): command startup failed, throttling for 2 secs
  Mar 24 08:55:42 polly dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs

  I tried to purge and reinstall apparmor(-profiles) but that didn't fix
  this issue. I did an aa-disable dovecot and now the errors are gone.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1296667/+subscriptions
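
Added example, not part of the bug report or of the AppArmor project's code: a small triage script that parses audit records like the four quoted in the original description and lists the exec transitions for which the kernel had no profile loaded. The function names and the optional `loaded` set (profile names as printed by aa-status) are assumptions made for this illustration.

```python
import re
from collections import Counter

# The four audit records quoted in the bug description above.
SAMPLE = '''\
[11468.257576] type=1400 audit(1395659127.103:38560): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap-login" name="/run/dovecot/config" pid=30971 comm="imap-login" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
[11491.128691] type=1400 audit(1395659149.988:38616): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/auth" pid=30978 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[11551.171186] type=1400 audit(1395659210.056:38853): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/dovecot" pid=31620 comm="dovecot" capability=36  capname="block_suspend"
[11551.171338] type=1400 audit(1395659210.056:38854): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/auth" pid=31630 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def missing_exec_profiles(log_text, loaded=frozenset()):
    """Count exec transitions whose target profile was not found.

    Returns {(parent_profile, exec_target, verdict): count}. Targets whose
    name is in `loaded` are skipped, so only still-missing profiles remain.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        # error=-2 is ENOENT: the transition named a profile that is not loaded.
        if rec.get("operation") != "exec" or rec.get("info") != "profile not found":
            continue
        if rec.get("name") in loaded:
            continue
        hits[(rec.get("profile"), rec.get("name"), rec.get("apparmor"))] += 1
    return hits


if __name__ == "__main__":
    for (parent, target, verdict), n in missing_exec_profiles(SAMPLE).items():
        print(f"{n}x {verdict}: {parent} -> {target} has no loaded profile")
```

Passing the profile names from a current aa-status run as `loaded` filters out transitions whose target profile has since been installed.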