Bug 1087753 - Dovecot fails to start, complaining "Can't open log file /var/log/dovecot.log: Permission denied"
Status: NEW
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: AppArmor
Version: Current
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Major
Assigned To: Christian Boltz
Reported: 2018-04-02 12:42 UTC by Tristan Miller
Modified: 2022-04-29 23:03 UTC

Description Tristan Miller 2018-04-02 12:42:03 UTC
After upgrading from Tumbleweed 20180308 to Tumbleweed 20180331 today, the Dovecot service now refuses to start.  The error message is "Can't open log file /var/log/dovecot.log: Permission denied".  I tried twiddling the permissions on that file, but no luck.

On account of Bug 1069470 and a similar problem report at <https://serverfault.com/questions/903204/dovecot-cant-open-log-after-upgrade> I suspect this may be a problem with AppArmor.
Comment 1 Christian Boltz 2018-04-02 14:34:14 UTC
The Dovecot AppArmor profile indeed assumes that Dovecot uses syslog for logging.

Can you please paste the relevant lines from /var/log/audit/audit.log or, if in doubt, attach the whole file?

Also, did you specify /var/log/dovecot.log in your dovecot config, or is this part of the default config now?
Comment 2 Luis Henriques 2018-04-02 15:56:37 UTC
I'm seeing a similar error, which may or may not be the same issue.  Here's what I'm seeing in dovecot log:

auth: Error: stats: open(old-stats-user) failed: Permission denied
auth-worker(11225): Error: stats: open(old-stats-user) failed: Permission denied
imap-login: Login: user=<....... (REMOVED)
master: Fatal: execv(/usr/lib/dovecot/stats) failed: Permission denied
master: Error: service(stats): command startup failed, throttling for 2 secs
stats: Fatal: master: service(stats): child 11227 returned error 84 (exec() failed)
master: Fatal: execv(/usr/lib/dovecot/stats) failed: Permission denied
master: Error: service(stats): command startup failed, throttling for 4 secs
stats: Fatal: master: service(stats): child 11232 returned error 84 (exec() failed)

audit.log file also contains relevant info I believe:

type=AVC msg=audit(1522684292.164:370): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/old-stats-user" pid=11224 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1522684292.268:371): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/old-stats-user" pid=11225 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
...
type=AVC msg=audit(1522684292.280:374): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=11227 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1522684302.288:375): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=11232 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
...
type=AVC msg=audit(1522684312.296:378): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=11237 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1522684322.308:379): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=11240 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1522684338.328:380): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=11242 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1522684370.348:381): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=11252 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1522684430.412:382): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=11263 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1522684490.472:383): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=11268 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Comment 3 Tristan Miller 2018-04-03 09:24:02 UTC
(In reply to Christian Boltz from comment #1)
> The Dovecot AppArmor profile indeed assumes that Dovecot uses syslog for
> logging.

I suppose this is a recent (and unannounced?) change.

> Can you please paste the relevant lines from /var/log/audit/audit.log or, if
> in doubt, attach the whole file?

type=AVC msg=audit(1522747195.548:1944): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/dovecot" name="/var/log/dovecot.log" pid=7033 comm="dovecot" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1522747195.548:1945): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/var/log/dovecot.log" pid=7033 comm="dovecot" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=465
type=AVC msg=audit(1522747195.552:1946): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/dovecot" name="/var/log/dovecot.log" pid=7033 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=465
type=AVC msg=audit(1522747195.556:1947): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/log" pid=7036 comm="log" capability=1  capname="dac_override"

> Also, did you specify /var/log/dovecot.log in your dovecot config, or is
> this part of the default config now?

It's specified in /etc/dovecot/dovecot.conf.  I don't know if it's part of the default config.  Very likely I was the one that put it there back when I first installed Dovecot a year or two ago.

I can live with using syslog for logging, so for me the solution is to simply uncomment the log_path setting from dovecot.conf.
Comment 4 Christian Boltz 2018-04-05 19:11:33 UTC
So we have 3 different issues in this bug report:

* starting /usr/lib/dovecot/stats - let's handle this in bug 1088161 please
  to avoid mixing up several issues in one bug report

* writing dovecot.log by /usr/sbin/dovecot
  The package maintainer just told me that the packaged default is still to
  use syslog, so this is likely something you changed locally. Anyway -
  please add the following line to /etc/apparmor.d/local/usr.sbin.dovecot:
      /var/log/dovecot.log a,
  Then run   rcapparmor reload   and try again. (Obviously you'll have to
  re-enable log_path in the dovecot config.)
  I'm not sure if "a" is enough; the last log line indicates "w" may be needed
  (which would be bad because "a" allows append only and "w" full write access
  including changes to the existing logfile).

* /usr/lib/dovecot/auth writing to /run/dovecot/old-stats-user - please add
      /run/dovecot/old-stats-user w,
  to /etc/apparmor.d/local/usr.lib.dovecot.auth, run   rcapparmor reload and
  check again.
Comment 5 Shad Sterling 2018-04-10 00:46:56 UTC
That's my question on serverfault.  In my case, logging to syslog doesn't work, and (naturally?) doesn't log any errors.  Logging to `/var/log/dovecot` was the default when I started using dovecot (a rather long time ago); if you're going to prohibit using the former default, you should update dovecot so I'll see an `/etc/dovecot/conf.d/10-logging.conf.rpmnew` with a comment along the lines of

> ## Logging anywhere but syslog is now prohibited by the default apparmor profile.
> ## You can customize the apparmor profile by editing /etc/apparmor.d/local/usr.sbin.dovecot

Even better if you have the necessary line as a comment in that file.  For my system the necessary line is

>     /var/log/dovecot w,
Comment 6 Shad Sterling 2018-04-10 16:35:55 UTC
Actually, that last comment is completely wrong; it seemed to be working at first, but actually was not.  After spending a few hours iterating on `/var/log/audit/audit.log` and editing several files in `/etc/apparmor.d/local`, it seems to be back to working.

In `usr.lib.dovecot.config`:

>    /var/lib/dovecot/ssl-parameters.dat r,
>    capability dac_read_search,

In `usr.lib.dovecot.auth`:

>    /run/dovecot/old-stats-user w,

In `usr.sbin.dovecot`:

>    /usr/lib/dovecot/stats ix,
>    /var/log/dovecot w,

In `usr.lib.dovecot.log`:

>    /var/log/dovecot w,

The `w` permission is needed for logs because apparmor denies `ac` and as far as I can tell there's no way to allow `open`s with `c`.  I couldn't find any indication that there exists documentation with a list of open permissions, so there may be another way to allow "create and append" other than `w`.

I used the `ix` permission for stats rather than `Px` because there is no `apparmor.d/user.lib.dovecot.stats` to include a corresponding file in `/etc/apparmor.d/local`, and I thought it better to confine my edits to local.

So basically this recent apparmor update totally clobbers dovecot's ability to function.
Comment 7 Christian Boltz 2018-04-10 21:57:35 UTC
(In reply to Shad Sterling from comment #6)
> Actually, that last comment is completely wrong; it seemed to be working at
> first, but actually was not.  After spending a few hours iterating on
> `/var/log/audit/audit.log` and editing several files in
> `/etc/apparmor.d/local`, it seems to be back to working.
> 
> In `usr.lib.dovecot.config`:
> 
> >    /var/lib/dovecot/ssl-parameters.dat r,
> >    capability dac_read_search,

I'm slightly surprised about these two - can you please paste the relevant audit.log lines?

> In `usr.lib.dovecot.auth`:
> 
> >    /run/dovecot/old-stats-user w,
> 
> In `usr.sbin.dovecot`:
> 
> >    /usr/lib/dovecot/stats ix,

Please make that Px, and grab the dovecot/stats profile from bug 1088161 ;-)

> >    /var/log/dovecot w,

> In `usr.lib.dovecot.log`:
> 
> >    /var/log/dovecot w,

Please try with "a" instead of "w" (in both profiles that need to write the logfile), see below for details.


> The `w` permission is needed for logs because apparmor denies `ac` and as
> far as I can tell there's no way to allow `open`s with `c`.  I couldn't find
> any indication that there exists documentation with a list of open
> permissions, so there may be another way to allow "create and append" other
> than `w`.

'c' in the audit.log means "create". There is no exact match in the profile permissions to only allow "create", but both "a" and "w" include "create". So if you are lucky, using "a" in the profile is enough (and would be a major improvement because it blocks changes to existing log content).

> I used the `ix` permission for stats rather than `Px` because there is no
> `apparmor.d/user.lib.dovecot.stats` to include corresponding file in
> `/etc/apparmor.d/local`, and I thought it better to confine my edits to
> local.

See above ;-)  (there's no local/ snippet for the dovecot/stats profile yet, but I'll of course add it when I package the profile)

> So basically this recent apparmor update totally clobbers dovecot's ability
> to function.

Actually it's the other way round - dovecot was updated, and nobody told me that it needs AppArmor profile updates :-(  (no blaming intended ;-) - and in the end, the important thing is to get it working again.)
Comment 8 Tristan Miller 2018-04-11 07:20:55 UTC
(In reply to Christian Boltz from comment #4)
> * writing dovecot.log by /usr/sbin/dovecot
>   The package maintainer just told me that the packaged default is still to
>   use syslog, so this is likely something you changed locally. Anyway -
>   please add the following line to /etc/apparmor.d/local/usr.sbin.dovecot:
>       /var/log/dovecot.log a,
>   Then run   rcapparmor reload   and try again. (Obviously you'll have to
>   re-enable log_path in the dovecot config.)
>   I'm not sure if a is enough, the last log line indicates w may be needed
>   (which would be bad because "a" allows append only and "w" full write
> access
>   including changes to the existing logfile)

With this line in /etc/apparmor.d/local/usr.sbin.dovecot, starting dovecot still results in the same error message -- "Can't open log file /var/log/dovecot.log: Permission denied".  But bizarrely, it *does* write to that log file, but only to complain that it can't write to the log file:

Apr 11 09:17:10 master: Info: Dovecot v2.3.1 (8e2f634) starting up for imap
Apr 11 09:17:10 master: Error: service(log): child 26965 returned error 80 (Can't open log file)
Apr 11 09:17:10 master: Error: service(log): command startup failed, throttling for 2 secs

The problem occurs whether I use "a" or "w".
Comment 9 Christian Boltz 2018-04-11 11:30:11 UTC
(In reply to Tristan Miller from comment #8)
> With this line in /etc/apparmor.d/local/usr.sbin.dovecot, starting dovecot
> still results in the same error message -- "Can't open log file
> /var/log/dovecot.log: Permission denied".  But bizarrely, it *does* write to
> that log file, but only to complain that it can't write to the log file:

*lol*

> Apr 11 09:17:10 master: Info: Dovecot v2.3.1 (8e2f634) starting up for imap
> Apr 11 09:17:10 master: Error: service(log): child 26965 returned error 80
> (Can't open log file)
> Apr 11 09:17:10 master: Error: service(log): command startup failed,
> throttling for 2 secs
> 
> The problem occurs whether I use "a" or "w".

When dovecot writes these log messages, do you get any messages in audit.log? If so, please paste them. (Ideally test with "a" in the rule.)
Comment 10 Christian Boltz 2018-04-11 21:03:14 UTC
FYI: SR 595790 allows dovecot/auth to write /run/dovecot/old-stats-user, and includes the fix for bug 1088161.

It does _not_ include the other profile additions discussed in this bug report. I'll do another SR when we know what exactly is needed.
Comment 11 Swamp Workflow Management 2018-04-11 21:30:05 UTC
This is an autogenerated message for OBS integration:
This bug (1087753) was mentioned in
https://build.opensuse.org/request/show/595790 Factory / apparmor
Comment 12 Shad Sterling 2018-04-12 04:05:13 UTC
(In reply to Christian Boltz from comment #7)
> (In reply to Shad Sterling from comment #6)
> > Actually, that last comment is completely wrong; it seemed to be working at
> > first, but actually was not.  After spending a few hours iterating on
> > `/var/log/audit/audit.log` and editing several files in
> > `/etc/apparmor.d/local`, it seems to be back to working.
> > 
> > In `usr.lib.dovecot.config`:
> > 
> > >    /var/lib/dovecot/ssl-parameters.dat r,
> > >    capability dac_read_search,
> 
> I'm slightly surprised about these two - can you please paste the relevant
> audit.log lines?

`grep usr.lib.dovecot.config /var/log/audit/audit.log* | tail`:
> /var/log/audit/audit.log.4:type=AVC msg=audit(1523334722.592:204589): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> /var/log/audit/audit.log.4:type=AVC msg=audit(1523334782.682:204638): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> /var/log/audit/audit.log.4:type=AVC msg=audit(1523334842.780:204690): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> /var/log/audit/audit.log.4:type=AVC msg=audit(1523334902.866:204741): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> /var/log/audit/audit.log.4:type=AVC msg=audit(1523334962.916:204792): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> /var/log/audit/audit.log.4:type=AVC msg=audit(1523335022.966:204842): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> /var/log/audit/audit.log.4:type=AVC msg=audit(1523335084.008:204893): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> /var/log/audit/audit.log.4:type=AVC msg=audit(1523335144.090:204943): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> /var/log/audit/audit.log.4:type=AVC msg=audit(1523335204.208:204996): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> /var/log/audit/audit.log.4:type=AVC msg=audit(1523335264.250:205048): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=21775 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

`grep dac_read_search /var/log/audit/audit.log* | tail`:
> /var/log/audit/audit.log.3:type=AVC msg=audit(1523372677.043:240323): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=29574 comm="config" capability=2  capname="dac_read_search"
> /var/log/audit/audit.log.3:type=AVC msg=audit(1523373414.162:241172): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=31468 comm="config" capability=2  capname="dac_read_search"
> /var/log/audit/audit.log.3:type=AVC msg=audit(1523373805.425:241689): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=400 comm="config" capability=2  capname="dac_read_search"
> /var/log/audit/audit.log.4:type=AVC msg=audit(1523316897.764:190139): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=21775 comm="config" capability=2  capname="dac_read_search"

> > >    /var/log/dovecot w,
> 
> > In `usr.lib.dovecot.log`:
> > 
> > >    /var/log/dovecot w,
> 
> Please try with "a" instead of "w" (in both profiles that need to write the
> logfile), see below for details.

You really think I spent hours on this and didn't try that?
It doesn't work.
Omitting `/var/log/dovecot` results in a deny for "ac".  Specifying "a" results in a deny for "c".  Specifying "ac" is a malformed profile.
If there's any documentation about it, it's hard to find.  There are posts where people report on this, but none I found explained it.
I decided to stop short of reading the code that implements it.
It doesn't matter if the file must actually be created, it's enough that the process open it with create access.

> > The `w` permission is needed for logs because apparmor denies `ac` and as
> > far as I can tell there's no way to allow `open`s with `c`.  I couldn't find
> > any indication that there exists documentation with a list of open
> > permissions, so there may be another way to allow "create and append" other
> > than `w`.
> 
> 'c' in the audit.log means "create". There is no exact match in the profile
> permissions to only allow "create", but both "a" and "w" include "create".
> So if you are lucky, using "a" in the profile is enough (and would be a
> major improvement because it blocks changes to existing log content).

The inability to permit an operation that can be denied is a bug in apparmor.
 
> > So basically this recent apparmor update totally clobbers dovecot's ability
> > to function.
> 
> Actually it's the other way round - dovecot was updated, and nobody told me
> that it needs AppArmor profile updates :-(  (no blaming intended ;-) - and
> in the end, the important thing is to get it working again.)

My dovecot config is based on the defaults when I first configured it, which I thought was more than a decade ago but I can only confirm it back to 2012; my dovecot logfile has not changed in at least six years and it just stopped working with this update.

Comments with instructions to "migrate from old ssl-parameters.dat" made it into my `/etc/dovecot/conf.d/10-ssl.conf` with this update; use of that file does not appear to be new (if anything it's recently deprecated).

"stats" does not appear anywhere in `/etc/dovecot` and hasn't for more than a year, so any change in that doesn't appear to be configurable.

It looks like an update to the apparmor profile for dovecot broke any old configurations like mine.

Why isn't the apparmor profile for dovecot part of the dovecot package?
Comment 13 Tristan Miller 2018-04-19 18:54:33 UTC
(In reply to Christian Boltz from comment #9)
> When dovecot writes these log messages, do you get any messages in
> audit.log? If so, please paste them. (Ideally test with "a" in the rule.)

No, no messages appear in audit.log.
Comment 14 Tristan Miller 2018-04-19 19:18:53 UTC
(In reply to Tristan Miller from comment #13)
> (In reply to Christian Boltz from comment #9)
> > When dovecot writes these log messages, do you get any messages in
> > audit.log? If so, please paste them. (Ideally test with "a" in the rule.)
> 
> No, no messages appear in audit.log.

Oh, sorry -- I had forgotten to re-enable logging in /etc/dovecot/dovecot.conf.  I re-enabled it and tried again just now.  Here's what gets written to audit.log when starting dovecot:

type=AVC msg=audit(1524165468.008:2651): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/var/log/dovecot.log" pid=8197 comm="dovecot" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1524165468.008:2652): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/dovecot" name="/var/log/dovecot.log" pid=8197 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1524165468.016:2653): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/log" name="/var/log/dovecot.log" pid=8200 comm="log" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
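An added example, not part of this bug report or of the Dovecot and AppArmor packages: a small Python script that parses AVC records like the ones quoted in comments 2, 3 and 14, groups each denial under the local override file of the profile that actually denied it, and applies the mask-to-rule mapping Christian Boltz gives in comment 7 ("a" or "w" for create, Px for exec, `capability` for capable). The sample audit text is constructed from lines in this thread plus one non-AVC record; the /etc/apparmor.d/local/<name> mapping follows the file names used above.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records taken from comments 2, 3 and 14 of this bug
# report, plus one unrelated audit record to show that it is skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1522684292.164:370): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/old-stats-user" pid=11224 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1522684292.280:374): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=11227 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1522747195.556:1947): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/log" pid=7036 comm="log" capability=1  capname="dac_override"
type=AVC msg=audit(1524165468.008:2651): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/var/log/dovecot.log" pid=8197 comm="dovecot" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1524165468.016:2653): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/log" name="/var/log/dovecot.log" pid=8200 comm="log" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
type=USER_AUTH msg=audit(1524165470.000:2654): pid=1 uid=0 msg='op=PAM:authentication acct="root" res=success'
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def local_override_file(profile):
    """Profile name -> local override file, as named in this thread
    (/usr/sbin/dovecot -> /etc/apparmor.d/local/usr.sbin.dovecot)."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")


def suggest_rule(ev):
    """Translate one event into the rule the thread settled on for that kind of access."""
    if ev.get("operation") == "capable":
        return f'capability {ev["capname"]},'
    mask = ev.get("denied_mask", "")
    path = ev["name"]
    if "x" in mask:
        # Comment 7: run helpers under their own profile (Px), not inherited (ix).
        return f"{path} Px,"
    if "w" in mask:
        return f"{path} w,"
    if mask and set(mask) <= {"a", "c"}:
        # Comment 7: no rule grants "c" alone; both "a" and "w" include create,
        # so try the tighter append-only "a" first for log files.
        return f"{path} a,"
    return f"{path} {mask},"  # plain reads (r), mmap (m) etc. map one-to-one


def suggest_overrides(audit_text):
    """Group suggested rules by the override file of the profile that denied the access.
    ALLOWED records that still carry a denied_mask come from complain mode: they would
    be real denials in enforce mode, so they are treated the same way."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        ev = parse_avc(line)
        if not ev or ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if "denied_mask" not in ev and ev.get("operation") != "capable":
            continue  # nothing was (or would be) denied
        rules[local_override_file(ev["profile"])].add(suggest_rule(ev))
    return {path: sorted(r) for path, r in sorted(rules.items())}


if __name__ == "__main__":
    for path, path_rules in suggest_overrides(SAMPLE_AUDIT).items():
        print(path)
        for rule in path_rules:
            print("   ", rule)
```

Run over the three records of comment 14, the grouping shows why a rule in usr.sbin.dovecot alone cannot clear the startup error: the DENIED record for /var/log/dovecot.log names the /usr/lib/dovecot/log profile, so the same rule is needed in usr.lib.dovecot.log as well.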
Comment 15 lili zhao 2018-09-29 10:02:40 UTC
It can be reproduced on sles12-sp4-rc1-b0395 also:

steps: 
(Please refer to "Bugzilla – Test Case 1682586: AppArmor - Profiles - usr.lib.dovecot.pop3" for more reproducing details)

    1. enable "apparmor"
    2. put the dovecot-related profiles in "enforce" mode
    3. send/receive mails via smtp/pop3/imap; the operations succeed, but we get error messages in "/var/log/mail.err" and "/var/log/mail.info":

FYI (mail.err): 
2018-09-29T16:01:14.020296+08:00 mail dovecot: master: Error: setrlimit(RLIMIT_NPROC, 5514): Operation not permitted
==dovecot pop3
2018-09-29T16:04:08.408153+08:00 mail dovecot: auth: Error: stats: open(stats-user) failed: Permission denied
2018-09-29T16:04:08.408496+08:00 mail dovecot: auth: Error: open(/var/run/dovecot/auth-token-secret.dat.tmp) failed: Permission denied
2018-09-29T16:04:08.408707+08:00 mail dovecot: auth: Error: Failed to write auth token secret file; returned tokens will be invalid once auth restarts
2018-09-29T16:04:18.021749+08:00 mail dovecot: auth-worker(3444): Error: stats: open(stats-user) failed: Permission denied

=dovecot imap
2018-09-29T16:08:08.299828+08:00 mail dovecot: auth: Error: stats: open(stats-user) failed: Permission denied
2018-09-29T16:08:08.301213+08:00 mail dovecot: auth: Error: open(/var/run/dovecot/auth-token-secret.dat.tmp) failed: Permission denied
2018-09-29T16:08:08.302225+08:00 mail dovecot: auth: Error: Failed to write auth token secret file; returned tokens will be invalid once auth restarts
2018-09-29T16:08:28.496247+08:00 mail dovecot: auth-worker(3584): Error: stats: open(stats-user) failed: Permission denied

FYI (mail.info):
====dovecot
2018-09-29T16:01:14.020296+08:00 mail dovecot: master: Error: setrlimit(RLIMIT_NPROC, 5514): Operation not permitted
2018-09-29T16:01:14.020896+08:00 mail dovecot: master: Dovecot v2.2.31 (65cde28) starting up for imap, pop3, lmtp (core dumps disabled)

==dovecot pop3
2018-09-29T16:04:08.408153+08:00 mail dovecot: auth: Error: stats: open(stats-user) failed: Permission denied
2018-09-29T16:04:08.408496+08:00 mail dovecot: auth: Error: open(/var/run/dovecot/auth-token-secret.dat.tmp) failed: Permission denied
2018-09-29T16:04:08.408707+08:00 mail dovecot: auth: Error: Failed to write auth token secret file; returned tokens will be invalid once auth restarts
2018-09-29T16:04:18.021749+08:00 mail dovecot: auth-worker(3444): Error: stats: open(stats-user) failed: Permission denied
2018-09-29T16:04:18.066229+08:00 mail dovecot: pop3-login: Login: user=<testuser>, method=PLAIN, rip=::1, lip=::1, mpid=3445, secured, session=<AsjOBP52Ft8AAAAAAAAAAAAAAAAAAAAB>

==imap
2018-09-29T16:07:54.846848+08:00 mail dovecot: pop3(testuser): Connection closed top=0/0, retr=1/472, del=0/2, size=917
2018-09-29T16:08:08.299828+08:00 mail dovecot: auth: Error: stats: open(stats-user) failed: Permission denied
2018-09-29T16:08:08.301213+08:00 mail dovecot: auth: Error: open(/var/run/dovecot/auth-token-secret.dat.tmp) failed: Permission denied
2018-09-29T16:08:08.302225+08:00 mail dovecot: auth: Error: Failed to write auth token secret file; returned tokens will be invalid once auth restarts
2018-09-29T16:08:28.496247+08:00 mail dovecot: auth-worker(3584): Error: stats: open(stats-user) failed: Permission denied
Comment 16 lili zhao 2018-09-30 01:33:02 UTC
Please refer the test case for more info:

https://bugzilla.suse.com/tr_show_case.cgi?case_id=1682586
Bugzilla – Test Case 1682586: AppArmor - Profiles - usr.lib.dovecot.pop3
https://bugzilla.suse.com/tr_show_case.cgi?case_id=1682585
Bugzilla – Test Case 1682585: AppArmor - Profiles - usr.lib.dovecot.imap
Comment 17 Marc Chamberlin 2022-04-29 23:03:14 UTC
Reported in 2018??? AND it is now April 2022 and this bug is still not resolved??

I am running OpenSuSE x64 version 15.3 and can report this bug still exists: I can't get Dovecot to access its own log file and get the same permission denied error.