Bug 1088161 - Can't use dovecot after upgrade due to missing/wrong apparmor profile
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: AppArmor
Version: Current
Hardware: Other, OS: Other
Importance: P5 - None, Severity: Normal
Assigned To: Christian Boltz
Reported: 2018-04-04 18:22 UTC by Luis Henriques
Modified: 2018-04-11 21:30 UTC (History)

Attachments
  audit.log (after 'grep dovecot') (4.08 KB, text/x-log), 2018-04-05 21:49 UTC, Luis Henriques
  usr.lib.dovecot.stats profile (264 bytes, text/plain), 2018-04-06 22:21 UTC, Christian Boltz
  new audit.log (3.42 KB, text/x-log), 2018-04-09 09:20 UTC, Luis Henriques

Description Luis Henriques 2018-04-04 18:22:29 UTC
After upgrading Tumbleweed to one of the latest snapshots dovecot got an update and I can't use it anymore.  Here's what I see in the dovecot logs:

dovecot[29330]: master: Dovecot v2.3.1 (8e2f634) starting up for imap
dovecot[29333]: imap-login: Login: user=<MY-USER>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=29340, TLS, session=<SESSION>
dovecot[29333]: master: Fatal: execv(/usr/lib/dovecot/stats) failed: Permission denied
dovecot[29330]: master: Error: service(stats): command startup failed, throttling for 2 secs
dovecot[29333]: stats: Fatal: master: service(stats): child 29341 returned error 84 (exec() failed)
dovecot[29333]: master: Fatal: execv(/usr/lib/dovecot/stats) failed: Permission denied
dovecot[29330]: master: Error: service(stats): command startup failed, throttling for 4 secs
dovecot[29333]: stats: Fatal: master: service(stats): child 29344 returned error 84 (exec() failed)

Looking at /var/log/audit/audit.log here's what I see:

type=AVC msg=audit(1522794786.771:126): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=4073 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1522794796.783:127): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=4074 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

I've seen bug https://bugzilla.opensuse.org/show_bug.cgi?id=1087753 but I'm not sure it's actually related.
Comment 1 Christian Boltz 2018-04-05 17:50:02 UTC
Bug 1087753 includes two issues, and one of them is indeed a duplicate of this bug report. Let's handle /usr/lib/dovecot/stats here, and writing dovecot.log in bug 1087753 ;-)

Your log message shows that /usr/sbin/dovecot wants to execute /usr/lib/dovecot/stats, so we'll need to add a rule to allow this. We'll also need to create a profile for /usr/lib/dovecot/stats.

Can you please attach your /var/log/audit/audit.log so that I can build that profile? (feel free to only attach the result of   grep dovecot audit.log   if you want to exclude unrelated stuff, but I can easily filter it myself)
Comment 2 Christian Boltz 2018-04-05 19:08:06 UTC
I forgot to mention - you'll probably need to switch the dovecot profile to complain (learning) mode to get log entries for building the dovecot/stats profile:

    aa-complain /etc/apparmor.d/usr.sbin.dovecot

This will allow everything and log what would be denied.

To switch the profile back to enforce mode, run
    aa-enforce /etc/apparmor.d/usr.sbin.dovecot
Comment 3 Luis Henriques 2018-04-05 21:49:52 UTC
Created attachment 766175 [details]
audit.log (after 'grep dovecot')

Here's the dovecot info from the audit log.  Note that I'm including only the new lines after switching to complain mode as explained in comment #2.  Please let me know if you need some extra information (or if I somehow screwed up the log file).
Comment 4 Christian Boltz 2018-04-06 22:21:08 UTC
Created attachment 766354 [details]
usr.lib.dovecot.stats profile

Please save the attached profile as /etc/apparmor.d/usr.lib.dovecot.stats

Also edit /etc/apparmor.d/local/usr.sbin.dovecot and add

  /usr/lib/dovecot/stats Px,

After that, run   rcapparmor reload

The attached profile for dovecot/stats is intentionally in complain mode for now, so it will allow everything and log what would be denied. Please use it for a day or two, and then grep your audit.log again and report back - I wouldn't be surprised if it needs some more permissions.
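The workflow in comments 1 to 4 (collect AVC records, spot the exec denial, express it as a "path Px," rule) as a small added shell example; this is not code from the bug report or from AppArmor itself (aa-logprof is the real tool for this), and the third sample log line and the socket path in it are constructed to show what a complain-mode record looks like:

```shell
#!/bin/sh
# Added example, not part of the bug report: summarise AppArmor AVC records from
# audit.log and turn exec denials into the "path Px," rule form used in the fix.
# (aa-logprof does this properly; this is only the core of the idea.)
#
# Constructed sample: the two DENIED lines quoted in the bug description plus one
# made-up ALLOWED line of the kind a profile in complain mode writes.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1522794786.771:126): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=4073 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1522794796.783:127): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=4074 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1522794800.000:128): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/stats" name="/run/dovecot/example.sock" pid=4080 comm="stats" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Reads audit records on stdin and prints one deduplicated line per AVC record:
#   STATUS PROFILE OPERATION PATH DENIED_MASK
# STATUS is DENIED (enforce mode) or ALLOWED (complain mode: would have been denied).
avc_summary() {
  sed -n 's/.*apparmor="\([A-Z]*\)".*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \3 \2 \4 \5/p' |
    sort -u
}

# Prints "PROFILE: RULE" for each record. An exec denial becomes "path Px," (run
# the child under its own profile, as the fix did); anything else becomes a plain
# file rule "path mask," with the operation and status as a trailing comment, to be
# reviewed before it is added to /etc/apparmor.d/local/<profile>.
suggest_rules() {
  avc_summary | while read -r status profile op path mask; do
    case "$op" in
      exec) printf '%s: %s Px,\n' "$profile" "$path" ;;
      *)    printf '%s: %s %s,  # %s %s\n' "$profile" "$path" "$mask" "$op" "$status" ;;
    esac
  done
}

# Stand-alone run over the constructed sample. On a real system you would feed it
# the output of: grep apparmor /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | suggest_rules
```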
Comment 5 Luis Henriques 2018-04-06 22:36:09 UTC
Thank you, I'll use this file for a while and report back with the result.
Comment 6 Luis Henriques 2018-04-09 09:20:19 UTC
Created attachment 766407 [details]
new audit.log

Here's the (grepped) audit log after applying the changes suggested previously.  I have to confess I haven't used it heavily; please let me know if you need it again with more data on it.
Comment 7 Christian Boltz 2018-04-09 11:19:40 UTC
That log looks (too?) harmless - no AppArmor denials ;-)

To be sure the new profile gets really used, please run   rcdovecot restart
Otherwise the dovecot/stats process might still run unconfined.
Comment 8 Luis Henriques 2018-04-09 11:40:47 UTC
Hmm... ok.  I just upgraded my TW with the latest snapshot and rebooted.  I've double checked everything was still ok: /etc/apparmor.d/usr.lib.dovecot.stats was still there, and the contents of /etc/apparmor.d/local/usr.sbin.dovecot was ok.  And, just to be sure, I reloaded apparmor and restarted dovecot :-)

$ sudo aa-unconfined |grep -i dovec
6113 /usr/sbin/dovecot confined by '/usr/sbin/dovecot (enforce)'

Also, aa-status includes:

1 profiles are in complain mode.
   /usr/lib/dovecot/stats

I still don't see any 'denied', but let's see what happens.
Comment 9 Christian Boltz 2018-04-11 20:59:39 UTC
SR 595790 includes the dovecot/stats profile and the Px addition to the dovecot profile.

If you notice any additional denials, feel free to reopen or to open a new bug report.
Comment 10 Swamp Workflow Management 2018-04-11 21:30:08 UTC
This is an autogenerated message for OBS integration:
This bug (1088161) was mentioned in
https://build.opensuse.org/request/show/595790 Factory / apparmor