Bug 1199535 - [Build 20220512] dovecot/pop3 vs apparmor
[Build 20220512] dovecot/pop3 vs apparmor
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Other
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Christian Boltz
E-mail List
Depends on:
  Show dependency treegraph
Reported: 2022-05-14 07:22 UTC by Dominique Leuenberger
Modified: 2022-05-15 20:40 UTC (History)
1 user (show)

See Also:
Found By: openQA
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Dominique Leuenberger 2022-05-14 07:22:47 UTC
## Observation

type=USER_AUTH msg=audit(1652509166.040:1497): pid=11876 uid=0 auid=4294967295 ses=4294967295 subj==dovecot-auth (enforce) msg='op=PAM:authentication grantors=pam_gnome_keyring,pam_unix acct="recipient" exe="/usr/lib/dovecot/auth" hostname=::1 addr=::1 terminal=dovecot res=success'
type=USER_ACCT msg=audit(1652509166.044:1498): pid=11876 uid=0 auid=4294967295 ses=4294967295 subj==dovecot-auth (enforce) msg='op=PAM:accounting grantors=pam_unix acct="recipient" exe="/usr/lib/dovecot/auth" hostname=::1 addr=::1 terminal=dovecot res=success'
type=AVC msg=audit(1652509166.056:1499): apparmor="DENIED" operation="open" profile="dovecot-pop3" name="/proc/11877/stat" pid=11877 comm="pop3" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
type=SYSCALL msg=audit(1652509166.056:1499): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f56e28a8ea3 a2=0 a3=0 items=0 ppid=11862 pid=11877 auid=4294967295 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="pop3" exe="/usr/lib/dovecot/pop3" subj==dovecot-pop3 (enforce) key=(null)
type=PROCTITLE msg=audit(1652509166.056:1499): proctitle="dovecot/pop3"
openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor_profile@64bit fails in

## Test suite description
Maintainer: llzhao@suse.de.
Test AppArmor profiles with an existing disk image.

## Reproducible

Fails since (at least) Build [20220512](https://openqa.opensuse.org/tests/2345963)

## Expected result

Last good: [20220510](https://openqa.opensuse.org/tests/2345146) (or more recent)

## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=apparmor_profile&version=Tumbleweed)
Comment 1 Christian Boltz 2022-05-15 19:28:05 UTC
[fixing the title - dovecot is not that bad ;-) ]

dovecot-imap needs the same permissions, see the other audit.log in openQA.

My own dovecot usage shows that dovecot-lmtp also needs some additional permissions.

See SR 977392 for details ;-)
Comment 2 OBSbugzilla Bot 2022-05-15 20:40:04 UTC
This is an autogenerated message for OBS integration:
This bug (1199535) was mentioned in
https://build.opensuse.org/request/show/977392 Factory / apparmor