Hello,
On servers with not too much memory ("only" 16 GB), dovecot logins fail:

Nov 25 21:35:15 server dovecot[28737]: master: Fatal: setrlimit(RLIMIT_DATA, 268435456): Permission denied
Nov 25 21:35:15 server dovecot[28731]: master: Error: service(auth): command startup failed, throttling for 2 secs
Nov 25 21:35:15 server dovecot[28737]: auth: Fatal: master: service(auth): child 25976 returned error 89 (Fatal failure)

audit.log messages are:

... apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" capability=24 capname="sys_resource"
... apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" rlimit=data value=268435456

After allowing capability sys_resource, dovecot can increase the limit and works again.

I propose this patch for trunk, 2.10 and 2.9

[ dovecot-cap-sys_resource.diff ]
=== modified file 'profiles/apparmor.d/usr.sbin.dovecot' --- profiles/apparmor.d/usr.sbin.dovecot 2014-12-22 16:49:28 +0000 +++ profiles/apparmor.d/usr.sbin.dovecot 2016-11-29 11:46:32 +0000 @@ -28,6 +28,7 @@ capability net_bind_service, capability setuid, capability sys_chroot, + capability sys_resource, /etc/dovecot/** r, /etc/mtab r,

Regards,

Christian Boltz
--
> Yeah, sure. That is "surgical". Chainsaw or scalpel, that is the
question here. [> Ralf Hildebrandt and Peer Heinlein in postfixbuch-users]
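Review bot: the added `capability sys_resource,` line in the capability block of usr.sbin.dovecot has no comment recording why it is needed, and sys_resource is a broad grant for what the quoted log shows as a single denied setrlimit on rlimit=data. Suggest a short comment directly above it, for example `# needed for setrlimit(RLIMIT_DATA) by the master process`, so a later audit of the profile can tell the grant is deliberate. Both audit lines name profile="/usr/sbin/dovecot", so this file is the right place for the rule; the commit message should also say whether the dovecot child service profiles were checked for the same denial.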
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
