On Tue, Nov 29, 2016 at 01:49:05PM +0100, Christian Boltz wrote:
> On servers with not too much memory ("only" 16 GB), dovecot logins fail:
>
> Nov 25 21:35:15 server dovecot[28737]: master: Fatal: setrlimit(RLIMIT_DATA,
> 268435456): Permission denied
> Nov 25 21:35:15 server dovecot[28731]: master: Error: service(auth): command
> startup failed, throttling for 2 secs
> Nov 25 21:35:15 server dovecot[28737]: auth: Fatal: master: service(auth):
> child 25976 returned error 89 (Fatal failure)
> audit.log messages are:
> ... apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot"
> pid=25000 comm="dovecot" capability=24 capname="sys_resource"
> ... apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot"
> pid=25000 comm="dovecot" rlimit=data value=268435456
Interesting. This should only be needed if raising RLIMIT_DATA
('ulimit -H -d' in bash/dash) over an existing hard limit. Is there
some setting elsewhere that's lowering it before dovecot runs?
> After allowing capability sys_resource, dovecot can increase the limit
> and works again.
>
> I propose this patch for trunk, 2.10 and 2.9
That question aside, I think it's okay.
Acked-by: Steve Beattie <[email protected]> for all three branches.
> [ dovecot-cap-sys_resource.diff ]
>
> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
> --- profiles/apparmor.d/usr.sbin.dovecot 2014-12-22 16:49:28 +0000
> +++ profiles/apparmor.d/usr.sbin.dovecot 2016-11-29 11:46:32 +0000
> @@ -28,6 +28,7 @@
> capability net_bind_service,
> capability setuid,
> capability sys_chroot,
> + capability sys_resource,
>
> /etc/dovecot/** r,
> /etc/mtab r,
--
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
signature.asc
Description: PGP signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
