On Friday, 22 April 2016, 12:27:44 CEST, Carlos E. R. wrote:
> <2.2> 2016-04-22 12:14:59 Telcontar dovecot - - -  master: Fatal:
> setrlimit(RLIMIT_DATA, 268435456): Permission denied 
> Telcontar:~ # aa-logprof
> Reading log entries from /var/log/audit/audit.log.
> Updating AppArmor profiles in /etc/apparmor.d.
> Enforce-mode changes:
> Profile:    /usr/sbin/dovecot
> Capability: sys_resource
> Severity:   8
> (A)llow / [(D)eny] / Audi(t) / Abo(r)t / (F)inish
> Adding capability sys_resource to profile.

That's surprising in more than one way ;-)

First, the dovecot profile wasn't touched in this update. (Nevertheless, 
check for *.rpmnew or *.rpmsave files in /etc/apparmor.d just to be on 
the safe side.)

Second, even the latest dovecot profile in the upstream repo does not 
include capability sys_resource - and works for lots of people 
(including me, and I'm using dovecot on several 13.1 servers).

And third, the AppArmor update contained 99% profile updates, and only 1% 
other changes - and this 1% "only" added support for another log format 
to libapparmor, which is used by aa-logprof/aa-genprof.

man 7 capabilities says:

              * [... many other options ...]
              * increase resource limits (see setrlimit(2));

which would match your log entries.

Now the question is why dovecot wants to do this. Did you change any 
settings in dovecot or rlimit settings on your system? Do you set 
vsz_limit somewhere in your dovecot config?


Christian Boltz
>Is there actually anyone else on this list besides me ??
No, but there are a few robots running that fake traffic. I'm
one of them too.
[Tobias Korb and Thorsten Haude in suse-programming]

Evergreen mailing list
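
One way to check the rlimit question raised above, as an added example that is not part of the original message: it applies the setrlimit(2) rule quoted from the man page to the "Max data size" row of /proc/<pid>/limits. The sample limits text is constructed, the function names are hypothetical, and the script assumes the request sets the hard limit to the 268435456 shown in the log.

```python
import re

UNLIMITED = float("inf")
REQUESTED = 268435456  # value from the "Fatal: setrlimit(RLIMIT_DATA, ...)" log line

# Constructed sample of /proc/<pid>/limits (not taken from the reporter's system)
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max data size             134217728            134217728            bytes
Max open files            1024                 4096                 files
"""

def parse_limit(text, name="Max data size"):
    """Return (soft, hard) for one row of a /proc/<pid>/limits listing."""
    m = re.search(rf"^{re.escape(name)}\s+(\S+)\s+(\S+)", text, re.MULTILINE)
    if not m:
        raise ValueError(f"{name!r} not found")
    return tuple(UNLIMITED if v == "unlimited" else int(v) for v in m.groups())

def needs_sys_resource(current_hard, new_hard):
    """setrlimit(2): only raising the hard limit requires CAP_SYS_RESOURCE."""
    return new_hard > current_hard

def explain(text, requested=REQUESTED):
    """Say whether setting the hard data limit to `requested` is a raise."""
    _soft, hard = parse_limit(text)
    if needs_sys_resource(hard, requested):
        return f"hard limit {hard} < {requested}: raise needs CAP_SYS_RESOURCE"
    return f"hard limit {hard} >= {requested}: no capability needed"

if __name__ == "__main__":
    import sys
    # With a PID argument, inspect that live process (e.g. the dovecot master);
    # without one, fall back to the constructed sample above.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/limits") as fh:
            print(explain(fh.read()))
    else:
        print(explain(SAMPLE_LIMITS))
```

If the inherited hard limit is already at or above the requested value, the call is not a raise and the capability is not involved.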
