On 2016-04-25 01:04, Christian Boltz wrote:

> Can you check if you still get dovecot-related events in 
> /var/log/audit/audit.log? (tail -f while restarting and using dovecot)
> If in doubt, paste the log lines in your next mail or on 
> paste.opensuse.org (if it's more than 20 lines).

type=SERVICE_STOP msg=audit(1461586326.390:126841): pid=1 uid=0 auid=4294967295 
ses=4294967295  msg=' comm="dovecot" exe="/usr/lib/systemd/systemd" hostname=? 
addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1461586326.391:126842): pid=1 uid=0 
auid=4294967295 ses=4294967295  msg=' comm="dovecot" 
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

And after opening a folder:

type=USER_AUTH msg=audit(1461586375.091:126843): pid=27456 uid=0 
auid=4294967295 ses=4294967295  msg='op=PAM:authentication acct="cer" 
exe="/usr/lib/dovecot/auth" hostname=192.168.1.14 addr=192.168.1.14 
terminal=dovecot res=success'
type=USER_ACCT msg=audit(1461586375.091:126844): pid=27456 uid=0 
auid=4294967295 ses=4294967295  msg='op=PAM:accounting acct="cer" 
exe="/usr/lib/dovecot/auth" hostname=192.168.1.14 addr=192.168.1.14 
terminal=dovecot res=success'
type=USER_AUTH msg=audit(1461586375.097:126845): pid=27457 uid=0 
auid=4294967295 ses=4294967295  msg='op=PAM:authentication acct="cer" 
exe="/usr/lib/dovecot/auth" hostname=192.168.1.14 addr=192.168.1.14 
terminal=dovecot res=success'
type=USER_ACCT msg=audit(1461586375.097:126846): pid=27457 uid=0 
auid=4294967295 ses=4294967295  msg='op=PAM:accounting acct="cer" 
exe="/usr/lib/dovecot/auth" hostname=192.168.1.14 addr=192.168.1.14 
terminal=dovecot res=success'
type=USER_AUTH msg=audit(1461586375.692:126847): pid=27456 uid=0 
auid=4294967295 ses=4294967295  msg='op=PAM:authentication acct="cer" 
exe="/usr/lib/dovecot/auth" hostname=127.0.0.1 addr=127.0.0.1 terminal=dovecot 
res=success'
type=USER_ACCT msg=audit(1461586375.693:126848): pid=27456 uid=0 
auid=4294967295 ses=4294967295  msg='op=PAM:accounting acct="cer" 
exe="/usr/lib/dovecot/auth" hostname=127.0.0.1 addr=127.0.0.1 terminal=dovecot 
res=success'



> Also try to (temporarily) remove the vsz_limit and default_vsz_limit 
> settings in your dovecot config to see if they are causing this problem.

The entries in the audit log change a little:

type=SERVICE_STOP msg=audit(1461586578.088:126879): pid=1 uid=0 auid=4294967295 
ses=4294967295  msg=' comm="dovecot" exe="/usr/lib/systemd/systemd" hostname=? 
addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1461586578.090:126880): pid=1 uid=0 
auid=4294967295 ses=4294967295  msg=' comm="dovecot" 
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1461586586.644:126881): pid=27661 uid=0 
auid=4294967295 ses=4294967295  msg='op=PAM:authentication acct="cer" 
exe="/usr/lib/dovecot/auth" hostname=127.0.0.1 addr=127.0.0.1 terminal=dovecot 
res=success'
type=USER_ACCT msg=audit(1461586586.645:126882): pid=27661 uid=0 
auid=4294967295 ses=4294967295  msg='op=PAM:accounting acct="cer" 
exe="/usr/lib/dovecot/auth" hostname=127.0.0.1 addr=127.0.0.1 terminal=dovecot 
res=success'
type=USER_AUTH msg=audit(1461586597.531:126883): pid=27661 uid=0 
auid=4294967295 ses=4294967295  msg='op=PAM:authentication acct="cer" 
exe="/usr/lib/dovecot/auth" hostname=127.0.0.1 addr=127.0.0.1 terminal=dovecot 
res=success'
type=USER_ACCT msg=audit(1461586597.532:126884): pid=27661 uid=0 
auid=4294967295 ses=4294967295  msg='op=PAM:accounting acct="cer" 
exe="/usr/lib/dovecot/auth" hostname=127.0.0.1 addr=127.0.0.1 terminal=dovecot 
res=success'


The reason for the vsz_limit setting is here:

https://lists.opensuse.org/opensuse/2014-06/msg01077.html

I was getting this error:

dovecot - - -  imap(cer): Error: mmap() failed with file 
/home/cer/Mail/_Lists/.imap/one_mail_folder/dovecot.index.cache: Cannot 
allocate memory


> 
> BTW: 
> 
>> In fact, the change has been applied to
>> /etc/apparmor.d/usr.sbin.dovecot several times:
>>
>>  capability           setuid,
>>   capability           sys_chroot,
>>   capability       sys_resource,
>>   capability      sys_resource,
>>   capability     sys_resource,
>>   capability    sys_resource,
>>   capability   sys_resource,
>>   capability  sys_resource,
>>   capability sys_resource,
> 
> *lol*
> 
> I know the 2.8.x AppArmor tools have quite some bugs (that's one of the 
> reasons why they were rewritten in python for 2.9), but I'm not sure if 
> I have ever seen this one. 
> Anyway, the profile clearly allows the sys_resource capability ;-))
> (having 10 similar lines for it doesn't hurt)


The problem is that when I run aa-logprof, I always get:

Telcontar:~ # aa-logprof 
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile:    /usr/sbin/dovecot
Capability: sys_resource
Severity:   8

(A)llow / [(D)eny] / Audi(t) / Abo(r)t / (F)inish



Maybe I have something set to "audit" and I forgot :-?


-- 
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Evergreen mailing list
Evergreen@lists.rosenauer.org
http://lists.rosenauer.org/mailman/listinfo/evergreen

Reply via email to