Bug#969114: apparmor-profiles: usr.sbin.dovecot does not allow reading /usr/share/dovecot/dh.pem (dovecot fails to start)
I think it's for upstream. There's more rules to add too. I'll try to work on that.

On 2020-10-24 16:05, intrigeri wrote:
> Hi Vincas!
>
> Vincas Dargis (2020-08-27):
> > This is produced if usr.sbin.dovecot is copied to /etc/apparmor.d:
> >
> > ```
> > type=AVC msg=audit(1598556536.092:901): apparmor="DENIED" operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=12625 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > ```
> >
> > This results in dovecot failing to start:
> >
> > ```
> > Aug 27 22:31:47 systemd[1]: Started Dovecot IMAP/POP3 email server.
> > Aug 27 22:31:47 dovecot[13693]: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file /usr/share/dove
> > Aug 27 22:31:47 systemd[1]: dovecot.service: Main process exited, code=exited, status=89/n/a
> > Aug 27 22:31:47 systemd[1]: dovecot.service: Failed with result 'exit-code'.
> > ```
> >
> > It is fixed by adding a single rule:
> >
> > ```
> > /usr/share/dovecot/dh.pem r,
> > ```
>
> Do you think it's too Debian-specific to fix upstream?
>
> Cheers!
Bug#969114: apparmor-profiles: usr.sbin.dovecot does not allow reading /usr/share/dovecot/dh.pem (dovecot fails to start)
Hi Vincas!

Vincas Dargis (2020-08-27):
> This is produced if usr.sbin.dovecot is copied to /etc/apparmor.d:
>
> ```
> type=AVC msg=audit(1598556536.092:901): apparmor="DENIED" operation="open"
> profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=12625 comm="doveconf"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> ```
>
> This results in dovecot failing to start:
>
> ```
> Aug 27 22:31:47 systemd[1]: Started Dovecot IMAP/POP3 email server.
> Aug 27 22:31:47 dovecot[13693]: doveconf: Fatal: Error in configuration file
> /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file
> /usr/share/dove
> Aug 27 22:31:47 systemd[1]: dovecot.service: Main process exited,
> code=exited, status=89/n/a
> Aug 27 22:31:47 systemd[1]: dovecot.service: Failed with result 'exit-code'.
> ```
>
> It is fixed by adding a single rule:
>
> ```
> /usr/share/dovecot/dh.pem r,
> ```

Do you think it's too Debian-specific to fix upstream?

Cheers!
Bug#969114: apparmor-profiles: usr.sbin.dovecot does not allow reading /usr/share/dovecot/dh.pem (dovecot fails to start)
Package: apparmor-profiles
Version: 2.13.2-10
Severity: normal
Tags: upstream

Dear Maintainer,

This is produced if usr.sbin.dovecot is copied to /etc/apparmor.d:

```
type=AVC msg=audit(1598556536.092:901): apparmor="DENIED" operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=12625 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

This results in dovecot failing to start:

```
Aug 27 22:31:47 systemd[1]: Started Dovecot IMAP/POP3 email server.
Aug 27 22:31:47 dovecot[13693]: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file /usr/share/dove
Aug 27 22:31:47 systemd[1]: dovecot.service: Main process exited, code=exited, status=89/n/a
Aug 27 22:31:47 systemd[1]: dovecot.service: Failed with result 'exit-code'.
```

It is fixed by adding a single rule:

```
/usr/share/dovecot/dh.pem r,
```

-- System Information:
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: armhf (armv7l)

Kernel: Linux 4.19.0-10-armmp-lpae (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor-profiles depends on:
ii  apparmor  2.13.2-10

apparmor-profiles recommends no packages.

apparmor-profiles suggests no packages.

-- Configuration Files:
/etc/apparmor.d/bin.ping changed [not included]
/etc/apparmor.d/sbin.klogd changed [not included]
/etc/apparmor.d/sbin.syslog-ng changed [not included]
/etc/apparmor.d/sbin.syslogd changed [not included]
/etc/apparmor.d/usr.sbin.avahi-daemon changed [not included]
/etc/apparmor.d/usr.sbin.dnsmasq changed [not included]
/etc/apparmor.d/usr.sbin.identd changed [not included]
/etc/apparmor.d/usr.sbin.mdnsd changed [not included]
/etc/apparmor.d/usr.sbin.nmbd changed [not included]
/etc/apparmor.d/usr.sbin.nscd changed [not included]
/etc/apparmor.d/usr.sbin.smbd changed [not included]
/etc/apparmor.d/usr.sbin.smbldap-useradd changed [not included]
/etc/apparmor.d/usr.sbin.traceroute changed [not included]

-- no debconf information
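The report above derives the missing profile rule by hand from the `apparmor="DENIED"` audit line. The following is an added example (not part of the bug report or of the apparmor-profiles package) that does the same step mechanically: it parses AppArmor audit events into key/value fields and turns each DENIED file-access event into the `path mask,` rule that would be added to the profile, ignoring ALLOWED (complain-mode) events and exec denials, which need a transition qualifier rather than a plain file rule. The second audit line is constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the first line is the denial quoted in the bug
# report, the second is a made-up complain-mode (ALLOWED) event to be skipped.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1598556536.092:901): apparmor="DENIED" operation="open" '
    'profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=12625 comm="doveconf" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1598556540.000:902): apparmor="ALLOWED" operation="open" '
    'profile="dovecot" name="/etc/dovecot/dovecot.conf" pid=12625 comm="doveconf" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Access bits that map directly onto an AppArmor file rule permission string.
FILE_MASK_CHARS = set("rwamkl")


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit(3) style line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def suggest_file_rule(line: str) -> Optional[str]:
    """Return the AppArmor file rule that would satisfy a DENIED event, else None."""
    f = parse_audit_line(line)
    if f.get("apparmor") != "DENIED":
        return None                      # ALLOWED/AUDIT events need no new rule
    path, mask = f.get("name"), f.get("denied_mask", "")
    if not path or not path.startswith("/"):
        return None                      # not a file-path event (e.g. dbus, network)
    if not mask or not set(mask) <= FILE_MASK_CHARS:
        return None                      # exec ('x') needs ix/px/ux, handled by hand
    return f"{path} {mask},"


def suggest_rules(lines: List[str]) -> List[str]:
    """Unique rules, in first-seen order, for every DENIED file event in the log."""
    seen: Dict[str, None] = {}
    for line in lines:
        rule = suggest_file_rule(line)
        if rule is not None:
            seen.setdefault(rule, None)
    return list(seen)


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_AUDIT_LINES):
        print(rule)                      # prints: /usr/share/dovecot/dh.pem r,
```

Before pasting a suggested rule into the profile, check that the path is one the program legitimately needs (here the Debian-shipped DH parameters read by doveconf) rather than widening the profile to whatever happened to be denied.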