[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-08-10 Thread Robie Basak
OK, rejecting from Bionic then and setting Won't Fix. This can be reconsidered if something new comes up. ** Changed in: apparmor (Ubuntu Bionic) Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-08-04 Thread Steve Beattie
** Changed in: apparmor (Ubuntu) Status: Expired => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1703821 Title: Dovecot and Apparmor complains at

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-08-04 Thread Georgia Garcia
Robie, thank you for taking a look at it. In this case, the user is impacted by noisy logs, since the dovecot profile is in complain mode. That means that AppArmor does not block actions, it only logs them, so that's probably the reason we are not getting more users reporting this. I believe

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-08-03 Thread Robie Basak
Bug 1979879 is similar to this, except for samba in Jammy. In both cases, a workaround is trivially available since a user can safely modify the profile directly in /etc.

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-08-03 Thread Robie Basak
Please also fix the bug status for the Ubuntu development release apparmor package task.

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-08-03 Thread Robie Basak
What's the user impact here please? Just noisy logs, or are users impacted in a more meaningful way? The downside here is that a rebuild of apparmor is going to result in virtually every Ubuntu Bionic user having to download and install an update. The vast majority of whom aren't using dovecot, or

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-08-02 Thread Georgia Garcia
** Description changed: [Impact] Users report that while running dovecot there are some issues reported by AppArmor, specifically regarding "file_inherit" operations: Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED"

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-08-01 Thread Georgia Garcia
I have attached a debdiff for AppArmor containing the upstream fix. ** Description changed: - My server is running Ubuntu 17.04 and Dovecot 2.2.27 (c0f36b0). Apparmor - is still complaining about problems with file_inherit. I have put the - profiles in complain-only mode, so I can continue, but

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-07-27 Thread Bryce Harrington
Per comment #7 (and re-confirmed with security just now), the fix needed is to apparmor, and just needs a cherrypick to fix. ** Changed in: dovecot (Ubuntu Bionic) Status: Triaged => Fix Released

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-03-23 Thread Bryce Harrington
** Tags added: bitesize

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2020-02-17 Thread Christian Ehrhardt 
This is a post 2.13 fix upstream. As mentioned by Christian it is in the backport branches, the respective merge for 2.13 is:
$ git tag --contains 28c4d3a339dea8120eb59fea314bc0026b50
v2.13.3
Thereby this is fixed in E 2.12:
$ git tag --contains 1ce8cd213c1f8948658818ac8a9a964755aac6d0

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2020-02-16 Thread Christian Boltz
For the records: Upstream commit a57f01d86bdb01647966f3eeff7a1cc3fc6abd76 (from 2019-02-10) added rules to allow this (with an additional type=stream restriction, which matches the log mentioned in this bugreport), and was also backported to the maintenance branches. Therefore I'll mark the

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2020-02-15 Thread Launchpad Bug Tracker
[Expired for AppArmor because there has been no activity for 60 days.] ** Changed in: apparmor Status: Incomplete => Expired

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2020-02-15 Thread Launchpad Bug Tracker
[Expired for apparmor (Ubuntu) because there has been no activity for 60 days.] ** Changed in: apparmor (Ubuntu) Status: Incomplete => Expired

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2019-12-17 Thread Jamie Strandboge
@Matyáš, this configuration seems like something you added:
/etc/dovecot/conf.d/10-master.conf
service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user =

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2019-12-17 Thread Jamie Strandboge
Marking the dovecot task as Invalid since it doesn't ship the profiles. ** Changed in: dovecot (Ubuntu) Status: New => Invalid

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread Matyáš Koc
I applied the fix and it looks like it's all working now. I wasn't aware of the anonymous sockets, so I was trying wrong things. Thank you!

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread Seth Arnold
Oh, I always forget that unix has _anonymous_ sockets too. Silly complicated things. Thanks John.

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread John Johansen
This is caused by an anonymous socket communication channel between dovecot and anvil. If this problem is not happening in 16.04 (unless you are using the release kernel) then it will be because of a change to dovecot, newer versions of apparmor have been SRUed back to 16.04

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread Matyáš Koc
It is surprising for me too, as I don't know about this problem on 16.04 LTS and I could not reproduce it. It was probably introduced in 17.04 or around that. I have done some experimenting now and I managed to find out that the problem is caused only by profile for /usr/lib/dovecot/anvil (not

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread John Johansen
It's an anonymous socket. The best you can do is

to /usr/sbin/dovecot/anvil add
  unix (send, receive) peer=(label=/usr/sbin/dovecot),

to /usr/sbin/dovecot add
  unix (send, receive) peer=(label=/usr/sbin/dovecot/anvil),

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread Seth Arnold
I'm surprised about the "addr=none peer_addr=none" -- any idea what's going on here? Thanks ** Also affects: apparmor Importance: Undecided Status: New