[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2020-02-17 Thread Christian Ehrhardt 
This is a post 2.13 fix upstream.
As mentioned by Christian it is in the backport branches, the respective merge 
for 2.13 is:
$ git tag --contains 28c4d3a339dea8120eb59fea314bc0026b50
v2.13.3
Thereby this is fixed in E

2.12:
$ git tag --contains 1ce8cd213c1f8948658818ac8a9a964755aac6d0
v2.12.3

So this would be open for Bionic (but at low prio since the change can be done 
as a user):
$ echo "unix (receive, send) type=stream peer=(label=dovecot)," >> /etc/apparmor.d/local/usr.lib.dovecot.anvil
$ echo "unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil)," >> /etc/apparmor.d/local/usr.sbin.dovecot

** Changed in: dovecot (Ubuntu)
   Status: Invalid => Fix Released

** Also affects: dovecot (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: dovecot (Ubuntu Bionic)
   Status: New => Triaged

** Changed in: dovecot (Ubuntu Bionic)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1703821

Title:
  Dovecot and Apparmor complains at operation file_inherit

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Expired
Status in dovecot package in Ubuntu:
  Fix Released
Status in apparmor source package in Bionic:
  New
Status in dovecot source package in Bionic:
  Triaged

Bug description:
  My server is running Ubuntu 17.04 and Dovecot 2.2.27 (c0f36b0).
  Apparmor is still complaining about problems with file_inherit. I have
  put the profiles in complain-only mode, so I can continue, but still,
  it's a problem.

  Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400
  audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/sbin/dovecot"

  Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400
  audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/lib/dovecot/anvil"

  My configuration of Dovecot has changed slightly:

  /etc/dovecot/dovecot-sql.conf.ext
 driver = mysql
 connect = host=localhost dbname=mail user=mail password=mailpassword
 default_pass_scheme = MD5-CRYPT
 password_query = ...
 user_query = ...

  /etc/dovecot/conf.d/10-auth.conf
 disable_plaintext_auth = yes
 auth_mechanisms = plain login
 #!include auth-system.conf.ext
 !include auth-sql.conf.ext

  /etc/dovecot/conf.d/10-mail.conf
 mail_location = maildir:/var/vmail/%d/%n
 mail_uid = vmail
 mail_gid = mail
 first_valid_uid = 150
 last_valid_uid = 150

  /etc/dovecot/conf.d/10-ssl.conf
 ssl = required
 ssl_cert = 

  /usr/sbin/dovecot flags=(complain,attach_disconnected) {
#include 
#include 
#include 
#include 
#include 
#include 
#include 

capability chown,
capability dac_override,
capability fsetid,
capability kill,
capability net_bind_service,
capability setuid,
capability sys_chroot,
capability sys_resource,

/etc/dovecot/** r,
/etc/mtab r,
/etc/lsb-release r,
/etc/SuSE-release r,
@{PROC}/@{pid}/mounts r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/anvil Px,
/usr/lib/dovecot/auth Px,
/usr/lib/dovecot/config Px,
/usr/lib/dovecot/dict Px,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
/usr/lib/dovecot/lmtp Px,
/usr/lib/dovecot/log Px,
/usr/lib/dovecot/managesieve Px,
/usr/lib/dovecot/managesieve-login Pxmr,
/usr/lib/dovecot/pop3 Px,
/usr/lib/dovecot/pop3-login Pxmr,
/usr/lib/dovecot/ssl-build-param rix,
/usr/lib/dovecot/ssl-params Px,
/usr/sbin/dovecot mrix,
/usr/share/dovecot/protocols.d/   r,
/usr/share/dovecot/protocols.d/** r,
/var/lib/dovecot/ w,
/var/lib/dovecot/* rwkl,
/var/spool/postfix/private/auth w,
/var/spool/postfix/private/dovecot-lmtp w,
/{,var/}run/dovecot/ rw,
/{,var/}run/dovecot/** rw,
link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,

# Site-specific additions and overrides. See local/README for details.
#include 
  }

  Profile usr.lib.dovecot.anvil:

  #include 

  /usr/lib/dovecot/anvil flags=(complain) {
#include 
#include 

capability setuid,
capability sys_chroot,

/usr/lib/dovecot/anvil mr,

# Site-specific additions and overrides. See local/README for details.
#include 
  }

To manage notifications about this bug go to:

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2020-02-16 Thread Christian Boltz
For the records: Upstream commit
a57f01d86bdb01647966f3eeff7a1cc3fc6abd76 (from 2019-02-10) added rules
to allow this (with an additional type=stream restriction, which matches
the log mentioned in this bugreport), and was also backported to the
maintenance branches.


Therefore I'll mark the AppArmor part as "fix released".

** Changed in: apparmor
   Status: Expired => Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1703821/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
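
The rule derivation behind the workaround and the upstream fix discussed in this thread, as an added example that is not part of any message here or of the AppArmor project's code: it reads the audit records from the bug description and emits the matching `unix` rule for each profile's local override file. The function names, the profile-path-to-filename mapping and the third log line are assumptions made for this illustration.

```python
import re

# The two audit records quoted in the bug description, re-joined onto single
# lines, followed by one constructed non-socket record that must be skipped.
SAMPLE_LOG = """\
Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
Jul 12 13:31:20 myserver kernel: [ 3906.000000] audit: type=1400 audit(1499859080.000:365): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/constructed/example" pid=3766 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log fields end up inside a policy file, so accept only plain label characters.
SAFE_LABEL = re.compile(r'[\w./-]+')
SOCK_TYPES = {"stream", "dgram", "seqpacket"}
PERMS = {"send", "receive"}
LOCAL_DIR = "/etc/apparmor.d/local/"


def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def unix_rule(rec):
    """Map a unix-socket audit record to (local override file, rule) or None."""
    if rec.get("family") != "unix" or rec.get("sock_type") not in SOCK_TYPES:
        return None
    profile, peer = rec.get("profile", ""), rec.get("peer", "")
    perms = sorted(set(rec.get("denied_mask", "").split()) & PERMS)
    if not perms:
        return None
    if not SAFE_LABEL.fullmatch(profile) or not SAFE_LABEL.fullmatch(peer):
        return None
    # Assumption: the profile is named after the binary path and its local
    # override file follows the usr.lib.dovecot.anvil naming seen in the thread.
    local_file = LOCAL_DIR + profile.strip("/").replace("/", ".")
    # The type= restriction mirrors sock_type in the record; the peer label is
    # whatever profile name the kernel logged for the other end of the socket.
    rule = "unix ({}) type={} peer=(label={}),".format(
        ", ".join(perms), rec["sock_type"], peer)
    return local_file, rule


def suggest(log_text):
    """Collect de-duplicated rules per local override file, in log order."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        hit = unix_rule(rec) if rec else None
        if hit and hit[1] not in out.setdefault(hit[0], []):
            out[hit[0]].append(hit[1])
    return out


if __name__ == "__main__":
    for path, rules in suggest(SAMPLE_LOG).items():
        print(path)
        for rule in rules:
            print("    " + rule)
```

The peer label is taken from the log, so on a release where the main profile is named `dovecot` rather than `/usr/sbin/dovecot` the same records yield `peer=(label=dovecot)`; reload the affected profiles with `apparmor_parser -r` after editing a local override.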


[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2020-02-15 Thread Launchpad Bug Tracker
[Expired for AppArmor because there has been no activity for 60 days.]

** Changed in: apparmor
   Status: Incomplete => Expired


[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2020-02-15 Thread Launchpad Bug Tracker
[Expired for apparmor (Ubuntu) because there has been no activity for 60
days.]

** Changed in: apparmor (Ubuntu)
   Status: Incomplete => Expired


[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2019-12-17 Thread Jamie Strandboge
@Matyáš, this configuration seems like something you added:

/etc/dovecot/conf.d/10-master.conf
   service auth {
     unix_listener auth-userdb {
       mode = 0666
       user = vmail
       group = mail
     }
     unix_listener /var/spool/postfix/private/auth {
       mode = 0666
       user = postfix
       group = postfix
     }
   }

Is this a standard configuration?


** Changed in: apparmor (Ubuntu)
   Status: New => Incomplete

** Changed in: apparmor
   Status: New => Incomplete


[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2019-12-17 Thread Jamie Strandboge
Marking the dovecot task as Invalid since it doesn't ship the profiles.

** Changed in: dovecot (Ubuntu)
   Status: New => Invalid


[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread Matyáš Koc
I applied the fix and it looks like it's all working now. I wasn't aware
of the anonymous sockets, so I was trying wrong things.

Thank you!


[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread Seth Arnold
Oh, I always forget that unix has _anonymous_ sockets too. Silly
complicated things. Thanks John.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1703821

Title:
  Dovecot and Apparmor complains at operation file_inherit

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New
Status in dovecot package in Ubuntu:
  New



[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread John Johansen
This is caused by an anonymous socket communication channel between
dovecot and anvil. If this problem is not happening in 16.04 (unless you
are using the release kernel) then it will be because of a change to
dovecot; newer versions of apparmor have been SRUed back to 16.04.



[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread Matyáš Koc
It is surprising for me too, as I don't know about this problem on 16.04
LTS and I could not reproduce it. It was probably introduced in 17.04 or
around that.

I have done some experimenting now and I managed to find out that the
problem is caused only by the profile for /usr/lib/dovecot/anvil (not the
dovecot profile itself). Also, adding just "signal," to the profile
didn't work.



[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread John Johansen
It's an anonymous socket. The best you can do is

to /usr/sbin/dovecot/anvil add
  unix (send, receive) peer=(label=/usr/sbin/dovecot),

to /usr/sbin/dovecot add
  unix (send, receive) peer=(label=/usr/sbin/dovecot/anvil),

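A peer-label rule of the kind suggested in this message can be derived mechanically from the audit records: the `profile=` field names the profile to edit and the `peer=` field supplies the label. The following is an added example, not code from the thread or from the AppArmor project; it parses the two records from the bug description, and the function names and the mapping of a path-named profile to its `/etc/apparmor.d/local/` file are assumptions of the example.

```python
import re
from collections import defaultdict

# The two audit records from the bug description, each re-joined into one string.
AUDIT_LINES = [
    'Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 '
    'audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" '
    'profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" '
    'sock_type="stream" protocol=0 requested_mask="send receive" '
    'denied_mask="send receive" addr=none peer_addr=none '
    'peer="/usr/sbin/dovecot"',
    'Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 '
    'audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" '
    'profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" '
    'sock_type="stream" protocol=0 requested_mask="send receive" '
    'denied_mask="send receive" addr=none peer_addr=none '
    'peer="/usr/lib/dovecot/anvil"',
]

# key=value or key="quoted value"; the quoted form is tried first.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in FIELD.findall(line)}


def unix_rule(fields):
    """Build a unix rule for an anonymous-socket record, else return None."""
    # "ALLOWED" is what complain mode logs for access that enforce mode denies.
    if fields.get("apparmor") not in ("ALLOWED", "DENIED"):
        return None
    if fields.get("family") != "unix":
        return None
    if not fields.get("profile") or not fields.get("peer"):
        return None
    # Anonymous sockets log addr=none and peer_addr=none, so there is no
    # address to match on; the peer's label is the only usable condition.
    if fields.get("addr") != "none" or fields.get("peer_addr") != "none":
        return None
    perms = ", ".join(sorted(fields.get("denied_mask", "").split()))
    if not perms:
        return None
    rule = "unix (%s)" % perms
    if fields.get("sock_type"):
        rule += " type=%s" % fields["sock_type"]
    return rule + " peer=(label=%s)," % fields["peer"]


def local_override(profile):
    """Map a path-named profile to its local override file (assumed layout)."""
    return "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")


def suggest(lines):
    """Group the de-duplicated rules by the local override file to edit."""
    out = defaultdict(set)
    for line in lines:
        fields = parse_record(line)
        rule = unix_rule(fields)
        if rule:
            out[local_override(fields["profile"])].add(rule)
    return {path: sorted(rules) for path, rules in sorted(out.items())}
```

Records for named or abstract sockets (an `addr` other than `none`) are skipped on purpose, since those can be confined more tightly by address than by peer label alone.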


[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2017-07-12 Thread Seth Arnold
I'm surprised about the "addr=none peer_addr=none" -- any idea what's
going on here?

Thanks

** Also affects: apparmor
   Importance: Undecided
   Status: New
