I'd even recommend to restrict it a bit more:

  owner /tmp/antispam-mail*/ rw,
  owner /tmp/antispam-mail*/* rwkl,

sendmail might be a candidate for a child profile. Such a (maybe too generous) profile already exists in the dovecot-lda profile, so cleaning it up and removing permissions that are not needed for "just" sending a mail might be a good idea. I won't object if you provide a generic sendmail profile that we can Px into (feel free to use the child profile in dovecot-lda as a base), but that needs much more testing before shipping and enforcing it in the default setup.

** Also affects: apparmor
   Importance: Undecided
       Status: New

** Tags added: aa-policy

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/482080

Title:
  Dovecot's apparmor profile breaks dovecot-antispam

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New
Status in dovecot-antispam package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: dovecot-antispam

  On my Ubuntu 9.10, with the following versions of the packages installed:
  dovecot-antispam : 1.1+20090218.git.g28075fa-2
  apparmor-profiles : 2.3.1+1403-0ubuntu27.1

  The antispam plugin tries to use folders in /tmp/ (like "/tmp/antispam-mail-QXCQTR/") as a temporary storage zone. But it is prevented from doing so by apparmor

  | dmesg |tail
  | [553173.563468] type=1502 audit(1258103977.311:86928): operation="mkdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
  | [553173.563884] type=1502 audit(1258103977.311:86929): operation="rmdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
  | [...]
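One way to check the two suggested `owner` rules against the logged denials, as an added example that is not part of the original bug report or of AppArmor's own tooling. It parses audit lines in the format quoted in the bug description; the glob matching is a simplified approximation of AppArmor's, the reading of the `w::` mask is an assumption, and the last two sample lines are constructed to show accesses the rules would still deny.

```python
import re

# The two `owner` rules suggested in the comment: (owner_only, glob, perms).
RULES = [(True, "/tmp/antispam-mail*/", "rw"),
         (True, "/tmp/antispam-mail*/*", "rwkl")]

# Lines 1-2 are the denials quoted in the bug description; lines 3-4 are
# constructed (a file owned by another uid, a file in a nested subdirectory).
SAMPLE_LOG = """\
[553173.563468] type=1502 audit(1258103977.311:86928): operation="mkdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
[553173.563884] type=1502 audit(1258103977.311:86929): operation="rmdir" pid=27322 parent=31402 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/"
[000000.000001] type=1502 audit(0.001:1): operation="open" pid=1 parent=1 profile="/usr/lib/dovecot/imap" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=0 name="/tmp/antispam-mail-0doKnn/msg"
[000000.000002] type=1502 audit(0.002:2): operation="open" pid=1 parent=1 profile="/usr/lib/dovecot/imap" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/tmp/antispam-mail-0doKnn/sub/msg"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def glob_to_regex(glob):
    """Simplified AppArmor glob: '**' crosses '/', '*' and '?' do not."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.findall(r"\*\*|\*|\?|[^*?]+", glob)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def covered(denial, rules=RULES):
    """True if some rule grants every denied permission for this access."""
    # Assumption: the letters before '::' in the old mask format are the
    # permissions that were requested and denied.
    wanted = set(denial["denied_mask"].rstrip(":"))
    is_owner = denial["fsuid"] == denial["ouid"]  # what `owner` requires
    for owner_only, glob, perms in rules:
        if owner_only and not is_owner:
            continue
        if glob_to_regex(glob).match(denial["name"]) and wanted <= set(perms):
            return True
    return False

def check_log(log=SAMPLE_LOG):
    """Return (operation, name, covered) for every AppArmor denial in log."""
    denials = [parse_denial(line) for line in log.splitlines()]
    return [(d["operation"], d["name"], covered(d))
            for d in denials if "denied_mask" in d and "name" in d]

if __name__ == "__main__":
    for op, name, ok in check_log():
        print(f"{'covered' if ok else 'STILL DENIED':13} {op:6} {name}")
```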