Oh, I always forget that unix has _anonymous_ sockets too. Silly
complicated things. Thanks John.

https://bugs.launchpad.net/bugs/1703821

Title:
  Dovecot and Apparmor complains at operation file_inherit

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New
Status in dovecot package in Ubuntu:
  New

Bug description:
  My server is running Ubuntu 17.04 and Dovecot 2.2.27 (c0f36b0).
  AppArmor still reports file_inherit denials. I have put the profiles in
  complain-only mode so I can continue, but it is still a problem.

  Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400
  audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/sbin/dovecot"

  Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400
  audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/lib/dovecot/anvil"

  My configuration of Dovecot has changed slightly:

  /etc/dovecot/dovecot-sql.conf.ext
     driver = mysql
     connect = host=localhost dbname=mail user=mail password=mailpassword
     default_pass_scheme = MD5-CRYPT
     password_query = ...
     user_query = ...

  /etc/dovecot/conf.d/10-auth.conf
     disable_plaintext_auth = yes
     auth_mechanisms = plain login
     #!include auth-system.conf.ext
     !include auth-sql.conf.ext

  /etc/dovecot/conf.d/10-mail.conf
     mail_location = maildir:/var/vmail/%d/%n
     mail_uid = vmail
     mail_gid = mail
     first_valid_uid = 150
     last_valid_uid = 150

  /etc/dovecot/conf.d/10-ssl.conf
     ssl = required
     ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
     ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
     ssl_dh_parameters_length = 4096
     ssl_protocols = ...
     ssl_cipher_list = ...
     ssl_prefer_server_ciphers = yes

  /etc/dovecot/conf.d/10-master.conf
     service auth {
       unix_listener auth-userdb {
         mode = 0666
         user = vmail
         group = mail
       }
       unix_listener /var/spool/postfix/private/auth {
         mode = 0666
         user = postfix
         group = postfix
       }
     }

  /etc/dovecot/conf.d/15-lda.conf
     postmaster_address = ...

  
  Apparmor usr.sbin.dovecot profile:

  #include <tunables/global>

  /usr/sbin/dovecot flags=(complain,attach_disconnected) {
    #include <abstractions/authentication>
    #include <abstractions/base>
    #include <abstractions/dovecot-common>
    #include <abstractions/mysql>
    #include <abstractions/nameservice>
    #include <abstractions/ssl_certs>
    #include <abstractions/ssl_keys>

    capability chown,
    capability dac_override,
    capability fsetid,
    capability kill,
    capability net_bind_service,
    capability setuid,
    capability sys_chroot,
    capability sys_resource,

    /etc/dovecot/** r,
    /etc/mtab r,
    /etc/lsb-release r,
    /etc/SuSE-release r,
    @{PROC}/@{pid}/mounts r,
    /usr/bin/doveconf rix,
    # Px: child helpers run under their own profiles, so any fd dovecot
    # hands them (see the unix socket note below) is checked against both
    # the parent and the child profile at the transition.
    /usr/lib/dovecot/anvil Px,
    /usr/lib/dovecot/auth Px,
    /usr/lib/dovecot/config Px,
    /usr/lib/dovecot/dict Px,
    /usr/lib/dovecot/dovecot-auth Pxmr,
    /usr/lib/dovecot/imap Pxmr,
    /usr/lib/dovecot/imap-login Pxmr,
    /usr/lib/dovecot/lmtp Px,
    /usr/lib/dovecot/log Px,
    /usr/lib/dovecot/managesieve Px,
    /usr/lib/dovecot/managesieve-login Pxmr,
    /usr/lib/dovecot/pop3 Px,
    /usr/lib/dovecot/pop3-login Pxmr,
    /usr/lib/dovecot/ssl-build-param rix,
    /usr/lib/dovecot/ssl-params Px,
    /usr/sbin/dovecot mrix,
    /usr/share/dovecot/protocols.d/   r,
    /usr/share/dovecot/protocols.d/** r,
    /var/lib/dovecot/ w,
    /var/lib/dovecot/* rwkl,
    /var/spool/postfix/private/auth w,
    /var/spool/postfix/private/dovecot-lmtp w,
    /{,var/}run/dovecot/ rw,
    /{,var/}run/dovecot/** rw,
    link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,

    # NOTE(review): the audit entries quoted in the bug description show
    # operation="file_inherit" family="unix" sock_type="stream" addr=none
    # peer_addr=none with peer="/usr/lib/dovecot/anvil" for this profile,
    # i.e. an anonymous unix stream socket shared with anvil across the Px
    # transition above. No rule visible in this profile grants send/receive
    # on it (whether abstractions/dovecot-common does cannot be told from
    # here). A rule of the form
    #   unix (send, receive) type=stream peer=(label=/usr/lib/dovecot/anvil),
    # would cover this side; the anvil profile needs the mirror rule with
    # peer=(label=/usr/sbin/dovecot). While flags=(complain) is set these
    # show up as apparmor="ALLOWED"; in enforce mode they would be denied.
    # Verify against the abstraction before relying on this.

    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.sbin.dovecot>
  }

  AppArmor usr.lib.dovecot.anvil profile:

  #include <tunables/global>

  /usr/lib/dovecot/anvil flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/dovecot-common>

    capability setuid,
    capability sys_chroot,

    /usr/lib/dovecot/anvil mr,

    # NOTE(review): the audit entries quoted in the bug description show
    # operation="file_inherit" family="unix" sock_type="stream" addr=none
    # peer_addr=none with peer="/usr/sbin/dovecot" for this profile, i.e.
    # an anonymous unix stream socket inherited from dovecot when it Px'd
    # into anvil. No rule visible here grants send/receive on it (whether
    # abstractions/dovecot-common does cannot be told from here). A rule of
    # the form
    #   unix (send, receive) type=stream peer=(label=/usr/sbin/dovecot),
    # would cover this side; the dovecot profile needs the mirror rule.
    # With flags=(complain) the accesses are logged as ALLOWED; in enforce
    # mode anvil would lose its channel to the parent. Verify against the
    # abstraction before relying on this.

    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.lib.dovecot.anvil>
  }

