dovecot imap-login profile missing inet6 access
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| apparmor (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
| Precise |
Fix Released
|
Medium
|
Unassigned | ||
| apparmor (openSUSE) |
Fix Released
|
Medium
|
|||
Bug Description
the usr.lib.
inet
References: https:/
=== modified file 'profiles/
--- profiles/
+++ profiles/
@@ -11,6 +11,7 @@
capability sys_chroot,
network inet stream,
+ network inet6 stream,
/usr/
/{,var/
Related branches
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
I had some trouble with the AppArmor profiles for Dovecot. After running
aa-complain /usr/lib/
for a while, aa-logprof failed to create a working profile.
The relevant lines from /var/log/
type=AVC msg=audit(
After running aa-logconf, the profile did contain the line
network inet stream,
but what actually was needed was
network inet6 stream,
After adding this to the profile, everything works.
Reproducible: Always
The "network inet stream" is already in the packaged profile - in other words: it doesn't count ;-)
The problem is caused by a change in the logging format. See the upstream bugreport https:/
(just tested - logprof works if you delete the "lport=143" part)
Independent from that - are there other dovecot-related profiles that need an inet6 rule added? I'd guess usr.lib.
(In reply to comment #1)
> The "network inet stream" is already in the packaged profile - in other words:
> it doesn't count ;-)
Fair enough.
> The problem is caused by a change in the logging format. See the upstream
> bugreport https:/
> (just tested - logprof works if you delete the "lport=143" part)
Ouch! That's over 9 months old already. Any chance of fixing this?
> Independent from that - are there other dovecot-related profiles that need an
> inet6 rule added? I'd guess usr.lib.
> at least it already contains an inet rule.
I don't know, but I guess one would need this if using IPv6 to connect. Updates to sieve scripts on my system oddly enough will use 127.0.0.1, so these will be allowed by the existing rule. However, updating still fails:
Apr 5 23:08:34 mail dovecot: managesieve-login: Login: user=<arjen>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=9319, secured
Apr 5 23:08:34 mail dovecot: managesieve(arjen): Error: sieve-storage: open(/home/
Apr 5 23:08:35 mail dovecot: managesieve(arjen): Connection closed bytes=7979/489
I can make this work again by running /usr/sbin/dovecot in complain mode, but strangely enough this doesn't log anything in /var/log/
(In reply to comment #2)
> (In reply to comment #1)
> > The problem is caused by a change in the logging format. See the upstream
> > bugreport https:/
>
> Ouch! That's over 9 months old already. Any chance of fixing this?
AFAIK Steve is working on a patch already, so there's hope ;-)
> > Independent from that - are there other dovecot-related profiles that need an
> > inet6 rule added? I'd guess usr.lib.
> > at least it already contains an inet rule.
>
> I don't know, but I guess one would need this if using IPv6 to connect. Updates
> to sieve scripts on my system oddly enough will use 127.0.0.1,
Not ::1 ? ;-)
Seriously: allowing IPv6 isn't a big risk IMHO, so I'll propose it upstream.
> However, updating still fails:
> open(/home/
> failed: Permission denied
> I can make this work again by running /usr/sbin/dovecot in complain mode, but
> strangely enough this doesn't log anything in /var/log/
Indeed, that sounds really strange.
What happens if you add
/home/
to your dovecot profile and switch it back to enforce mode?
(In reply to comment #3)
> Indeed, that sounds really strange.
I found problem with aa-logprof failing to update the profile. It gets confused if you keep your backup copies in the same directory (which is understandable). After moving them out of the way, it worked as expected. :-)
> What happens if you add
> /home/arjen/
> to your dovecot profile and switch it back to enforce mode?
That almost worked. :-)
I added
/home/*/*.sieve rw,
/home/
/home/
and after that, I could update my sieve scripts again. But where sieve scripts are stored is probably going to be pretty site-specific, so I don't think this will be worth adding to the default profile.
Fixed upstream in lp:apparmor commit r2021
This bug was fixed in the package apparmor - 2.7.102-0ubuntu3
---------------
apparmor (2.7.102-0ubuntu3) precise; urgency=low
[ Jamie Strandboge ]
* debian/
to describe Ubuntu's two-stage policy load and how to add utilize it
when developing policy (LP: #974089)
[ Serge Hallyn ]
* debian/
removed once stacked profiles are supported and used by lxc.
(LP: #978297)
[ Steve Beattie ]
* debian/
for change_profile onexec (LP: #963756)
* debian/
debian/
to support the 'in' keyword for value lists, and make mount
operations aware of 'in' keyword so they can affect the flags build
list (LP: #959560)
* debian/
exec events in complain mode (LP: #872446)
* debian/
dovecot imap-login profile (LP: #978584)
* debian/
log parsing library from dropping apparmor network events that
contain ip addresses or ports in them (LP: #800826)
* debian/
syntax and usage in apparmor.d(5) manpage (LP: #979095)
* debian/
for profiles without attachment specification (LP: #963756,
LP: #978038)
* debian/
loading policy to kernels without compat patches (LP: #968956)
* debian/
grant access to /proc/attr api (LP: #979135)
-- Steve Beattie <email address hidden> 2012年4月12日 06:17:42 -0500
(In reply to comment #4)
> I added
>
> /home/*/*.sieve rw,
> /home/*
> /home/*
>
> and after that, I could update my sieve scripts again. But where sieve scripts
> are stored is probably going to be pretty site-specific, so I don't think this
> will be worth adding to the default profile.
Indeed, that makes things interesting[tm] ;-)
FYI: the main bug is fixed upstream (bzr r2022).
I also added the patch in home:cboltz (currently building) and will forward it to security:apparmor if it works as expected.
This is an autogenerated message for OBS integration:
This bug (755923) was mentioned in
https:/
Fixed in security:apparmor (where you can also find packages for 12.1) and factory.
I'll probably also submit an update for 12.1 when AppArmor 2.7.3 is released (whenever that is - there is no planned release date yet).