dovecot imap-login profile missing inet6 access

Bug #978584 reported by Steve Beattie
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Medium
Unassigned
Precise
Fix Released
Medium
Unassigned
apparmor (openSUSE)
Fix Released
Medium

Bug Description

the usr.lib.dovecot.imap-login profile should allow inet6 in addition to
inet

References: https://bugzilla.novell.com/show_bug.cgi?id=755923

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login'
--- profiles/apparmor.d/usr.lib.dovecot.imap-login
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login
@@ -11,6 +11,7 @@
capability sys_chroot,

network inet stream,
+ network inet6 stream,

/usr/lib/dovecot/imap-login mr,
/{,var/}run/dovecot/login/ r,

Related branches

Revision history for this message

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0

I had some trouble with the AppArmor profiles for Dovecot. After running

aa-complain /usr/lib/dovecot/imap-login

for a while, aa-logprof failed to create a working profile.

The relevant lines from /var/log/audit/audit.log indicated many instances of the following variety:

type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6

After running aa-logconf, the profile did contain the line

network inet stream,

but what actually was needed was

network inet6 stream,

After adding this to the profile, everything works.

Reproducible: Always

Revision history for this message

The "network inet stream" is already in the packaged profile - in other words: it doesn't count ;-)

The problem is caused by a change in the logging format. See the upstream bugreport https://bugs.launchpad.net/apparmor/+bug/800826
(just tested - logprof works if you delete the "lport=143" part)

Independent from that - are there other dovecot-related profiles that need an inet6 rule added? I'd guess usr.lib.dovecot.managesieve-login could need it - at least it already contains an inet rule.

Revision history for this message

(In reply to comment #1)

> The "network inet stream" is already in the packaged profile - in other words:
> it doesn't count ;-)

Fair enough.

> The problem is caused by a change in the logging format. See the upstream
> bugreport https://bugs.launchpad.net/apparmor/+bug/800826
> (just tested - logprof works if you delete the "lport=143" part)

Ouch! That's over 9 months old already. Any chance of fixing this?

> Independent from that - are there other dovecot-related profiles that need an
> inet6 rule added? I'd guess usr.lib.dovecot.managesieve-login could need it -
> at least it already contains an inet rule.

I don't know, but I guess one would need this if using IPv6 to connect. Updates to sieve scripts on my system oddly enough will use 127.0.0.1, so these will be allowed by the existing rule. However, updating still fails:

Apr 5 23:08:34 mail dovecot: managesieve-login: Login: user=<arjen>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=9319, secured
Apr 5 23:08:34 mail dovecot: managesieve(arjen): Error: sieve-storage: open(/home/arjen/sieve/tmp/ingo-1333660114.M954214P9319.mail.sieve) failed: Permission denied
Apr 5 23:08:35 mail dovecot: managesieve(arjen): Connection closed bytes=7979/489

I can make this work again by running /usr/sbin/dovecot in complain mode, but strangely enough this doesn't log anything in /var/log/audit/audit.log. But this is probably unrelated and will be something in the profile for /usr/sbin/dovecot.

Revision history for this message

(In reply to comment #2)
> (In reply to comment #1)
> > The problem is caused by a change in the logging format. See the upstream
> > bugreport https://bugs.launchpad.net/apparmor/+bug/800826
>
> Ouch! That's over 9 months old already. Any chance of fixing this?

AFAIK Steve is working on a patch already, so there's hope ;-)

> > Independent from that - are there other dovecot-related profiles that need an
> > inet6 rule added? I'd guess usr.lib.dovecot.managesieve-login could need it -
> > at least it already contains an inet rule.
>
> I don't know, but I guess one would need this if using IPv6 to connect. Updates
> to sieve scripts on my system oddly enough will use 127.0.0.1,

Not ::1 ? ;-)
Seriously: allowing IPv6 isn't a big risk IMHO, so I'll propose it upstream.

> However, updating still fails:

> open(/home/arjen/sieve/tmp/ingo-1333660114.M954214P9319.mail.sieve)
> failed: Permission denied

> I can make this work again by running /usr/sbin/dovecot in complain mode, but
> strangely enough this doesn't log anything in /var/log/audit/audit.log.

Indeed, that sounds really strange.
What happens if you add
/home/arjen/sieve/tmp/*.mail.sieve rw,
to your dovecot profile and switch it back to enforce mode?

Revision history for this message

(In reply to comment #3)

> Indeed, that sounds really strange.

I found problem with aa-logprof failing to update the profile. It gets confused if you keep your backup copies in the same directory (which is understandable). After moving them out of the way, it worked as expected. :-)

> What happens if you add
> /home/arjen/sieve/tmp/*.mail.sieve rw,
> to your dovecot profile and switch it back to enforce mode?

That almost worked. :-)

I added

/home/*/*.sieve rw,
/home/*/sieve/*.sieve w,
/home/*/sieve/tmp/*.sieve rw,

and after that, I could update my sieve scripts again. But where sieve scripts are stored is probably going to be pretty site-specific, so I don't think this will be worth adding to the default profile.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Fixed upstream in lp:apparmor commit r2021

Changed in apparmor (openSUSE):
importance: Unknown → Medium
status: Unknown → Incomplete
Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
milestone: none → ubuntu-12.04
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3

---------------
apparmor (2.7.102-0ubuntu3) precise; urgency=low

[ Jamie Strandboge ]
* debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5)
to describe Ubuntu's two-stage policy load and how to add utilize it
when developing policy (LP: #974089)

[ Serge Hallyn ]
* debian/apparmor.init: do nothing in a container. This can be
removed once stacked profiles are supported and used by lxc.
(LP: #978297)

[ Steve Beattie ]
* debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping
for change_profile onexec (LP: #963756)
* debian/patches/0009-apparmor-lp959560-part1.patch,
debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser
to support the 'in' keyword for value lists, and make mount
operations aware of 'in' keyword so they can affect the flags build
list (LP: #959560)
* debian/patches/0011-apparmor-lp872446.patch: fix logprof missing
exec events in complain mode (LP: #872446)
* debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in
dovecot imap-login profile (LP: #978584)
* debian/patches/0013-apparmor-lp800826.patch: fix libapparmor
log parsing library from dropping apparmor network events that
contain ip addresses or ports in them (LP: #800826)
* debian/patches/0014-apparmor-lp979095.patch: document new mount rule
syntax and usage in apparmor.d(5) manpage (LP: #979095)
* debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec
for profiles without attachment specification (LP: #963756,
LP: #978038)
* debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when
loading policy to kernels without compat patches (LP: #968956)
* debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to
grant access to /proc/attr api (LP: #979135)
-- Steve Beattie <email address hidden> 2012年4月12日 06:17:42 -0500

Changed in apparmor (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message

(In reply to comment #4)
> I added
>
> /home/*/*.sieve rw,
> /home/*/sieve/*.sieve w,
> /home/*/sieve/tmp/*.sieve rw,
>
> and after that, I could update my sieve scripts again. But where sieve scripts
> are stored is probably going to be pretty site-specific, so I don't think this
> will be worth adding to the default profile.

Indeed, that makes things interesting[tm] ;-)

FYI: the main bug is fixed upstream (bzr r2022).
I also added the patch in home:cboltz (currently building) and will forward it to security:apparmor if it works as expected.

Changed in apparmor (openSUSE):
status: Incomplete → Confirmed
Revision history for this message

This is an autogenerated message for OBS integration:
This bug (755923) was mentioned in
https://build.opensuse.org/request/show/113963 Factory / apparmor

Revision history for this message

Fixed in security:apparmor (where you can also find packages for 12.1) and factory.

I'll probably also submit an update for 12.1 when AppArmor 2.7.3 is released (whenever that is - there is no planned release date yet).

Changed in apparmor (openSUSE):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

AltStyle によって変換されたページ (->オリジナル) /