Package: msmtp
Version: 1.8.23
Debian version: 12.11
Linux kernel: 6.1.0-31-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.128-1 (2025-02-07) x86_64 GNU/Linux

Sending a mail using msmtp with GSSAPI authentication while AppArmor is enabled
fails because the file /etc/gssapi_mech.conf is not readable in the msmtp
AppArmor profile.

$ cat message.txt | msmtp --read-envelope-from --read-recipients --tls=on --auth=gssapi --host=XXX --port=25 --user=XXX
warning: unable to open /etc/gssapi_mech.conf: errno 13 (Permission denied)
msmtp: GNU SASL: GSSAPI error in client while negotiating security context in
gss_init_sec_context() in SASL library. This is most likely due to insufficient
credentials or malicious interactions.
msmtp: could not send mail
$ ls -l /etc/gssapi_mech.conf
-rw-r--r-- 1 root root 834 Aug 16 2022 /etc/gssapi_mech.conf
$ cat /etc/gssapi_mech.conf
# Example /etc/gssapi_mech.conf file
#
# GSSAPI Mechanism Definitions
[...]

Corresponding audit log:

AVC apparmor="DENIED" operation="open" profile="msmtp" name="/etc/gssapi_mech.conf" pid=1759102 comm="msmtp" requested_mask="r" denied_mask="r" fsuid=5022 ouid=0

The msmtp package depends on libgsasl18, which depends on libgssglue1, which
provides the /etc/gssapi_mech.conf file.

Allowing msmtp to read this file in its AppArmor profiles fixes the issue.

/etc/apparmor.d/usr.bin.msmtp:
[...]
# kerberos related
/tmp/{,.}krb5cc_* rwk,
/etc/gss/mech.d/ r,
/etc/gss/mech.d/** r,
+ /etc/gssapi_mech.conf r,
[...]
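
Review bot: the added "/etc/gssapi_mech.conf r," rule sits under the "# kerberos related" comment with nothing saying where the file comes from; a one-line comment above it noting that the file is shipped by libgssglue1 (pulled in through libgsasl18) would explain why a path outside /etc/gss/mech.d/ is listed. The "r" permission matches the denied_mask="r" in the audit log, so the rule is no broader than the denial requires.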

Thank you,
--
Louis
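
The following is an added example, not part of the original report or of the msmtp or AppArmor code: a small parser that turns AppArmor file denials like the one quoted above into candidate profile rules. The log lines other than the first, and the names denied_file_rules, parse_fields and SAMPLE_LOG, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit lines. The first repeats the denial quoted in the
# report, joined onto one line; the other three are invented for contrast.
SAMPLE_LOG = """\
AVC apparmor="DENIED" operation="open" profile="msmtp" name="/etc/gssapi_mech.conf" pid=1759102 comm="msmtp" requested_mask="r" denied_mask="r" fsuid=5022 ouid=0
AVC apparmor="DENIED" operation="open" profile="msmtp" name="/etc/gssapi_mech.conf" pid=1759140 comm="msmtp" requested_mask="r" denied_mask="r" fsuid=5022 ouid=0
AVC apparmor="DENIED" operation="mknod" profile="msmtp" name="/tmp/example.lock" pid=1759141 comm="msmtp" requested_mask="c" denied_mask="c" fsuid=5022 ouid=5022
AVC apparmor="ALLOWED" operation="open" profile="other" name="/etc/hosts" pid=42 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks "c" (create) and "d" (delete) are granted by "w" in a profile rule.
LOG_TO_RULE = {"c": "w", "d": "w"}
PERM_ORDER = "rwaklmx"


def parse_fields(line):
    """Split one audit line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def denied_file_rules(log_text, profile):
    """Return candidate file rules for paths denied to the given profile."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != profile:
            continue
        if "name" not in fields or "denied_mask" not in fields:
            continue  # not a file denial (for example a capability denial)
        for ch in fields["denied_mask"]:
            perms[fields["name"]].add(LOG_TO_RULE.get(ch, ch))
    return [
        "{} {},".format(path, "".join(sorted(mask, key=PERM_ORDER.find)))
        for path, mask in sorted(perms.items())
    ]


if __name__ == "__main__":
    for rule in denied_file_rules(SAMPLE_LOG, "msmtp"):
        print(rule)
```

The output is a list of candidates to review before anything goes into a profile; repeated denials for the same path collapse into one rule, and only the permissions that were actually denied are proposed.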