What's the user impact here please? Just noisy logs, or are users impacted in a more meaningful way? The downside here is that a rebuild of apparmor is going to result in virtually every Ubuntu Bionic user having to download and install an update, the vast majority of whom aren't using dovecot, and even those that are don't have this profile enforcing, AIUI. And this is for Bionic, which was released over four years ago, with only one person reporting themselves as affected in that time. Is this really worth an SRU?
At a minimum, I'd like a proper explanation of user impact please, and then we can reconsider.

** Changed in: apparmor (Ubuntu Bionic)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1703821

Title:
  Dovecot and Apparmor complains at operation file_inherit

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Expired
Status in dovecot package in Ubuntu:
  Fix Released
Status in apparmor source package in Bionic:
  Incomplete
Status in dovecot source package in Bionic:
  Fix Released

Bug description:
  [Impact]

  Users report that while running dovecot there are some issues reported by AppArmor, specifically regarding "file_inherit" operations:

  Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
  Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"

  This is likely caused by an anonymous socket communication channel between dovecot and anvil. A fix in the dovecot AppArmor policy was already merged upstream in commit 1ce8cd21, which is being backported in this SRU. There was a change upstream that renamed the dovecot profile, so it was necessary to make a small change on the backport to reference the correct profile name.
  [Test Plan]

  Clone the qa-regression-testing repo:
  https://git.launchpad.net/qa-regression-testing

  Set up the machine according to the instructions in the README.multipurpose-vm, specifically the Email section.

  Run the dovecot tests from the qa-regression-testing repo:

  python3 ./script test-dovecot.py

  After running the tests, check dmesg for no DENIED messages:

  dmesg | grep DENIED

  [Where problems could occur]

  This update broadens the dovecot policy, so it won't cause any issues regarding a behavior that was previously allowed and is now denied. In addition, the dovecot policy is already in complain mode in bionic.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1703821/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
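The audit records quoted in the bug description and the "dmesg | grep DENIED" check from the test plan, as an added example (this is not code from the bug report, from Ubuntu or from the apparmor project): a Python triage script that parses kernel type=1400 AppArmor records, flags which complain-mode events (apparmor="ALLOWED" but with a non-empty denied_mask) would become hard denials once the profile is enforced, and derives the unix socket rule that would permit each profile/peer pairing. The first two sample lines are the ones from the bug; the third is constructed here to model the same event under enforce mode. The suggested rules use the apparmor.d(5) unix rule syntax and are inferred from the log alone; they are not the text of upstream commit 1ce8cd21.

```python
"""Triage AppArmor unix-socket audit records of the kind quoted in the bug.

Added example for this page; not code from the bug report, Ubuntu or the
apparmor project. Field names follow the kernel's type=1400 audit format.
"""
import re
from dataclasses import dataclass

# Sample input. Lines 1-2 are the two records quoted in the bug report;
# line 3 is CONSTRUCTED here to show the same event as it would look with
# the /usr/sbin/dovecot profile in enforce mode (apparmor="DENIED").
SAMPLE_LOG = """\
Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
Jul 12 13:31:20 myserver kernel: [ 3905.700001] audit: type=1400 audit(1499859080.000:365): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3780 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
"""

# key="quoted value" or key=bareword; "audit(...)" and timestamps do not match.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class AuditEvent:
    verdict: str          # "ALLOWED" (complain mode) or "DENIED" (enforce mode)
    operation: str
    profile: str
    family: str
    sock_type: str
    peer: str
    requested: frozenset  # permissions the process asked for
    denied: frozenset     # the subset no rule in the profile matched


def parse_audit_line(line):
    """Return an AuditEvent for an AppArmor audit record, else None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}
    return AuditEvent(
        verdict=fields["apparmor"],
        operation=fields.get("operation", ""),
        profile=fields.get("profile", ""),
        family=fields.get("family", ""),
        sock_type=fields.get("sock_type", ""),
        peer=fields.get("peer", ""),
        requested=frozenset(fields.get("requested_mask", "").split()),
        denied=frozenset(fields.get("denied_mask", "").split()),
    )


def would_be_denied(ev):
    """True if enforce mode would block this access.

    In complain mode the kernel logs apparmor="ALLOWED" but still fills
    denied_mask with the permissions no rule matched; that is the set that
    becomes a hard denial once the profile is switched to enforce.
    """
    return bool(ev.denied)


def suggest_unix_rule(ev):
    """Derive the AppArmor unix rule that would permit this peer pairing.

    Syntax per apparmor.d(5): unix (perms) type=<type> peer=(label=<profile>),
    Inferred from the log record only; not the text of the upstream fix.
    """
    if ev.family != "unix" or not ev.peer or not ev.denied:
        return None
    perms = ", ".join(sorted(ev.denied))
    return f"unix ({perms}) type={ev.sock_type} peer=(label={ev.peer}),"


def triage(log_text):
    """Map each profile to the (deduplicated) rules it is missing."""
    findings = {}
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None or not would_be_denied(ev):
            continue
        rule = suggest_unix_rule(ev)
        if rule and rule not in findings.setdefault(ev.profile, []):
            findings[ev.profile].append(rule)
    return findings


def count_hard_denials(log_text):
    """The 'dmesg | grep DENIED' check from the test plan, over parsed records."""
    events = (parse_audit_line(l) for l in log_text.splitlines())
    return sum(1 for ev in events if ev is not None and ev.verdict == "DENIED")


if __name__ == "__main__":
    for profile, rules in triage(SAMPLE_LOG).items():
        print(f"profile {profile} needs:")
        for rule in rules:
            print("  " + rule)
    print("hard denials (enforce mode):", count_hard_denials(SAMPLE_LOG))
```

Run it as-is to see the two missing rules, or pipe real `dmesg` output through `triage()`; the point of separating `would_be_denied()` from the ALLOWED/DENIED verdict is that complain-mode noise and enforce-mode breakage are the same rule gap, differing only in which mode the profile was loaded in.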