OK, rejecting from Bionic then and setting Won't Fix. This can be
reconsidered if something new comes up.
** Changed in: apparmor (Ubuntu Bionic)
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1703821
Title:
Dovecot and Apparmor complains at operation file_inherit
Status in AppArmor:
Fix Released
Status in apparmor package in Ubuntu:
Fix Released
Status in dovecot package in Ubuntu:
Fix Released
Status in apparmor source package in Bionic:
Won't Fix
Status in dovecot source package in Bionic:
Fix Released
Bug description:
[Impact]
Users report that while running dovecot there are some issues reported
by AppArmor, specifically regarding "file_inherit" operations:
Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400
audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit"
profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix"
sock_type="stream" protocol=0 requested_mask="send receive"
denied_mask="send receive" addr=none peer_addr=none
peer="/usr/sbin/dovecot"
Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400
audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit"
profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix"
sock_type="stream" protocol=0 requested_mask="send receive"
denied_mask="send receive" addr=none peer_addr=none
peer="/usr/lib/dovecot/anvil"
This is likely caused by an anonymous socket communication channel
between dovecot and anvil.
A fix in the dovecot AppArmor policy was already merged upstream
in commit 1ce8cd21, which is being backported in this SRU.
There was a change upstream that renamed the dovecot profile, so it was
necessary to make a small change on the backport to reference the
correct profile name.
[Test Plan]
Clone the qa-regression-testing repo
https://git.launchpad.net/qa-regression-testing
Set up the machine according to the instructions in README.multipurpose-vm,
specifically the Email section.
Run the dovecot tests from the qa-regression-testing repo:
python3 ./script test-dovecot.py
After running the tests, check dmesg for no DENIED messages:
dmesg | grep DENIED
[Where problems could occur]
This update broadens the dovecot policy, so it won't cause any
issues regarding a behavior that was previously allowed and is now
denied.
In addition, the dovecot policy is already in complain mode in
bionic.
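Added example, not part of the bug report or of the qa-regression-testing repo: the description says the dovecot policy is in complain mode on bionic, and the excerpt above shows such records logged with apparmor="ALLOWED", so this Python code counts both ALLOWED and DENIED AppArmor records for dovecot profiles. The function names and the "dovecot" substring filter are assumptions; the sample input is the two records from the description, unwrapped to one line each.

```python
import re
from collections import Counter

# The two records quoted in the bug description, unwrapped to one line each.
SAMPLE = '''\
Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
'''

# key=value or key="value with spaces", as in kernel audit records.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(log_text):
    """Return one dict of fields per AppArmor audit record in log_text."""
    events = []
    for line in log_text.splitlines():
        start = line.find('apparmor="')
        if start == -1:
            continue  # not an AppArmor record
        events.append({k: q or u for k, q, u in FIELD.findall(line[start:])})
    return events


def policy_gaps(events, needle="dovecot"):
    """Count accesses the policy does not cover, for profiles containing needle.

    Enforce-mode profiles log such an access as DENIED; complain-mode
    profiles let it through and log it as ALLOWED, so both are counted.
    """
    gaps = Counter()
    for e in events:
        if e.get("apparmor") in ("ALLOWED", "DENIED") and needle in e.get("profile", ""):
            key = (e["apparmor"], e.get("operation", "-"), e["profile"], e.get("peer", "-"))
            gaps[key] += 1
    return gaps


if __name__ == "__main__":
    for key, count in sorted(policy_gaps(parse_events(SAMPLE)).items()):
        print(count, *key)
```

Feeding it the output of dmesg after the test run gives the same check as the grep step, extended to complain-mode records.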