Bug 813855 - sec-policy/apparmor-profiles-3.0.1 uses the wrong path for dovecot and lacks rules for /usr/bin/doveadm
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-09-19 12:41 UTC by J.O. Aho
Modified: 2024-02-14 09:48 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---
Description J.O. Aho 2021-09-19 12:41:45 UTC
The dovecot profiles in sec-policy/apparmor-profiles-3.0.1 assume that there is a directory /usr/lib/dovecot with a number of binaries, but in Gentoo's dovecot ebuild all those files are placed in /usr/libexec/dovecot.

When you start dovecot you will encounter the following error in /var/log/audit.log:

Sep 15 05:11:02 server kernel: [ 1665.593023] audit: type=1400 audit(1631682662.261:278): apparmor="DENIED" operation="exec" profile="dovecot" name="/usr/bin/doveadm" pid=5288 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

as doveadm isn't configured in the dovecot profile. Adding it manually to the dovecot profile with ux, you then get issues with all the other execs that are assumed to be in /usr/lib/dovecot but are in /usr/libexec/dovecot, for example:

Sep 19 11:22:08 server kernel: [369518.485303] audit: type=1400 audit(1632050528.564:705): apparmor="DENIED" operation="exec" profile="dovecot" name="/usr/libexec/dovecot/managesieve" pid=8493 comm="doveconf" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Sep 19 11:22:08 server kernel: [369518.503613] audit: type=1400 audit(1632050528.584:706): apparmor="DENIED" operation="exec" profile="dovecot" name="/usr/libexec/dovecot/managesieve" pid=8497 comm="doveconf" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Modifying the profiles to use the path /usr/libexec/dovecot and giving doveadm exec permission (and restarting apparmor), things work as expected.

Reproducible: Always

Steps to Reproduce:
(assuming that apparmor is already built into the kernel and activated)
1. emerge sec-policy/apparmor-profiles net-mail/dovecot
2. /etc/init.d/apparmor start
3. /etc/init.d/dovecot start

Actual Results:
Sep 15 05:11:02 server kernel: [ 1665.593023] audit: type=1400 audit(1631682662.261:278): apparmor="DENIED" operation="exec" profile="dovecot" name="/usr/bin/doveadm" pid=5288 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Expected Results:
Expected that dovecot would start without faults.

Sure, you can add rules in the local/ files, but IMHO this shouldn't be done when you have a default install of an application.

My dovecot has the following USE flags:
bzip2 caps ipv6 lucene managesieve mysql pam rpc sieve solr zlib lua5-1

My apparmor-profiles do not have any USE flags set.
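Added example, not part of the bug report or of apparmor-profiles: a small Python triage script that parses the audit records quoted above and groups each profile's denied exec targets by directory, so a relocated install prefix such as /usr/libexec/dovecot shows up as a whole directory of denials rather than as one missing rule. The three sample lines are the ones quoted in this report; the function names and the grouping logic are this example's own.

```python
"""Triage helper: parse AppArmor DENIED records from an audit log and
group the blocked exec targets per profile and directory."""
import os
import re
from collections import defaultdict

# key="quoted value" or key=bare_value pairs of an audit type=1400 record
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The three DENIED lines quoted in the bug report (copied, not invented).
SAMPLE_LOG = """\
Sep 15 05:11:02 server kernel: [ 1665.593023] audit: type=1400 audit(1631682662.261:278): apparmor="DENIED" operation="exec" profile="dovecot" name="/usr/bin/doveadm" pid=5288 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Sep 19 11:22:08 server kernel: [369518.485303] audit: type=1400 audit(1632050528.564:705): apparmor="DENIED" operation="exec" profile="dovecot" name="/usr/libexec/dovecot/managesieve" pid=8493 comm="doveconf" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Sep 19 11:22:08 server kernel: [369518.503613] audit: type=1400 audit(1632050528.584:706): apparmor="DENIED" operation="exec" profile="dovecot" name="/usr/libexec/dovecot/managesieve" pid=8497 comm="doveconf" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

def parse_apparmor_line(line):
    """Return the apparmor key=value fields of one audit line as a dict,
    or None when the line carries no AppArmor record."""
    start = line.find('apparmor=')
    if start < 0:
        return None
    # findall yields '' for the alternative that did not match
    return {key: bare or quoted for key, quoted, bare in _KV.findall(line[start:])}

def denied_execs(log_text):
    """Count DENIED exec events per profile and target path."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec and rec.get('apparmor') == 'DENIED' and rec.get('operation') == 'exec':
            hits[rec['profile']][rec['name']] += 1
    return {profile: dict(paths) for profile, paths in hits.items()}

def denied_by_dir(log_text):
    """Bucket each profile's denied exec targets by directory: a whole
    directory of denials points at a relocated install prefix, a single
    path at one missing rule."""
    out = defaultdict(lambda: defaultdict(list))
    for profile, paths in denied_execs(log_text).items():
        for path in sorted(paths):
            out[profile][os.path.dirname(path)].append(os.path.basename(path))
    return {profile: dict(dirs) for profile, dirs in out.items()}

if __name__ == '__main__':
    for profile, dirs in denied_by_dir(SAMPLE_LOG).items():
        for directory, names in dirs.items():
            print(f'{profile}: {directory}/ -> {", ".join(names)}')
```

Run against the real /var/log/audit.log (or `dmesg` output) to get the same per-directory summary for every confined profile on the host.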
Comment 1 Peter Levine 2023-08-03 05:21:44 UTC
Upstream PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1080