
Bug 920295

Summary: sec-policy/apparmor-profiles incompatible with dovecot service, upstream fix available
Product: Gentoo Linux
Reporter: Mark <mark.morschhaeuser>
Component: Current packages
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: UNCONFIRMED
Severity: major
CC: hardened
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Mark 2023-12-19 00:32:51 UTC
The apparmor-profiles for dovecot contain policies for files in /usr/lib, but dovecot installs a couple of them to /usr/libexec instead.
This means dovecot breaks with apparmor.

Reproducible: Always

Steps to Reproduce:
1. Install and activate apparmor
2. Try to run dovecot
3. systemctl status dovecot and syslog show permission errors
Actual Results:
Service does not work due to denied permission because of wrong paths.

Expected Results:  
The apparmor configuration should match the dovecot installation or vice versa.

There is an upstream fix from 4 months ago that did not make it into Gentoo yet: https://gitlab.com/apparmor/apparmor/-/commit/37ffc6eac80e174cb3f7613d9931e9ea38643f6e
It basically sets the path to /usr/lib*/ to match both possible paths because distros use them both.
This commit is included in apparmor-profiles tagged v4.0.0-alpha2 and newer, which is not available on Gentoo.

The Gentoo fork of apparmor's git master branch can be installed via the 9999-ebuild with -vanilla flag but it has not merged this upstream commit, so it breaks too.
Installing the 9999 build with vanilla flag installs the real upstream master branch but that one fails to be parsed by apparmor on Gentoo.

Cherry-picking that commit from above fixes the issue: I downloaded the patch from gitlab and applied it with git apply -p2 dovecot.patch, restarted apparmor and dovecot and now dovecot runs.
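The mismatch described above (profile rules written for /usr/lib while the package installs to /usr/libexec) is exactly the kind of thing worth checking before a profile is put into enforce mode. The following is an added example, not code from this bug or from the apparmor-profiles project: it translates a subset of AppArmor path globs (`*`, `**`, `?`, `[...]`, `{a,b}`) into regular expressions and reports which installed files no rule in a profile covers. The profile fragments and installed-path lists are constructed here for illustration and assume only the rule shapes the reporter describes (a hard-coded `/usr/lib/` prefix before the upstream fix, `/usr/lib*/` after it).

```python
import re

# Constructed sample profile fragments (not the real apparmor-profiles files):
# the pre-fix shape with /usr/lib hard-coded, and the shape after the upstream
# change the reporter cherry-picked, which widens the prefix to /usr/lib*/.
PROFILE_BEFORE = """\
/usr/lib/dovecot/imap {
  /usr/lib/dovecot/imap mr,
  /usr/lib/dovecot/** mr,
  owner /home/*/.maildir/** rwlk,
}
"""
PROFILE_AFTER = PROFILE_BEFORE.replace("/usr/lib/", "/usr/lib*/")

# Constructed: a /usr/libexec-based dovecot install next to a /usr/lib-based one.
INSTALLED_LIBEXEC = ["/usr/libexec/dovecot/imap", "/usr/libexec/dovecot/imap-login"]
INSTALLED_LIB = ["/usr/lib/dovecot/imap", "/usr/lib/dovecot/imap-login"]

# A plain file rule: optional "owner" prefix, an absolute path glob, a
# permission string and the trailing comma. Profile heads ("/path {") and
# abstractions/includes are deliberately not matched.
RULE_RE = re.compile(r"^\s*(?:owner\s+)?(/\S+)\s+([rwamlkixpuPUCc]+)\s*,\s*$")


def _glob_body(pattern: str) -> str:
    """Translate an AppArmor path glob into an unanchored regex body."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")            # ** crosses directory boundaries
            i += 2
        elif c == "*":
            out.append("[^/]*")         # * stays within one path component
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = pattern.index("]", i)   # ValueError on an unterminated class
            out.append(pattern[i:j + 1])
            i = j + 1
        elif c == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(_glob_body(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def apparmor_glob_to_regex(pattern: str) -> re.Pattern:
    """Anchored regex for an AppArmor path glob (subset of the real syntax)."""
    return re.compile("^" + _glob_body(pattern) + "$")


def parse_file_rules(profile_text: str):
    """Return [(glob, perms)] for the plain file rules in a profile body."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def uncovered_paths(profile_text: str, installed_paths, needed: str = "r"):
    """Installed paths for which no rule grants every permission in `needed`."""
    compiled = [(apparmor_glob_to_regex(g), set(p)) for g, p in parse_file_rules(profile_text)]
    want = set(needed)
    return [
        path for path in installed_paths
        if not any(rx.match(path) and want <= perms for rx, perms in compiled)
    ]


if __name__ == "__main__":
    for label, profile in (("before fix", PROFILE_BEFORE), ("after fix", PROFILE_AFTER)):
        for layout, paths in (("/usr/libexec", INSTALLED_LIBEXEC), ("/usr/lib", INSTALLED_LIB)):
            missing = uncovered_paths(profile, paths, "mr")
            print(f"{label:10} {layout:13} uncovered: {missing or 'none'}")
```

Run against a real system, the installed-path list would come from the package manager (on Gentoo, the files recorded for the dovecot package) and the profile text from the files under `/etc/apparmor.d/`; the point of the check is that the pre-fix rules cover the `/usr/lib` layout only, while `/usr/lib*/` covers `/usr/lib`, `/usr/lib64` and `/usr/libexec` alike.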
Comment 1 Mark 2023-12-19 00:55:11 UTC
Ah, and while at it, we should add the following, otherwise dovecot cannot access maildirs properly:

--- a/apparmor.d/local/usr.lib.dovecot.auth
+++ b/apparmor.d/local/usr.lib.dovecot.auth
@@ -1 +1,3 @@
 # Site-specific additions and overrides for 'usr.lib.dovecot.auth'
+/run/faillock/ rw,
+/run/faillock/* rw,
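Review bot: the first file's hunk is missing the `diff --git a/apparmor.d/local/usr.lib.dovecot.auth b/apparmor.d/local/usr.lib.dovecot.auth` and `index` lines that the second file carries, so as pasted the two pieces do not form one consistent patch; add the header so the whole thing applies in a single `git apply` run. Also, nothing in the hunk says why the auth helper needs `rw` on `/run/faillock/` and `/run/faillock/*`; a one-line comment below the existing `# Site-specific additions and overrides` header naming the PAM setup that owns that directory would let a maintainer decide whether the rule belongs in this local override or in the shipped profile.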
diff --git a/apparmor.d/local/usr.lib.dovecot.imap b/apparmor.d/local/usr.lib.dovecot.imap
index 24ca5e9..edb24ea 100644
--- a/apparmor.d/local/usr.lib.dovecot.imap
+++ b/apparmor.d/local/usr.lib.dovecot.imap
@@ -1 +1,4 @@
 # Site-specific additions and overrides for 'usr.lib.dovecot.imap'
+
+/home/*/.maildir/ rw,
+/home/*/.maildir/** rwlk,
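Review bot: `/home/*/.maildir/` hard-codes both the home-directory root and the maildir folder name, so the rule silently stops matching on systems whose home directories live outside `/home`; in a site-specific local override that is acceptable, but `@{HOME}/.maildir/ rw,` and `@{HOME}/.maildir/** rwlk,` would follow the convention of the shipped profiles and survive a different layout. Consider the `owner` prefix as well, so an imap process running as one mail user is not granted read and write access to every other user's maildir. The added blank `+` line after the comment is also inconsistent with the first hunk, which adds none.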