<html>
<head>
</head>
<body class='hmmessage'><div dir='ltr'>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style>
<div dir="ltr"><font face="Arial,sans-serif" color="#000000"><div><span style="font-size: 12pt;">Hi,</span></div><div><span style="font-size: 12pt;"><br></span></div><div><span style="font-size: 12pt;">The grep for DEN produced nothing. </span></div><div><br></div><div>To get dovecot running I have to strip out all of the profiles relating to it from apparmor.d and reboot then dovecot runs. After restoring the profiles and restarting <span style="font-size: 12pt;"> /var/log/syslog has the following relating to this:</span></div><div><br></div><div><div><span style="font-size: 12pt;">Nov 6 20:54:35 sapient dovecot[10214]: Starting IMAP/POP3 mail server: dovecot.</span></div><div>Nov 6 20:54:35 sapient dovecot: master: Dovecot v2.2.13 starting up for imap (core dumps disabled)</div><div>Nov 6 20:54:35 sapient dovecot: master: Fatal: execv(/usr/lib/dovecot/log) failed: No such file or directory</div><div>Nov 6 20:54:35 sapient dovecot: master: Error: service(anvil): command startup failed, throttling for 2 secs</div><div>Nov 6 20:54:35 sapient dovecot: master: Error: service(log): child 10221 returned error 84 (exec() failed)</div><div>Nov 6 20:54:35 sapient dovecot: master: Error: service(log): command startup failed, throttling for 2 secs</div><div>Nov 6 20:54:35 sapient dovecot: master: Error: service(ssl-params): command startup failed, throttling for 2 secs</div><div>Nov 6 20:54:35 sapient kernel: [42231.270063] audit_printk_skb: 126 callbacks suppressed</div><div>Nov 6 20:54:35 sapient kernel: [42231.270065] audit: type=1400 audit(1415307275.701:98): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/anvil" pid=10220 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0</div><div>Nov 6 20:54:35 sapient kernel: [42231.270125] audit: type=1400 audit(1415307275.701:99): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/log" pid=10221 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0</div><div>Nov 6 20:54:35 sapient kernel: [42231.270179] audit: type=1400 audit(1415307275.701:100): apparmor="ALLOWED" operation="exec" info="profile not found" error=-2 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/ssl-params" pid=10222 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0</div></div><div><br></div></font><div>A ps -ef | dovecot with profiles in place produces this:</div><div><br></div><div><div>root 10219 1 0 20:54 ? 00:00:00 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf</div></div><div><br></div><div>The same without the profiles produces:</div><div><br></div><div><div>root 1799 1 0 21:04 ? 00:00:00 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf</div><div>dovecot 1800 1799 0 21:04 ? 00:00:00 dovecot/anvil</div><div>root 1801 1799 0 21:04 ? 00:00:00 dovecot/log</div><div>root 1803 1799 0 21:04 ? 00:00:00 dovecot/config</div></div><div><br></div><div>Should dovecot/anvil and dovecot/log also have profiles? <br><br>The (system installed) apparmor profile for dovecot is:</div><div><br></div><div><div># ------------------------------------------------------------------</div><div>#</div><div># Copyright (C) 2009-2013 Canonical Ltd.</div><div># Copyright (C) 2011-2013 Christian Boltz</div><div>#</div><div># This program is free software; you can redistribute it and/or</div><div># modify it under the terms of version 2 of the GNU General Public</div><div># License published by the Free Software Foundation.</div><div>#</div><div># ------------------------------------------------------------------</div><div># vim: ft=apparmor</div><div><br></div><div>#include <tunables/global></div><div><br></div><div>/usr/sbin/dovecot flags=(complain) {</div><div> #include <abstractions/authentication></div><div> #include <abstractions/base></div><div> #include <abstractions/mysql></div><div> #include <abstractions/nameservice></div><div> #include <abstractions/ssl_certs></div><div> #include <abstractions/ssl_keys></div><div><br></div><div> capability chown,</div><div> capability dac_override,</div><div> capability fsetid,</div><div> capability kill,</div><div> capability net_bind_service,</div><div> capability setgid,</div><div> capability setuid,</div><div> capability sys_chroot,</div><div><br></div><div> /etc/dovecot/** r,</div><div> /etc/mtab r,</div><div> /etc/lsb-release r,</div><div> /etc/SuSE-release r,</div><div> @{PROC}/@{pid}/mounts r,</div><div> @{PROC}/filesystems r,</div><div> /usr/bin/doveconf rix,</div><div> /usr/lib/dovecot/anvil Px,</div><div> /usr/lib/dovecot/auth Px,</div><div> /usr/lib/dovecot/config Px,</div><div> /usr/lib/dovecot/dict Px,</div><div> /usr/lib/dovecot/dovecot-auth Pxmr,</div><div> /usr/lib/dovecot/imap Pxmr,</div><div> /usr/lib/dovecot/imap-login Pxmr,</div><div> /usr/lib/dovecot/lmtp Px,</div><div> /usr/lib/dovecot/log Px,</div><div> /usr/lib/dovecot/managesieve Px,</div><div> /usr/lib/dovecot/managesieve-login Pxmr,</div><div> /usr/lib/dovecot/pop3 Px,</div><div> /usr/lib/dovecot/pop3-login Pxmr,</div><div> /usr/lib/dovecot/ssl-build-param rix,</div><div> /usr/lib/dovecot/ssl-params Px,</div><div> /usr/sbin/dovecot mrix,</div><div> /usr/share/dovecot/protocols.d/ r,</div><div> /usr/share/dovecot/protocols.d/** r,</div><div> /var/lib/dovecot/ w,</div><div> /var/lib/dovecot/* rwkl,</div><div> /var/spool/postfix/private/auth w,</div><div> /var/spool/postfix/private/dovecot-lmtp w,</div><div> /{,var/}run/dovecot/ rw,</div><div> /{,var/}run/dovecot/** rw,</div><div> link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,</div><div><br></div><div> # Site-specific additions and overrides. See local/README for details.</div><div> #include <local/usr.sbin.dovecot></div><div>}</div></div><div><br></div><div>Im a developer myself so happy to help with as much info as required.</div><div><br></div></div>
</div></body>
</html>