[pkg-apparmor] Bug#835826: Bug#835826: Bug#835826: apparmor-profiles: usr.lib.dovecot.imap issue?
Félix Sipma
felix+debian at gueux.org
Fri Sep 2 11:20:01 UTC 2016
Thanks to sarnold on #apparmor, I succeeded in having a usable
configuration.
Here are the files (in /etc/apparmor.d/local/) I had to modify (see
attachments).
Thanks again!
On 2016-08-29 10:39-0700, Seth Arnold wrote:
> On Mon, Aug 29, 2016 at 09:01:08AM +0200, Félix Sipma wrote:
>> The logs are quite large... Here are the lines (only from the last minute)
>> without any "//null-*" in the profile name:
>>
>> Aug 29 08:50:02 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
>> Aug 29 08:50:07 laptop audit[27369]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27369 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>> Aug 29 08:50:07 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
>
> I suspect this computer is performing pretty poorly at this point, it
> looks like a few thousand AppArmor issues being ALLOWED each second.
>
> A full repair is probably more than a bugmail should encourage; if you've
> got time to head to #apparmor on irc.oftc.net we'd be happy to walk you
> through fixing this up.
>
> A quick first step would add:
>
> /etc/ld.so.preload r,
>
> to the:
>
> /etc/apparmor.d/abstractions/base
>
> file. (This change was recently made upstream: see
> http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3497
> for the patch.)
>
> Then reload at least your dovecot imap profile, probably something like:
>
> apparmor_parser --reload /etc/apparmor.d/usr.lib.dovecot.imap
>
> Thanks
-------------- next part --------------
# Site-specific additions and overrides for usr.lib.dovecot.config.
# For more details, please see /etc/apparmor.d/local/README.
/usr/share/dovecot/** r,
-------------- next part --------------
# Site-specific additions and overrides for usr.lib.dovecot.imap.
# For more details, please see /etc/apparmor.d/local/README.
/usr/bin/doveconf rix,
/usr/lib/dovecot/imap rix,
/usr/share/dovecot/** r,
/etc/dovecot/dovecot.conf r,
/etc/dovecot/conf.d/** r,
/etc/dovecot/conf.d/ r,
-------------- next part --------------
# Site-specific additions and overrides for usr.lib.dovecot.auth.
# For more details, please see /etc/apparmor.d/local/README.
/run/dovecot/stats-user rw,
-------------- next part --------------
# Site-specific additions and overrides for usr.lib.dovecot.lmtp.
# For more details, please see /etc/apparmor.d/local/README.
@{HOME}/.dovecot.svbin r,
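An added example, not part of the thread and not code from the AppArmor project: a small Python sketch of how complain-mode audit lines like the one quoted above can be reduced to de-duplicated candidate rules for the /etc/apparmor.d/local/ files, in the way aa-logprof does interactively. The sample log lines, the function names and the mask-to-permission mapping are assumptions made for this illustration; exec ("x") events are skipped because they need a manual choice of transition mode.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread (not real log data).
_AVC = 'Aug 29 08:50:07 laptop audit[27369]: AVC apparmor="ALLOWED" operation="open" '
SAMPLE_LOG = "\n".join([
    "Aug 29 08:50:02 laptop kernel: audit_printk_skb: 1218 callbacks suppressed",
    _AVC + 'profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" requested_mask="r" denied_mask="r"',
    _AVC + 'profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" requested_mask="r" denied_mask="r"',
    _AVC + 'profile="/usr/lib/dovecot/imap//null-1" name="/etc/passwd" requested_mask="r" denied_mask="r"',
    _AVC + 'profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" requested_mask="r" denied_mask="r"',
    _AVC + 'profile="/usr/lib/dovecot/auth" name="/run/dovecot/stats-user" requested_mask="wc" denied_mask="wc"',
])

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed mapping: create/delete in the log are covered by "w" in a profile rule.
LOG_TO_RULE = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "a", "k": "k", "l": "l", "m": "m"}

def parse_event(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def suggest_rules(log_text):
    """Map profile name -> sorted list of candidate file rules."""
    perms = defaultdict(set)  # (profile, path) -> rule permission letters
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        profile, name = ev.get("profile", ""), ev.get("name")
        # "//null-*" entries come from unconfined-by-rule exec transitions;
        # they need an exec rule in the parent profile, not a file rule here.
        if "//null-" in profile or not name:
            continue
        for letter in ev.get("denied_mask", ""):
            if letter in LOG_TO_RULE:
                perms[(profile, name)].add(LOG_TO_RULE[letter])
    rules = defaultdict(list)
    for (profile, name), letters in sorted(perms.items()):
        if "w" in letters:
            letters.discard("a")  # a rule may not carry both append and write
        rules[profile].append(f"{name} {''.join(sorted(letters))},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# {profile}")
        print("\n".join(lines))
```

Each suggested line still needs review before it goes into a local/ file; a path logged under a broken profile is not automatically one the service should be allowed to touch.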