• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Forwarded to devs Issues with AppArmor

B

B_P

Regular Pleskian
TITLE:
Issues with AppArmor
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk 17.5 Web Pro
Postfix+Dovecot
Ubuntu 16.04
PROBLEM DESCRIPTION:
When using a "normal" plesk setup with Postfix + Dovecot, AppArmor complains about some behavior of Dovecot.

Error messages in /var/log/syslog:

a) Login via IMAP / POP3:
Aug 20 12:59:35 srv kernel: [35761.155025] audit: type=1400 audit(1503226775.515:599): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/imap" pid=19812 comm="imap" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/imap-login"
Aug 20 12:59:35 srv kernel: [35761.155051] audit: type=1400 audit(1503226775.515:600): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/imap-login" pid=19812 comm="imap" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/imap"
Aug 20 12:59:35 srv kernel: [35761.220990] audit: type=1400 audit(1503226775.583:605): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/pop3" pid=19815 comm="pop3" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/pop3-login"
Aug 20 12:59:35 srv kernel: [35761.221012] audit: type=1400 audit(1503226775.583:606): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/pop3-login" pid=19815 comm="pop3" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/pop3"

b) Deleting files from the inbox:
Aug 20 12:46:30 srv kernel: [34975.986403] audit: type=1400 audit(1503225990.347:536): apparmor="ALLOWED" operation="link" profile="/usr/lib/dovecot/imap" name="/var/qmail/mailnames/domain.tld/user/Maildir/.Trash/tmp/1503225990.M282726P15860.srv.domain.tld" pid=15860 comm="imap" requested_mask="l" denied_mask="l" fsuid=30 ouid=30 target="/var/qmail/mailnames/domain.tld/user/Maildir/cur/1503225411.M418561P15574.srv.domain.tld,S=1401,W=1432:2,Sc"


c) Still unknown:
Aug 20 06:57:48 srv kernel: [14054.505556] audit: type=1400 audit(1503205068.868:303): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/auth" name="run/systemd/journal/dev-log" pid=8858 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0​
STEPS TO REPRODUCE:
For error messages in a): Use a remote e-mail client and connect / log in to the server via IMAP/POP3

and b): Obviously delete a file from the Inbox using IMAP.​
ACTUAL RESULT:
AppArmor complains about the activities as decribed above.​
EXPECTED RESULT:
AppArmor does not complain...​
ANY ADDITIONAL INFORMATION:
Potential steps to solve the issue:
Fix for a):
Potentially related to Bug #1512131 “Apparmor complains about multiple /run/dovecot fil...” : Bugs : apparmor package : Ubuntu

Add the line

network unix stream,

to the files /etc/apparmor.d/local/usr.lib.dovecot.{imap,imap-login,pop3,pop3-login}


Fix for b (delete mail):
change the lines in /etc/apparmor.d/local/user.lib.dovecot.{imap, pop3}
old:
/var/qmail/mailnames/** wrk,

new:
/var/qmail/mailnames/** rwkl,
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Help with sorting out
 
Old thread but the issues are still valid .Thanks @B_P for describing the fixes for a) and b). They worked for me.

c) occurs quite often in my setup. Always during processing emails that are being forwarded internally. I didn't find a solution yet. However, I don't have any knowledge about AppArmor (and don't want to have).
 
Is there any update on these issues? They even persist with Plesk 17.8.11!

Here's the messages I receive now:
Sep 13 23:46:34 srv kernel: [222467.860880] audit: type=1400 audit(1536875194.994:3058): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=21206 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 13 23:46:34 srv kernel: [222467.861047] audit: type=1400 audit(1536875194.994:3059): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=21206 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 13 23:46:34 srv kernel: [222467.861126] audit: type=1400 audit(1536875194.994:3060): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=21206 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 13 23:46:34 srv kernel: [222467.862982] audit: type=1400 audit(1536875194.994:3061): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=21206 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 13 23:46:35 srv kernel: [222467.867354] audit: type=1400 audit(1536875194.998:3062): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=21209 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
Sep 13 23:46:35 srv kernel: [222467.867364] audit: type=1400 audit(1536875194.998:3063): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=21209 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
Sep 13 23:59:05 srv kernel: [223218.645975] audit: type=1400 audit(1536875945.768:3349): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=21744 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
Sep 13 23:59:05 srv kernel: [223218.645986] audit: type=1400 audit(1536875945.768:3350): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=21744 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
Sep 13 23:59:05 srv kernel: [223218.656858] audit: type=1400 audit(1536875945.780:3351): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/etc/dhparams2048.pem" pid=21746 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Also, it now complains:
Sep 13 23:46:35 srv kernel: [222467.877660] audit: type=1400 audit(1536875195.010:3064): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/etc/dhparams2048.pem" pid=21211 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 13 23:46:36 srv kernel: [222468.943869] audit: type=1400 audit(1536875196.074:3065): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/plesk/passwd.db" pid=21214 comm="auth" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=112
Sep 14 00:37:20 srv dovecot: master: Fatal: execv(/usr/lib/dovecot/stats) failed: Permission denied
Sep 14 00:37:20 srv kernel: [225512.951318] audit: type=1400 audit(1536878240.046:3579): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap" name="/run/dovecot/stats-writer" pid=25693 comm="imap" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Sep 14 00:37:20 srv kernel: [225512.951353] audit: type=1400 audit(1536878240.046:3580): apparmor="ALLOWED" operation="file_perm" profile="/usr/lib/dovecot/imap" name="/run/dovecot/stats-writer" pid=25693 comm="imap" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 14 00:37:20 srv kernel: [225512.951359] audit: type=1400 audit(1536878240.046:3581): apparmor="ALLOWED" operation="file_perm" profile="/usr/lib/dovecot/imap" name="/run/dovecot/stats-writer" pid=25693 comm="imap" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 14 00:37:20 srv dovecot: stats: Fatal: master: service(stats): child 25694 returned error 84 (exec() failed)
Sep 14 00:45:25 srv kernel: [225998.704281] audit: type=1400 audit(1536878725.796:3599): apparmor="ALLOWED" operation="exec" info="profile transition not found" error=-13 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=25850 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/dovecot/stats"

This also partly relates to the issue reported here Issue - AppArmor Issues but never received a response!

It would be nice to receive a workaround rather than having to wait more than a few months for an appropriate Microupdate!​
 
Last edited:
B_P said:
Is there any update on these issues? They even persist with Plesk 17.8.11!
Click to expand...
Thank you for notification. Mentioned bugreport is still under developer's investigation. I have updated it with your case.
 
It is almost 2020 and the issues are still existing. Even with Ubuntu 18.04. and Plesk 18.0.21, the same errors are flooding my logs over and over again.

This is very frustrating after 2,5 years after the issue was reported first.
 
Any news about this ?

Code: 
Apr  5 00:33:34 astra4217 kernel: [245803.793775] audit: type=1400 audit(1680644014.676:3347): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/var/certificates/scfjjCEoT" pid=11821 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr  5 00:33:34 astra4217 kernel: [245803.794306] audit: type=1400 audit(1680644014.676:3348): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/var/certificates/scf4nhs9p" pid=11821 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr  5 00:33:34 astra4217 kernel: [245803.794356] audit: type=1400 audit(1680644014.676:3349): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/var/certificates/scf4nhs9p" pid=11821 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr  5 00:33:34 astra4217 kernel: [245803.794883] audit: type=1400 audit(1680644014.676:3350): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/var/certificates/scfn8fZXC" pid=11821 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
 
AppArmor is not a Plesk component. You are asking for a solution of an issue that is caused by a component that is neither delivered with Plesk, nor officially supported. According to Bug #1512131 “Apparmor complains about multiple /run/dovecot fil...” : Bugs : apparmor package : Ubuntu the behavior is a bug in Ubuntu and ought to not occur in their latest release as it is mentioned as "fixed" there.

One suggested fix for older Unbuntu is to add the line network unix stream to the files /etc/apparmor.d/local/usr.lib.dovecot.{imap,imap-login,pop3,pop3-login}, but I cannot predict whether this will fix the situation on your system.
 
You must log in or register to reply here.

Similar threads

M
Question kenrnel audit messages in syslog
Replies
2
Views
277
Kaspar@Plesk
Kaspar@Plesk
S
Question Fehler audit: type=1400 audit(1701591128.869:160162): apparmor="ALLOWED" operation="sendmsg" profile="php-fpm" name="/run/systemd/notify" pid=448788
Replies
1
Views
1K
Flachzange
F
K
Issue Apparmor denied named
Replies
5
Views
3K
LarsenD
L
E
Resolved /etc/named.conf: permission denied
Replies
1
Views
3K
Erwan
E
tkalfaoglu
Resolved How to stop all these audit messages?
Replies
1
Views
2K
tkalfaoglu
tkalfaoglu
Back
Top