
Forwarded to devs Issues with AppArmor

B_P
TITLE:
Issues with AppArmor
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk 17.5 Web Pro
Postfix+Dovecot
Ubuntu 16.04
PROBLEM DESCRIPTION:
When using a "normal" Plesk setup with Postfix + Dovecot, AppArmor complains about some behavior of Dovecot.

Error messages in /var/log/syslog:

a) Login via IMAP / POP3:
Aug 20 12:59:35 srv kernel: [35761.155025] audit: type=1400 audit(1503226775.515:599): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/imap" pid=19812 comm="imap" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/imap-login"
Aug 20 12:59:35 srv kernel: [35761.155051] audit: type=1400 audit(1503226775.515:600): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/imap-login" pid=19812 comm="imap" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/imap"
Aug 20 12:59:35 srv kernel: [35761.220990] audit: type=1400 audit(1503226775.583:605): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/pop3" pid=19815 comm="pop3" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/pop3-login"
Aug 20 12:59:35 srv kernel: [35761.221012] audit: type=1400 audit(1503226775.583:606): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/pop3-login" pid=19815 comm="pop3" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/pop3"

b) Deleting files from the inbox:
Aug 20 12:46:30 srv kernel: [34975.986403] audit: type=1400 audit(1503225990.347:536): apparmor="ALLOWED" operation="link" profile="/usr/lib/dovecot/imap" name="/var/qmail/mailnames/domain.tld/user/Maildir/.Trash/tmp/1503225990.M282726P15860.srv.domain.tld" pid=15860 comm="imap" requested_mask="l" denied_mask="l" fsuid=30 ouid=30 target="/var/qmail/mailnames/domain.tld/user/Maildir/cur/1503225411.M418561P15574.srv.domain.tld,S=1401,W=1432:2,Sc"


c) Still unknown:
Aug 20 06:57:48 srv kernel: [14054.505556] audit: type=1400 audit(1503205068.868:303): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/auth" name="run/systemd/journal/dev-log" pid=8858 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
STEPS TO REPRODUCE:
For error messages in a): Use a remote e-mail client and connect / log in to the server via IMAP/POP3

and b): Obviously delete a file from the Inbox using IMAP.
ACTUAL RESULT:
AppArmor complains about the activities as described above.
EXPECTED RESULT:
AppArmor does not complain...
ANY ADDITIONAL INFORMATION:
Potential steps to solve the issue:
Fix for a):
Potentially related to Bug #1512131 “Apparmor complains about multiple /run/dovecot fil...” : Bugs : apparmor package : Ubuntu

Add the line

network unix stream,

to the files /etc/apparmor.d/local/usr.lib.dovecot.{imap,imap-login,pop3,pop3-login}


Fix for b (delete mail):
Change the lines in /etc/apparmor.d/local/usr.lib.dovecot.{imap,pop3}
old:
/var/qmail/mailnames/** wrk,

new:
/var/qmail/mailnames/** rwkl,
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Help with sorting out
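
An added example, not part of the original post and not Plesk or Ubuntu tooling: a small Python summariser that collapses repeated AppArmor audit records like those above into one entry per profile, operation, resource and denied mask, and names the local override file where a rule for that profile would go. The sample lines are constructed from the records quoted in this thread, and the override path assumes the `/etc/apparmor.d/local/usr.lib.dovecot.*` naming used in the fixes above.

```python
import re
from collections import Counter

# Constructed sample: audit records modelled on the ones quoted in this thread,
# plus one non-AppArmor syslog line that must be ignored.
SAMPLE = """\
Aug 20 12:59:35 srv kernel: [35761.155025] audit: type=1400 audit(1503226775.515:599): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/imap" pid=19812 comm="imap" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/imap-login"
Aug 20 13:02:11 srv kernel: [35916.801100] audit: type=1400 audit(1503226931.161:612): apparmor="ALLOWED" operation="file_receive" profile="/usr/lib/dovecot/imap" pid=19901 comm="imap" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/imap-login"
Aug 20 12:46:30 srv kernel: [34975.986403] audit: type=1400 audit(1503225990.347:536): apparmor="ALLOWED" operation="link" profile="/usr/lib/dovecot/imap" name="/var/qmail/mailnames/domain.tld/user/Maildir/.Trash/tmp/msg1" pid=15860 comm="imap" requested_mask="l" denied_mask="l" fsuid=30 ouid=30 target="/var/qmail/mailnames/domain.tld/user/Maildir/cur/msg1"
Aug 20 06:57:48 srv kernel: [14054.505556] audit: type=1400 audit(1503205068.868:303): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/auth" name="run/systemd/journal/dev-log" pid=8858 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 14 00:37:20 srv dovecot: master: Fatal: execv(/usr/lib/dovecot/stats) failed: Permission denied
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def resource(rec):
    """File records carry name=; socket records carry family/sock_type/peer."""
    if "name" in rec:
        return rec["name"]
    return "{} {} peer={}".format(rec.get("family", "?"), rec.get("sock_type", "?"), rec.get("peer", "?"))

def summarise(lines):
    """Count records per (mode, profile, operation, resource, denied_mask)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["apparmor"], rec.get("profile", ""), rec.get("operation", ""), resource(rec), rec.get("denied_mask", ""))
        counts[key] += 1
    return counts

def local_override(profile):
    """Assumed naming: profile path with '/' replaced by '.', under local/."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")

if __name__ == "__main__":
    for (mode, profile, op, res, mask), n in summarise(SAMPLE.splitlines()).most_common():
        print(f"{n:3d}x {mode} {profile} {op} [{mask}] {res}")
        print("     override file:", local_override(profile))
```

`apparmor="ALLOWED"` is what a profile in complain mode logs, so the summary lists accesses the profile would refuse once enforced.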
 
Old thread but the issues are still valid. Thanks @B_P for describing the fixes for a) and b). They worked for me.

c) occurs quite often in my setup. Always during processing emails that are being forwarded internally. I didn't find a solution yet. However, I don't have any knowledge about AppArmor (and don't want to have).
 
Is there any update on these issues? They even persist with Plesk 17.8.11!

Here are the messages I receive now:
Sep 13 23:46:34 srv kernel: [222467.860880] audit: type=1400 audit(1536875194.994:3058): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=21206 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 13 23:46:34 srv kernel: [222467.861047] audit: type=1400 audit(1536875194.994:3059): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=21206 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 13 23:46:34 srv kernel: [222467.861126] audit: type=1400 audit(1536875194.994:3060): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=21206 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 13 23:46:34 srv kernel: [222467.862982] audit: type=1400 audit(1536875194.994:3061): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=21206 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 13 23:46:35 srv kernel: [222467.867354] audit: type=1400 audit(1536875194.998:3062): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=21209 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
Sep 13 23:46:35 srv kernel: [222467.867364] audit: type=1400 audit(1536875194.998:3063): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=21209 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
Sep 13 23:59:05 srv kernel: [223218.645975] audit: type=1400 audit(1536875945.768:3349): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=21744 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
Sep 13 23:59:05 srv kernel: [223218.645986] audit: type=1400 audit(1536875945.768:3350): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=21744 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
Sep 13 23:59:05 srv kernel: [223218.656858] audit: type=1400 audit(1536875945.780:3351): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/etc/dhparams2048.pem" pid=21746 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Also, it now complains:
Sep 13 23:46:35 srv kernel: [222467.877660] audit: type=1400 audit(1536875195.010:3064): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/etc/dhparams2048.pem" pid=21211 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 13 23:46:36 srv kernel: [222468.943869] audit: type=1400 audit(1536875196.074:3065): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/auth" name="/var/spool/postfix/plesk/passwd.db" pid=21214 comm="auth" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=112
Sep 14 00:37:20 srv dovecot: master: Fatal: execv(/usr/lib/dovecot/stats) failed: Permission denied
Sep 14 00:37:20 srv kernel: [225512.951318] audit: type=1400 audit(1536878240.046:3579): apparmor="ALLOWED" operation="connect" profile="/usr/lib/dovecot/imap" name="/run/dovecot/stats-writer" pid=25693 comm="imap" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Sep 14 00:37:20 srv kernel: [225512.951353] audit: type=1400 audit(1536878240.046:3580): apparmor="ALLOWED" operation="file_perm" profile="/usr/lib/dovecot/imap" name="/run/dovecot/stats-writer" pid=25693 comm="imap" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 14 00:37:20 srv kernel: [225512.951359] audit: type=1400 audit(1536878240.046:3581): apparmor="ALLOWED" operation="file_perm" profile="/usr/lib/dovecot/imap" name="/run/dovecot/stats-writer" pid=25693 comm="imap" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 14 00:37:20 srv dovecot: stats: Fatal: master: service(stats): child 25694 returned error 84 (exec() failed)
Sep 14 00:45:25 srv kernel: [225998.704281] audit: type=1400 audit(1536878725.796:3599): apparmor="ALLOWED" operation="exec" info="profile transition not found" error=-13 profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=25850 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/dovecot/stats"

This also partly relates to the issue reported here Issue - AppArmor Issues but never received a response!

It would be nice to receive a workaround rather than having to wait more than a few months for an appropriate Microupdate!
 
Is there any update on these issues? They even persist with Plesk 17.8.11!
Thank you for notification. Mentioned bugreport is still under developer's investigation. I have updated it with your case.
 
It is almost 2020 and the issues still exist. Even with Ubuntu 18.04 and Plesk 18.0.21, the same errors are flooding my logs over and over again.

This is very frustrating, 2.5 years after the issue was first reported.
 
Any news about this?

Code:
Apr  5 00:33:34 astra4217 kernel: [245803.793775] audit: type=1400 audit(1680644014.676:3347): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/var/certificates/scfjjCEoT" pid=11821 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr  5 00:33:34 astra4217 kernel: [245803.794306] audit: type=1400 audit(1680644014.676:3348): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/var/certificates/scf4nhs9p" pid=11821 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr  5 00:33:34 astra4217 kernel: [245803.794356] audit: type=1400 audit(1680644014.676:3349): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/var/certificates/scf4nhs9p" pid=11821 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr  5 00:33:34 astra4217 kernel: [245803.794883] audit: type=1400 audit(1680644014.676:3350): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/config" name="/opt/psa/var/certificates/scfn8fZXC" pid=11821 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
 
AppArmor is not a Plesk component. You are asking for a solution of an issue that is caused by a component that is neither delivered with Plesk, nor officially supported. According to Bug #1512131 “Apparmor complains about multiple /run/dovecot fil...” : Bugs : apparmor package : Ubuntu the behavior is a bug in Ubuntu and ought to not occur in their latest release as it is mentioned as "fixed" there.

One suggested fix for older Ubuntu is to add the line network unix stream to the files /etc/apparmor.d/local/usr.lib.dovecot.{imap,imap-login,pop3,pop3-login}, but I cannot predict whether this will fix the situation on your system.
 