How to adjust Apparmor for /usr/lib/dovecot/dovecot-lda

I am new to AppArmor and trying to work out how to configure it for the dovecot-lda. I need to do this as I am using filtering and vacation responses in Dovecot and AppArmor is blocking it in two ways:

  1. It blocks access to /home/*/.dovecot.lda-dupes, .dovecot.lda-dupes.lock, .dovecot.sieve.log and .dovecot.svbin* with permission denied.

  2. It blocks /usr/sbin/postdrop from executing again with permission denied.

Disabling apparmor completely fixes it but I now feel I want to keep apparmor active.

Re-enabling AppArmor and moving /usr/lib/dovecot/dovecot-lda from ‘enforce’ to ‘complain’ did not prevent the failures.

I also found a suggestion on the web that the following should be put into /etc/apparmor.d/local/usr.lib.dovecot.lmtp:

#include <abstractions/postfix-common>

/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,

owner /home/*/.dovecot.lda-dupes rw,
owner /home/*/.dovecot.lda-dupes.lock rw,
owner /home/*/.dovecot.sieve.log rw,
owner /home/*/.dovecot.svbin* rw,
owner /var/spool/postfix/maildrop/* rw,


This also did not help and the errors continued (note: I had to comment out the “/usr/sbin/sendmail mrix” line as this caused apparmor to error out).

Going through the audit logs in YaST, apparmor has seen the accesses to the home directory but has not seen the sendmail/postdrop access blocks.

I have not used YaST to update the profile until I know what I am doing and have simply now disabled dovecot-lda via aa-disable and for the time being all is working well.

My question is: how should I be going about fixing this correctly? Should I be using YaST (even though it’s not picking up all the problems), or should I be editing either the profile or the local profile?

Thanks for any help or pointers on this.

There is comprehensive documentation: Confining privileges with AppArmor | Security and Hardening Guide | openSUSE Leap 15.5

Is this the full content of this file? It is not going to work, as the profile name is missing.

It was in the ./local/ folder so I assumed it is included and pulled in via the following line in /etc/apparmor.d/usr.lib.dovecot.lmtp:

  #include <local/usr.lib.dovecot.dovecot-lda>

as this is within the main body of the file I assumed it was OK.

My local file contains:

/usr/sbin/sendmail mrix,

and the main file has:

  /usr/{bin,sbin}/sendmail Cx -> sendmail,

followed by a profile called “sendmail” later in the file but that definition does not work for what I want. Is there a syntax to essentially undefine this line so I can use my own definition from my local file?

This line says to include file /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda. What made you assume it would include file /etc/apparmor.d/local/usr.lib.dovecot.lmtp instead?

My local file contains

Which local file?

/usr/sbin/sendmail mrix,

and the main file has:

  /usr/{bin,sbin}/sendmail Cx -> sendmail,

followed by a profile called “sendmail” later in the file but that definition does not work for what I want.

Why do you expect this profile to be used? So far you never mentioned what binary you are using.

Is there a syntax to essentially undefine this line so I can use my own definition from my local file?

I have no idea how dovecot works, what programs it invokes and how they are called. If you tell us what program needs to be allowed what action (open file, invoke other program, etc.) there are better chances someone may help. Otherwise you will really need to wait for a dovecot expert to visit this forum.

My cut/paste error. I am indeed using /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda and not /etc/apparmor.d/local/usr.lib.dovecot.lmtp. So the files do match up. I refer to this as my local file as I believe this is where local changes should be made.

I am not trying to create a profile from scratch but to extend an existing one that is not allowing dovecot to forward emails. Hence the use of /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda.

dovecot invokes sendmail and sendmail in turn invokes maildrop. Hence the code I found on the net:

#include <abstractions/postfix-common>

/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,

looked sensible and so I added it to /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda

When I run:

systemctl reload apparmor

I get the error and line from “journalctl -xe”:

Job for apparmor.service failed.
See "systemctl status apparmor.service" and "journalctl -xe" for details.

profile dovecot-dovecot-lda: has merged rule /usr/{bin,sbin}/sendmail with conflicting x mo......

Looking in /etc/apparmor.d/usr.lib.dovecot.dovecot-lda I see a sub-profile for sendmail:

  /usr/{bin,sbin}/sendmail Cx -> sendmail,

Followed by a profile definition of sendmail within the main dovecot-dovecot-lda profile.

I want to essentially replace this by using /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda as the source of my code to modify the stock profile provided by /etc/apparmor.d/usr.lib.dovecot.dovecot-lda.

The structure of the file /etc/apparmor.d/usr.lib.dovecot.dovecot-lda is:

profile dovecot-dovecot-lda /usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
 ....
 /usr/{bin,sbin}/sendmail Cx -> sendmail,
 ....
  include if exists <local/usr.lib.dovecot.dovecot-lda>

  profile sendmail /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
    ....
    ....
  }
}
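The “conflicting x modifiers” error above comes from two rules that, after brace expansion, give the same sendmail path two different exec transitions (Cx in the stock profile, ix from the local mrix rule). The following checker is an added example, not code from the thread or from AppArmor; the two rule excerpts are constructed to mirror the lines quoted in this post.

```python
import re

# Constructed excerpts modelled on the thread: the stock rule plus the local
# override that produced "has merged rule ... with conflicting x modifiers".
STOCK_RULES = """\
  include <abstractions/base>
  /usr/{bin,sbin}/sendmail Cx -> sendmail,
  owner /home/*/.dovecot.svbin* rw,
"""
LOCAL_RULES = """\
# Site-specific additions and overrides for 'usr.lib.dovecot.dovecot-lda'
include <abstractions/postfix-common>
/usr/{bin,sbin}/postdrop mrix,
/usr/sbin/sendmail mrix,
"""

# path, permission letters, optional "-> target", trailing comma (include/comment lines never match)
RULE = re.compile(r"^\s*(?:owner\s+)?(/\S+)\s+([A-Za-z]+)(?:\s*->\s*\S+)?\s*,")
BRACE = re.compile(r"\{([^{}]*)\}")

def expand_braces(path):
    """Expand AppArmor alternations: /usr/{bin,sbin}/x -> ['/usr/bin/x', '/usr/sbin/x']."""
    m = BRACE.search(path)
    if not m:
        return [path]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(path[:m.start()] + alt + path[m.end():])]

def exec_mode(perms):
    """Keep only the execute-transition letters (ix, Px, Cx, Ux ...) of a permission string."""
    return "".join(ch for ch in perms if ch.lower() in "xuipc")

def exec_conflicts(*rule_texts):
    """Return (path, first_mode, second_mode) for each literal path given two different x modes."""
    seen, conflicts = {}, []
    for text in rule_texts:
        for line in text.splitlines():
            m = RULE.match(line)
            if not m or "x" not in m.group(2).lower():
                continue  # not a rule, or a rule without execute permission
            mode = exec_mode(m.group(2))
            for path in expand_braces(m.group(1)):
                if path in seen and seen[path] != mode:
                    conflicts.append((path, seen[path], mode))
                seen.setdefault(path, mode)
    return conflicts

if __name__ == "__main__":
    for path, first, second in exec_conflicts(STOCK_RULES, LOCAL_RULES):
        print(f"{path}: '{first}' vs '{second}' -> apparmor_parser will refuse to load the profile")
```

Run it against the real stock profile and your local file before `systemctl reload apparmor` to find the clash without waiting for the service to fail.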

I now have this working correctly. It seems that there is an error in /etc/apparmor.d/usr.lib.dovecot.dovecot-lda if you want to use either “sieve” filtering or mailing out (vacation notice or mail redirection out of the server) from a sieve filter.

I know too little about apparmor to know why it fails but I have found that I have to comment out:

/usr/{bin,sbin}/sendmail Cx -> sendmail,

in /etc/apparmor.d/usr.lib.dovecot.dovecot-lda.

Then I have to have:

# Site-specific additions and overrides for 'usr.lib.dovecot.dovecot-lda'

include <abstractions/postfix-common>
/usr/{bin,sbin}/postdrop mrix,
/usr/{bin,sbin}/sendmail mrix,

owner /home/*/.dovecot.lda-dupes rw,
owner /home/*/.dovecot.lda-dupes.lock rw,
owner /home/*/.dovecot.sieve.log rw,
owner /home/*/.dovecot.svbin* rw,
owner /var/spool/postfix/maildrop/* rw,

in /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda.

This was tested on Tumbleweed and I also notice that Tumbleweed and Leap 15.2 have different syntax for the include directive: Leap uses “#include” but Tumbleweed uses just “include”.

Are you sure it is the syntax and that it isn’t simply commented out (because of not needed in the default situation)?

Picking an apparmor file that I have not touched on either system - /etc/apparmor.d/usr.lib.dovecot.auth

Leap 15.2 has:

# ------------------------------------------------------------------
#
#    Copyright (C) 2013-2018 Christian Boltz
#    Copyright (C) 2014 Christian Wittmer
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor


#include <tunables/global>


/usr/lib/dovecot/auth {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/wutmp>
  #include <abstractions/dovecot-common>

Tumbleweed has:

# ------------------------------------------------------------------
#
#    Copyright (C) 2013-2020 Christian Boltz
#    Copyright (C) 2014 Christian Wittmer
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor


abi <abi/3.0>,


include <tunables/global>


profile dovecot-auth /usr/lib/dovecot/auth {
  include <abstractions/authentication>
  include <abstractions/base>
  include <abstractions/mysql>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/wutmp>
  include <abstractions/dovecot-common>

Can’t imagine why so much would have been commented out in Leap.

I do not know why, but the # is certainly making it comment.

Both “include” and “#include” are valid.

It would be an error if it contained a reference to sieve filtering that did not work. Currently it is a missing feature. Care to open a bug report on openSUSE bugzilla to make developers aware of it?

I have to comment out:

/usr/{bin,sbin}/sendmail Cx -> sendmail,

in /etc/apparmor.d/usr.lib.dovecot.dovecot-lda.

This effectively breaks sendmail. And dovecot LDA may need to use sendmail to send (non-)delivery notifications, at least by default.

And of course this change will be lost next time apparmor is updated.

Then I have to have:

# Site-specific additions and overrides for 'usr.lib.dovecot.dovecot-lda'

include <abstractions/postfix-common>
/usr/{bin,sbin}/postdrop mrix,
/usr/{bin,sbin}/sendmail mrix,

in /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda.

How is sendmail related to sieve filtering? Why do you need it? What does this line do? Have you seen any complaints about sendmail in apparmor logs?

That is very strange, because I see there a lot of lines starting with # that are obvious comments. Sorry for not understanding that (still do not understand such a syntax).

If you use dovecot to do local mail delivery (i.e. you are running a local IMAP server) you have the option of filtering the email with ‘sieve’ which is a scripting language (I hope I have the term right here). With sieve you can redirect emails to external email addresses or set a vacation response. Both of these scenarios cause sendmail to be called … as I have postfix as my MTA, postfix calls postdrop.

The default /etc/apparmor.d/usr.lib.dovecot.dovecot-lda is clearly trying to allow sendmail to gain permission but fails. I get errors in the mail logs but using YaST I get nothing in apparmor. I did get warnings about accessing the sieve local files in my home directory.

As previously said, I don’t want to edit /etc/apparmor.d/usr.lib.dovecot.dovecot-lda as an update to apparmor will negate the edit.

Do you still want me to file a bug?

Agreed - try and comment out an “include …” with a “#” and find that it’s still included. Cost me a lot of head scratching.

Yes, very strange indeed. I do not know where that is documented, but I wonder what then is comment in this configuration file and what is the syntactic difference between

#    Copyright (C) 2013-2018 Christian Boltz

and

#include <tunables/global>

But hey, I do not use Apparmor, so it is only of academic interest to me.

Lines starting with # are comments - with the exception of #include.

include and #include have the same meaning in AppArmor profiles - they both include the specified file.

Historically, #include was used (similar to the #include keyword in C), but as this thread confirmed, this can cause confusion with comments. Therefore newer AppArmor versions (starting with 3.0) switched to include which is less confusing, and doesn’t look like a comment.

This thread only confirms that having lines starting with a # being sometimes comments and sometimes not does indeed cause confusion. So IMHO it is worse than it was.

I do not know whether it was possible to provide comments before, but I assume that if it was, it was NOT by starting them with a #.

So only because some people thought that “comments start with a #” is universal, which is rather stupid, they introduced confusion.

In case anyone lands here by searching in the future, I did get a resolution/solution by filing a bug as suggested (Bug 1181692 - https://bugzilla.opensuse.org/show_bug.cgi?id=1181692).

The solution is in two parts:

To make sieve work add the following to /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda:

owner /home/*/.dovecot.lda-dupes rw,
owner /home/*/.dovecot.lda-dupes.lock rw,
owner /home/*/.dovecot.sieve.log rw,
owner /home/*/.dovecot.svbin* rw,
owner /var/spool/postfix/maildrop/* rw,

This makes the sieve working files accessible for read and write within the profile.

To prevent the postdrop error

sendmail: fatal: execvp /usr/sbin/postdrop: Permission denied

I copied /usr/share/apparmor/extra-profiles/usr.sbin.postdrop to /etc/apparmor.d as the subprofile in /etc/apparmor.d/usr.lib.dovecot.dovecot-lda appears to have an issue.

This worked for both Tumbleweed and Leap 15.2 but you can also get more detail from the dialogue in the bug report.
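The rules in this thread were derived by hand from AppArmor’s DENIED audit records, which YaST did not always surface. As an added example (not code from the thread or from AppArmor’s own tools), the helper below parses such records and turns each denial into a candidate line for the local override file; the four log records are constructed samples that imitate the denials described above, and the `Px` transition it proposes for exec denials assumes the target has its own profile, as the final postdrop fix provides.

```python
import re
from collections import OrderedDict

# Constructed sample audit records (not taken from the thread); field layout follows AppArmor AVC lines.
SAMPLE_LOG = """\
type=AVC msg=audit(1612345678.100:41): apparmor="DENIED" operation="open" profile="dovecot-dovecot-lda" name="/home/alice/.dovecot.lda-dupes" pid=2101 comm="dovecot-lda" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
type=AVC msg=audit(1612345678.101:42): apparmor="DENIED" operation="open" profile="dovecot-dovecot-lda" name="/home/bob/.dovecot.sieve.log" pid=2102 comm="dovecot-lda" requested_mask="ac" denied_mask="ac" fsuid=1001 ouid=1001
type=AVC msg=audit(1612345678.102:43): apparmor="DENIED" operation="exec" profile="dovecot-dovecot-lda//sendmail" name="/usr/sbin/postdrop" pid=2103 comm="sendmail" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1612345678.103:44): apparmor="ALLOWED" operation="open" profile="dovecot-dovecot-lda" name="/var/spool/postfix/maildrop/1A2B3C" pid=2103 comm="postdrop" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HOME = re.compile(r"^/home/[^/]+/")

def parse_avc(line):
    """Split one AppArmor audit line into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def suggest_rule(rec):
    """Turn one DENIED record into a candidate rule for the local override file, else None."""
    if rec.get("apparmor") != "DENIED":
        return None
    path = HOME.sub("/home/*/", rec["name"])  # generalise per-user home paths, as the thread's rules do
    if rec["operation"] == "exec":
        # Px assumes the target has its own profile (the thread installed one for postdrop);
        # the transition mode is a policy decision, so review it rather than copying it blindly.
        return f"{path} Px,"
    mask = rec["denied_mask"].replace("a", "w").replace("c", "w")  # append/create are write access
    perms = "".join(p for p in "rwlk" if p in mask)
    # 'owner' limits the rule to files owned by the confined process's fsuid (least privilege)
    owner = "owner " if rec.get("fsuid") == rec.get("ouid") else ""
    return f"{owner}{path} {perms},"

def rules_from_log(text):
    """Group de-duplicated candidate rules by the profile that logged the denial."""
    out = OrderedDict()
    for line in text.splitlines():
        rec = parse_avc(line)
        rule = suggest_rule(rec)
        if rule and rule not in out.setdefault(rec["profile"], []):
            out[rec["profile"]].append(rule)
    return out

if __name__ == "__main__":
    for profile, rules in rules_from_log(SAMPLE_LOG).items():
        print(f"# denials logged under profile {profile}")
        print("\n".join(rules))
```

Feed it the output of `journalctl -k | grep apparmor=` (or the audit log) instead of the sample text; denials under a sub-profile such as dovecot-dovecot-lda//sendmail show which profile actually needs the rule.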