[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[suse-security] [SLE] postfix and apparmour



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I post this here so that the maintainer of apparmour sees it and corrects 
what I think are bugs.

When I installed 10.1 I had to add some rules to apparmour or postfix mail
delivery with amavis would fail. These are my modifications I did then:

/etc/apparmor.d/usr.lib.postfix.qmgr:

  /{var/spool/postfix/,}private/smtp-amavis             w,
  /{var/spool/postfix/,}public/flush                    w,


/etc/apparmor.d/usr.lib.postfix.smtpd:
  /{var/spool/postfix,}/pid/inet.localhost             rw,
  /{var/spool/postfix,}/pid/inet.localhost:10025       rw,


/etc/apparmor.d/usr.lib.postfix.master:
  /usr/lib/postfix/lmtp                          px,


These modifications petain to these log entries:

Jul  5 13:03:05 nimrodel postfix/smtpd[5615]: fatal: open lock file pid/inet.localhost:10025: cannot open file: Operation not permit
Jul  5 13:03:06 nimrodel postfix/master[22973]: warning: process /usr/lib/postfix/smtpd pid 5615 exit status 1

Jul  5 13:10:35 nimrodel postfix/master[5908]: warning: /usr/lib/postfix/lmtp: bad command startup -- throttling
Jul  5 13:11:35 nimrodel master[5985]: fatal: master_spawn: exec /usr/lib/postfix/lmtp: Operation not permitted



I don't know if the correct procedure is to modify those files directly,
but that's what I did and it works. Now, I have another problem. Today I
had some hundred emails being downloaded, and the command mailq took a
long time before failing to complete. I saw this log entry:

Jul 21 20:00:46 nimrodel postfix/showq[18412]: fatal: open incoming 564677F01D: Operation not permitted
Jul 21 20:00:47 nimrodel postfix/master[4587]: warning: process /usr/lib/postfix/showq pid 18412 exit status 1
Jul 21 20:00:47 nimrodel postfix/master[4587]: warning: /usr/lib/postfix/showq: bad command startup -- throttling

Then I looked at /var/log/audit/audit.log, and sure, there was a problem:

type=APPARMOR msg=audit(1153504846.751:1344): REJECTING r access to /var/spool/postfix/incoming/564677F01D (showq(18412) profile /usr/lib/postfix/showq active /usr/lib/postfix/showq)


So I go to /etc/apparmor.d/usr.lib.postfix.showq, and see this:

  /{var/spool/postfix/,}incoming                                   r,
  /{var/spool/postfix/,}incoming/[0-9A-F]                          r,
  /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]                 r,
  /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/*               r,
  /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]*                r,
  /{var/spool/postfix/,}incoming/[0-0A-F]*                         r,


Now, the question: Should the last line be:

  /{var/spool/postfix/,}incoming/[0-9A-F]*                         r,

instead?

   Notice that it is very dificult for me to test this: not till I get
   another mail with certain ID will it work or fail.


Is this a bug? Should all those modifications be included by SuSE in a
patch?


- -- 
Cheers,
       Carlos Robinson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFEwhhXtTMYHG2NR9URAoGvAJ9ioB5ah2O2hrEYzfXQyFj3jnpSeQCeMbQP
6UYW04xk07bjBY2vOtCs0Oc=
=6nKD
-----END PGP SIGNATURE-----


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here