Bug 1219139

Summary: [Build 20240123] pam 1.6 vs apparmor
Product: [openSUSE] openSUSE Tumbleweed Reporter: Dominique Leuenberger <dimstar>
Component: AppArmor Assignee: Christian Boltz <suse-beta>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: dimstar, freek, fvogt, guillaume.gardet
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://openqa.opensuse.org/tests/3889394/modules/mutt/steps/24
Whiteboard:
Found By: openQA Services Priority:
Business Priority: Blocker: Yes
Marketing QA Status: --- IT Deployment: ---

Description Dominique Leuenberger 2024-01-24 12:25:06 UTC
## Observation

The test sets up a postfix/dovecot mail server and then tries to connect to it using mutt.

Since the upgrade to PAM 1.6, this no longer works.

On a local debug I could identify AppArmor blocking access to two objects while authenticating:

type=AVC msg=audit(1706098433.326:138): apparmor="DENIED" operation="exec" class="file" profile="dovecot-auth" name="/usr/sbin/unix_chkpwd" pid=1479 comm="auth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1706098433.326:139): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/proc/1478/loginuid" pid=1478 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


If I tear down AppArmor (aa-teardown) I can successfully login to my test dovecot setup.
openQA test in scenario opensuse-Tumbleweed-JeOS-for-kvm-and-xen-x86_64-jeos-extra@64bit_virtio-2G fails in
[mutt](https://openqa.opensuse.org/tests/3889394/modules/mutt/steps/24)

## Test suite description
Same as jeos, plus some more tests.


## Reproducible

Fails since (at least) Build [20240123](https://openqa.opensuse.org/tests/3888714)


## Expected result

Last good: [20240122](https://openqa.opensuse.org/tests/3886456) (or more recent)


## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=JeOS-for-kvm-and-xen&machine=64bit_virtio-2G&test=jeos-extra&version=Tumbleweed)
Comment 1 Fabian Vogt 2024-01-24 14:55:21 UTC
The pam changelog contains:

> pam_unix: changed to always run the helper to obtain shadow password
> entries.

So everything which previously opened /etc/shadow directly might now call unix_chkpwd instead. That might affect more than just dovecot.
Comment 2 Christian Boltz 2024-01-24 17:09:52 UTC
(In reply to Fabian Vogt from comment #1)
> The pam changelog contains:
> 
> > pam_unix: changed to always run the helper to obtain shadow password
> > entries.
> 
> So everything which previously opened /etc/shadow directly might now call
> unix_chkpwd instead. That might affect more than just dovecot.

That's good to know, thanks for pointing it out!


Nevertheless, let's start with the actual failure ;-)

The denials translate to the following additions in
/etc/apparmor.d/usr.lib.dovecot.auth

    /usr/sbin/unix_chkpwd Px,
    owner /proc/@{PID}/loginuid r,


You'll also need a profile for unix_chkpwd, which I'll steal from the apparmor.d project (please save it as /etc/apparmor.d/unix-chkpwd)

---------------------------------------------------------------------------
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = /{,usr/}{,s}bin/unix_chkpwd
profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  # To write records to the kernel auditing log.
  capability audit_write,

  network netlink raw,

  @{exec_path} mr,

  /etc/shadow r,

  # file_inherit
  owner /dev/tty@{int} rw,

  include if exists <local/unix-chkpwd>
}
---------------------------------------------------------------------------

Can you please test if the dovecot-auth profile addition + this profile fix the authentication? (If you still see denials, please switch the affected profiles to complain mode with aa-complain so that we get everything at once.)


For the record: the following profiles read /etc/shadow (via abstractions/authentication):
- apparmor.d/usr.lib.dovecot.auth
- apparmor.d/usr.lib.dovecot.dovecot-auth
- apparmor.d/usr.sbin.dovecot
- apparmor.d/usr.sbin.smbd
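The translation from the two denials in the description to the rule additions above can be scripted. The following Python snippet is an added example, not code from this bug or from AppArmor's own aa-logprof: it parses the audit lines, emits `Px` for a denied exec, generalises the concrete pid to `@{PID}`, and prefixes `owner` when the file's ouid matches the process fsuid (these heuristics are assumptions chosen to reproduce comment 2's rules).

```python
import re
from typing import Dict, List

# Constructed sample: the two AppArmor denials quoted in the bug description.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1706098433.326:138): apparmor="DENIED" operation="exec" class="file" profile="dovecot-auth" name="/usr/sbin/unix_chkpwd" pid=1479 comm="auth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1706098433.326:139): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/proc/1478/loginuid" pid=1478 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value or key="quoted value" tokens of one audit record
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line: str) -> Dict[str, str]:
    """Split one audit line into a dict, stripping quotes around values."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def suggest_rule(ev: Dict[str, str]) -> str:
    """Map one DENIED file event to a candidate rule, mirroring comment 2.

    Assumed heuristics (this example's, not aa-logprof's exact logic):
    - a denied exec becomes a 'Px' transition into the helper's own profile
    - a concrete /proc/<pid>/ path is generalised to /proc/@{PID}/
    - 'owner' is added when the file owner (ouid) equals the process fsuid
    """
    name, mask = ev["name"], ev["denied_mask"]
    if "x" in mask:
        return f"{name} Px,"
    generic = re.sub(r"^/proc/\d+/", "/proc/@{PID}/", name)
    owner = "owner " if ev.get("fsuid") == ev.get("ouid") else ""
    return f"{owner}{generic} {mask},"


def rules_for_profiles(log: str) -> Dict[str, List[str]]:
    """Group candidate rules by the profile that produced each denial."""
    rules: Dict[str, List[str]] = {}
    for line in log.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        ev = parse_avc(line)
        if ev.get("class") != "file":
            continue  # only path rules are handled here
        rules.setdefault(ev["profile"], []).append(suggest_rule(ev))
    return rules
```

Run it over `SAMPLE_AUDIT` and the dovecot-auth entry yields exactly the two lines comment 2 adds; the output is a starting point to review, not something to paste blindly into a profile.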
Comment 3 Dominique Leuenberger 2024-01-25 09:20:14 UTC
The unix-chkpwd profile is invalid with the version of AppArmor we use:

* abi/4.0 -> abi/3.0
* abstractions/nameservice-strict -> abstractions/nameservice
* reference to int, but never declared (removed that line in my test system)

With those changes applied to unix-chkpwd, I can log in on the dovecot/POP3 server.
Comment 4 Thorsten Kukuk 2024-01-29 15:55:29 UTC
*** Bug 1219301 has been marked as a duplicate of this bug. ***
Comment 5 Freek de Kruijf 2024-01-29 17:23:07 UTC
In which snapshot of Tumbleweed will this be available?
Comment 6 Christian Boltz 2024-01-29 21:32:05 UTC
(In reply to Freek de Kruijf from comment #5)
> In which snapshot of Tumbleweed will this be available?

SR 1142650 submitted, so - as soon as it gets accepted and the snapshot passes openQA.

Until then, feel free to install and test the apparmor-profiles package from security:apparmor as soon as the build finishes in a few minutes.
Comment 7 OBSbugzilla Bot 2024-01-29 23:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1219139) was mentioned in
https://build.opensuse.org/request/show/1142650 Factory / apparmor
Comment 8 Dominique Leuenberger 2024-01-31 08:35:45 UTC
(In reply to OBSbugzilla Bot from comment #7)
> This is an autogenerated message for OBS integration:
> This bug (1219139) was mentioned in
> https://build.opensuse.org/request/show/1142650 Factory / apparmor

Checked in and confirmed by openQA:

Previously failing test 'mutt' passes again
https://openqa.opensuse.org/tests/3905255#step/mutt/1