Bug 146596

Summary: Postfix can't open sasl_passwd.db because "Operation not permitted"
Product: [openSUSE] SUSE Linux 10.1
Reporter: Holger Macht <hmacht>
Component: AppArmor
Assignee: Seth R Arnold <seth.arnold>
Status: RESOLVED FIXED
QA Contact: Dominic W Reynolds <dreynolds>
Severity: Blocker
Priority: P5 - None
CC: aj, kukuk
Version: Beta 2
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Holger Macht 2006-01-30 13:40:16 UTC
Plain Beta2 installation. When trying to send mail through postfix, I find the following error messages in /var/log/mail:

Jan 30 13:23:35 linux postfix/qmgr[3390]: 2DB754763C: from=<hmacht@suse.de>, size=2558, nrcpt=1 (queue active)
Jan 30 13:23:37 linux postfix/smtp[3417]: fatal: open database /etc/postfix/sasl_passwd.db: Operation not permitted
Jan 30 13:23:38 linux postfix/master[3367]: warning: process /usr/lib/postfix/smtp pid 3417 exit status 1
Jan 30 13:23:38 linux postfix/master[3367]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling

The mail is obviously not sent. Rights are correct. After uninstalling AppArmor, everything works as expected.
Comment 1 Dominic W Reynolds 2006-01-30 23:44:09 UTC
Seth, can you look at this profile issue?

Andreas - this is listed as a blocker for 10.1 - this has not been fixed for beta3.

Thorsten - this will also affect SLES10.

Comment 2 Seth R Arnold 2006-02-04 08:55:08 UTC
Holger, thanks for the report.

Our next checkin will include a rule for postfix's smtp that includes read access to this specific file. If SASL is still not supported, please either run: aa-genprof /usr/lib/postfix/smtp
and try sending mail again, or use the yast "novell apparmor / create profile" utility to do much the same thing.

This will allow postfix's smtp sending service to run in "complain mode", where all accesses are granted and recorded. The aa-genprof utility will help you update the profile; once it works without error (which should be only one or two iterations of the aa-genprof tool), please send us the /etc/apparmor.d/usr.lib.postfix.smtp file.

Assuming this single rule doesn't resolve the problem, of course. :) Please let me know if it doesn't. Thanks.
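
A triage example for the failure in this report, added here and not part of the bug thread or of AppArmor's own tooling: it pairs the smtp fatal with master's exit warning by pid, then derives the profile file and the aa-genprof command named in Comment 2. The function names and the extra "Permission denied" match are assumptions; the log lines are the ones quoted in the description.

```python
import re

# Log lines quoted in the bug description, embedded so the script runs offline.
SAMPLE_LOG = """\
Jan 30 13:23:35 linux postfix/qmgr[3390]: 2DB754763C: from=<hmacht@suse.de>, size=2558, nrcpt=1 (queue active)
Jan 30 13:23:37 linux postfix/smtp[3417]: fatal: open database /etc/postfix/sasl_passwd.db: Operation not permitted
Jan 30 13:23:38 linux postfix/master[3367]: warning: process /usr/lib/postfix/smtp pid 3417 exit status 1
Jan 30 13:23:38 linux postfix/master[3367]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling
"""

# A postfix daemon that could not open a lookup table. "Permission denied" is
# an added assumption; the report itself only shows "Operation not permitted".
FATAL_RE = re.compile(
    r"postfix/(?P<svc>[\w-]+)\[(?P<pid>\d+)\]: fatal: open database "
    r"(?P<path>\S+): (?P<err>Operation not permitted|Permission denied)")
# The master process reporting which binary a dead child pid belonged to.
EXIT_RE = re.compile(
    r"postfix/master\[\d+\]: warning: process (?P<binary>\S+) "
    r"pid (?P<pid>\d+) exit status (?P<status>\d+)")


def profile_path(binary):
    """Profile file for a binary, following the name used in Comment 2."""
    return "/etc/apparmor.d/" + binary.lstrip("/").replace("/", ".")


def triage(log_text):
    """Join each failed open with master's exit warning for the same pid."""
    lines = log_text.splitlines()
    binaries = {}
    for line in lines:
        m = EXIT_RE.search(line)
        if m:
            binaries[int(m["pid"])] = m["binary"]
    findings = []
    for line in lines:
        m = FATAL_RE.search(line)
        if not m:
            continue
        pid = int(m["pid"])
        binary = binaries.get(pid)  # None if master never logged the exit
        findings.append({
            "pid": pid, "service": m["svc"], "denied_path": m["path"],
            "error": m["err"], "binary": binary,
            "profile": profile_path(binary) if binary else None,
            "next_step": f"aa-genprof {binary}" if binary else None,
        })
    return findings
```

A finding is only a hint that a profile may be involved; ordinary file ownership and mode still have to be ruled out first, as the reporter did.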
Comment 3 Dominic W Reynolds 2006-02-07 06:54:10 UTC
Seth, is this checked in for beta4? Can we close or do you still need more information from Holger?
Comment 4 Seth R Arnold 2006-02-07 07:08:52 UTC
Dominic, it's up to you -- this is checked into beta4, but as none of us have ever set up a SASL environment before, testing it would be difficult. We could close this bug as this specific problem has been addressed, but other problems might be lurking behind the one failed access...
Comment 5 Holger Macht 2006-02-07 08:52:24 UTC
Close the bug and I will reopen it if there are remaining issues in beta4.
Comment 6 Seth R Arnold 2006-02-07 18:28:06 UTC
Thanks