Bug 152706

Summary: apparmor prevents postfix from accessing /etc/postfix/header_checks
Product: [openSUSE] SUSE Linux 10.1 Reporter: Per Jessen <per>
Component: AppArmorAssignee: Seth R Arnold <seth.arnold>
Status: RESOLVED FIXED QA Contact: Dominic W Reynolds <dreynolds>
Severity: Normal    
Priority: P5 - None CC: suse-beta
Version: Beta 3   
Target Milestone: ---   
Hardware: i686   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Per Jessen 2006-02-22 08:27:54 UTC 
I edited /etc/postfix/main.cf to uncomment "header_checks", which subsequently prevented postfix from running:

postfix/master[15235]: daemon started -- version 2.2.6,
configuration /etc/postfix
postfix/cleanup[15238]: fatal: open /etc/postfix/header_checks:
Operation not permitted
postfix/master[15235]: warning: process /usr/lib/postfix/cleanup pid
15238 exit status 1
io postfix/master[15235]: warning: /usr/lib/postfix/cleanup: bad command
startup -- throttling

Permissions of /etc/postfix/header_checks are fine:

# ls -l /etc/postfix/header_checks
-rw-r--r-- 1 root root 16393 Jan 30 18:05 /etc/postfix/header_checks

I'm filing this report as per discussion with Andreas Jaeger on suse-linux-e.  My personal opinion is that AppArmor should not be enabled by default, at least not until a major release.
Comment 1 Seth R Arnold 2006-02-22 22:03:06 UTC 
Per, thanks for the report; I've added a rule to postfix's cleanup profile that grants read access to /etc/postfix/header_checks.

You may use aa_genprof /usr/lib/postfix/cleanup to place the cleanup profile into learning mode and be prompted to automatically add any subsequently learned accesses to your local profiles. 

In case this one specific file access is not sufficient, please re-open this bug with the additional REJECTING or PERMITTING log entries from /var/log/audit/audit.log.

As a side-issue, AppArmor is enabled in the beta process so that the quality of our profiles in the released product can be as high as possible -- we rely on beta testers to exercise applications 'normally', as compared to what we can simulate in the lab. Without beta testers exercising our profiles, customers of the box product or enterprise product would have stumbled on this (and other problems in our profiles) only after the product has shipped. Many thanks for taking the time to improve our profiles for everyone.

Thanks
Comment 2 Per Jessen 2006-03-11 10:43:37 UTC 
Reopening as I have just installed Beta6 and ran into exactly the same problem.  I tried using "aa-genprof /usr/lib/postfix/cleanup" which works fine.  My configuration is also using some pcre-tables, so AA needs to allow postfix access to /usr/lib/postfix/dict_pcre.so - by default I would say.

I also added a new transport to /etc/postfix/master.cf, and reran aa-genprof a couple of times.
Comment 3 Seth R Arnold 2006-03-13 19:59:22 UTC 
Per, thanks; I've made sure that our upcoming Beta8 includes far more open configuration and library access for all postfix programs. If you notice additional problems in the future, please include /var/log/audit/audit.log file cut-n-paste that includes the REJECTING or PERMITTING lines necessary to allow postfix to work in your environment.