Bugzilla – Bug 1219139
[Build 20240123] pam 1.6 vs apparmor
Last modified: 2024-02-07 17:10:08 UTC
## Observation

The test sets up a postfix/dovecot mail server and then tries to connect to it using mutt. Since the upgrade to PAM 1.6, this no longer works.

On a local debug I could identify AppArmor blocking access to two objects while authenticating:

type=AVC msg=audit(1706098433.326:138): apparmor="DENIED" operation="exec" class="file" profile="dovecot-auth" name="/usr/sbin/unix_chkpwd" pid=1479 comm="auth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1706098433.326:139): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/proc/1478/loginuid" pid=1478 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

If I tear down AppArmor (aa-teardown) I can successfully log in to my test dovecot setup.

openQA test in scenario opensuse-Tumbleweed-JeOS-for-kvm-and-xen-x86_64-jeos-extra@64bit_virtio-2G fails in
[mutt](https://openqa.opensuse.org/tests/3889394/modules/mutt/steps/24)

## Test suite description
Same as jeos, plus some more tests.

## Reproducible
Fails since (at least) Build [20240123](https://openqa.opensuse.org/tests/3888714)

## Expected result
Last good: [20240122](https://openqa.opensuse.org/tests/3886456) (or more recent)

## Further details
Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=JeOS-for-kvm-and-xen&machine=64bit_virtio-2G&test=jeos-extra&version=Tumbleweed)
The pam changelog contains:

> pam_unix: changed to always run the helper to obtain shadow password
> entries.

So everything which previously opened /etc/shadow directly might now call unix_chkpwd instead. That might affect more than just dovecot.
(In reply to Fabian Vogt from comment #1)
> The pam changelog contains:
>
> > pam_unix: changed to always run the helper to obtain shadow password
> > entries.
>
> So everything which previously opened /etc/shadow directly might now call
> unix_chkpwd instead. That might affect more than just dovecot.

That's good to know, thanks for pointing it out! Nevertheless, let's start with the actual failure ;-)

The denials translate to the following additions in /etc/apparmor.d/usr.lib.dovecot.auth

  /usr/sbin/unix_chkpwd Px,
  owner /proc/@{PID}/loginuid r,

You'll also need a profile for unix_chkpwd, which I'll steal from the apparmor.d project (please save it as /etc/apparmor.d/unix-chkpwd)

---------------------------------------------------------------------------
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = /{,usr/}{,s}bin/unix_chkpwd
profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  # To write records to the kernel auditing log.
  capability audit_write,

  network netlink raw,

  @{exec_path} mr,

  /etc/shadow r,

  # file_inherit
  owner /dev/tty@{int} rw,

  include if exists <local/unix-chkpwd>
}
---------------------------------------------------------------------------

Can you please test if the dovecot-auth profile addition + this profile fix the authentication?
(If you still see denials, please switch the affected profiles to complain mode with aa-complain so that we get everything at once.)

For the record: the following profiles read /etc/shadow (via abstractions/authentication):
- apparmor.d/usr.lib.dovecot.auth
- apparmor.d/usr.lib.dovecot.dovecot-auth
- apparmor.d/usr.sbin.dovecot
- apparmor.d/usr.sbin.smbd
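The step from comment #2, turning each AVC denial into a candidate profile line, is what aa-logprof automates; the following is an added example (not part of this bug report, the apparmor.d project, or the AppArmor tools) that does the same translation for the two denials quoted above. It assumes the two choices the fix made: an exec denial becomes a `Px` rule, and a read of the process's own `/proc/<pid>/` entry becomes an `owner /proc/@{PID}/...` rule. The sample input is a constructed copy of the two audit lines from the report.

```python
import re

# Constructed sample input: the two AVC denials quoted in the bug report above.
AVC_LINES = [
    'type=AVC msg=audit(1706098433.326:138): apparmor="DENIED" operation="exec" '
    'class="file" profile="dovecot-auth" name="/usr/sbin/unix_chkpwd" pid=1479 '
    'comm="auth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'type=AVC msg=audit(1706098433.326:139): apparmor="DENIED" operation="open" '
    'class="file" profile="dovecot-auth" name="/proc/1478/loginuid" pid=1478 '
    'comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# key=value or key="quoted value" tokens of an audit record
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# /proc/<pid>/... paths, captured so the pid can be compared with the acting process
PROC_PID_RE = re.compile(r"^/proc/(\d+)(/.*)?$")


def parse_avc(line):
    """Split one audit line into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def suggest_rule(fields):
    """Turn one DENIED file event into an AppArmor file rule.

    Two choices mirror the fix from comment #2 and are assumptions here, not
    general AppArmor policy: an exec denial becomes 'Px' (run the helper under
    its own profile with a scrubbed environment), and a read of the process's
    own /proc/<pid>/ entry becomes an 'owner' rule on /proc/@{PID}/.
    """
    path = fields["name"]
    owner = ""
    m = PROC_PID_RE.match(path)
    if m and m.group(1) == fields.get("pid"):
        path = "/proc/@{PID}" + (m.group(2) or "")
        owner = "owner "
    if fields.get("operation") == "exec":
        perms = "Px"
    else:
        perms = fields["denied_mask"]
    return f"{owner}{path} {perms},"


def rules_from_avc(lines):
    """Group suggested rules by the profile that produced each denial."""
    by_profile = {}
    for line in lines:
        f = parse_avc(line)
        if f.get("apparmor") != "DENIED" or f.get("class") != "file":
            continue
        rules = by_profile.setdefault(f["profile"], [])
        rule = suggest_rule(f)
        if rule not in rules:       # identical denials repeat in real logs
            rules.append(rule)
    return by_profile


if __name__ == "__main__":
    for profile, rules in rules_from_avc(AVC_LINES).items():
        print(f"# additions for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Running it prints the same two lines that comment #2 adds to usr.lib.dovecot.auth. Only `class="file"` events are handled; capability, network and signal denials need their own rule forms and are skipped rather than guessed.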
The unix-chkpwd profile is invalid with the version of AppArmor we use:
* abi/4.0 => abi/3.0
* abstractions/nameservice-strict -> abstractions/nameservice
* reference to int, but never declared (removed that line in my test system)

With those changes applied to unix-chkpwd, I can log in on the dovecot/POP3 server
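The three incompatibilities found in comment #3 (abi line, missing abstraction, undeclared variable) are the kind of thing that can be checked before apparmor_parser is run. The following added example (not code from this bug, the apparmor.d project or the AppArmor tools) scans a profile for those three problems and applies the corrections from comment #3. The supported ABI, the set of include files the host ships and the variable names its tunables define are hypothetical values standing in for what a real /etc/apparmor.d would provide; the profile text is a constructed copy of the one from comment #2 with its comment header dropped.

```python
import re

# Constructed copy of the unix-chkpwd profile posted in comment #2, without
# its comment header, so the line numbers reported below refer to this string.
PROFILE = """\
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /{,usr/}{,s}bin/unix_chkpwd
profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  capability audit_write,
  network netlink raw,
  @{exec_path} mr,
  /etc/shadow r,
  owner /dev/tty@{int} rw,
  include if exists <local/unix-chkpwd>
}
"""

# Hypothetical description of the target host (assumed values, not read from a
# real /etc/apparmor.d): the abi its parser accepts, the include files it
# ships, and the variables its tunables define.
SUPPORTED_ABI = "abi/3.0"
AVAILABLE_INCLUDES = {"tunables/global", "abstractions/base", "abstractions/nameservice"}
TUNABLE_VARS = {"HOME", "PROC", "pid", "run", "sys"}
# Replacement for an include the host lacks (the mapping chosen in comment #3).
INCLUDE_MAP = {"abstractions/nameservice-strict": "abstractions/nameservice"}

ABI_RE = re.compile(r"^\s*abi\s+<([^>]+)>\s*,")
INCLUDE_RE = re.compile(r"^\s*include\s+(if\s+exists\s+)?<([^>]+)>")
VAR_DEF_RE = re.compile(r"^\s*@\{(\w+)\}\s*\+?=")
VAR_USE_RE = re.compile(r"@\{(\w+)\}")


def check_profile(text, supported_abi=SUPPORTED_ABI, available=AVAILABLE_INCLUDES,
                  tunables=TUNABLE_VARS):
    """Return (line number, message) for each construct the host cannot load."""
    problems = []
    declared = set(tunables)
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]            # ignore trailing comments
        m = ABI_RE.match(code)
        if m and m.group(1) != supported_abi:
            problems.append((lineno, f"abi {m.group(1)} unsupported, use {supported_abi}"))
        m = INCLUDE_RE.match(code)
        if m and not m.group(1) and m.group(2) not in available:
            problems.append((lineno, f"missing include {m.group(2)}"))
        m = VAR_DEF_RE.match(code)
        if m:
            declared.add(m.group(1))            # definitions precede uses
            continue
        for name in VAR_USE_RE.findall(code):
            if name not in declared:
                problems.append((lineno, f"undeclared variable @{{{name}}}"))
    return problems


def fix_profile(text, supported_abi=SUPPORTED_ABI, include_map=INCLUDE_MAP,
                tunables=TUNABLE_VARS):
    """Apply the three adjustments from comment #3 and return the new text."""
    out = []
    declared = set(tunables)
    for line in text.splitlines():
        code = line.split("#", 1)[0]
        m = ABI_RE.match(code)
        if m:
            line = line.replace(m.group(1), supported_abi)
        m = INCLUDE_RE.match(code)
        if m and m.group(2) in include_map:
            line = line.replace(m.group(2), include_map[m.group(2)])
        m = VAR_DEF_RE.match(code)
        if m:
            declared.add(m.group(1))
        elif any(n not in declared for n in VAR_USE_RE.findall(code)):
            continue                            # drop the rule, as comment #3 did
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, msg in check_profile(PROFILE):
        print(f"line {lineno}: {msg}")
    print(fix_profile(PROFILE))
```

Dropping a rule that references an undeclared variable is the least permissive repair, which is why it is the default here; the tty rule removed in comment #3 only mattered for inherited file descriptors, and a denial would show up in the audit log if it were needed.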
*** Bug 1219301 has been marked as a duplicate of this bug. ***
In which snapshot of Tumbleweed will this be available?
(In reply to Freek de Kruijf from comment #5)
> In which snapshot of Tumbleweed will this be available?

SR 1142650 submitted, so - as soon as it gets accepted and the snapshot passes openQA.

Until then, feel free to install and test the apparmor-profiles package from security:apparmor as soon as the build finishes in a few minutes.
This is an autogenerated message for OBS integration:
This bug (1219139) was mentioned in
https://build.opensuse.org/request/show/1142650 Factory / apparmor
(In reply to OBSbugzilla Bot from comment #7)
> This is an autogenerated message for OBS integration:
> This bug (1219139) was mentioned in
> https://build.opensuse.org/request/show/1142650 Factory / apparmor

Checked in and confirmed by openQA: the previously failing test 'mutt' passes again
https://openqa.opensuse.org/tests/3905255#step/mutt/1