[apparmor] [patch] dovecot profile: allow capability sys_resource

Steve Beattie steve at nxnw.org
Tue Nov 29 18:43:47 UTC 2016


On Tue, Nov 29, 2016 at 01:49:05PM +0100, Christian Boltz wrote:
> On servers with not too much memory ("only" 16 GB), dovecot logins fail:
> 
> Nov 25 21:35:15 server dovecot[28737]: master: Fatal: setrlimit(RLIMIT_DATA, 268435456): Permission denied
> Nov 25 21:35:15 server dovecot[28731]: master: Error: service(auth): command startup failed, throttling for 2 secs
> Nov 25 21:35:15 server dovecot[28737]: auth: Fatal: master: service(auth): child 25976 returned error 89 (Fatal failure)

> audit.log messages are:
> ... apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" capability=24  capname="sys_resource"
> ... apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" rlimit=data value=268435456

Interesting. This should only be needed if raising RLIMIT_DATA
('ulimit -H -d' in bash/dash) over an existing hard limit. Is there
some setting elsewhere that's lowering it before dovecot runs?

> After allowing capability sys_resource, dovecot can increase the limit
> and works again.
> 
> I propose this patch for trunk, 2.10 and 2.9

That question aside, I think it's okay.
Acked-by: Steve Beattie <steve at nxnw.org> for all three branches.

> [ dovecot-cap-sys_resource.diff ]
> 
> === modified file 'profiles/apparmor.d/usr.sbin.dovecot'
> --- profiles/apparmor.d/usr.sbin.dovecot        2014-12-22 16:49:28 +0000
> +++ profiles/apparmor.d/usr.sbin.dovecot        2016-11-29 11:46:32 +0000
> @@ -28,6 +28,7 @@
>    capability net_bind_service,
>    capability setuid,
>    capability sys_chroot,
> +  capability sys_resource,
>  
>    /etc/dovecot/** r,
>    /etc/mtab r,
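Review bot: The added `capability sys_resource,` line has no comment recording why dovecot needs it, and CAP_SYS_RESOURCE grants more than raising rlimits; a short comment above it, e.g. `# dovecot master raises RLIMIT_DATA via setrlimit()`, would preserve the reason from this report for later profile reviewers. The line keeps the block's alphabetical order, and the context lines around it are unchanged.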

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
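As an added illustration of the capability rule Steve refers to (example code written for this page, not from the dovecot or AppArmor projects): a process may always lower a hard limit or move its soft limit anywhere up to the hard limit, but raising a hard limit above its current value needs CAP_SYS_RESOURCE, which is what AppArmor's `capability sys_resource` rule permits. The program checks a requested change against the current RLIMIT_DATA hard limit and then reproduces the EPERM in a forked child by lowering the hard limit and trying to raise it back. It assumes Linux; the `RAISE_*` names, `needs_sys_resource_for` and the lowered-limit values are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of trying to raise the RLIMIT_DATA hard limit in a child process. */
enum raise_result {
    RAISE_OK = 0,           /* raise succeeded: the process holds CAP_SYS_RESOURCE */
    RAISE_EPERM = 1,        /* raise refused with EPERM: no CAP_SYS_RESOURCE */
    RAISE_OTHER_ERR = 2,    /* setrlimit() failed for another reason */
    RAISE_SETUP_FAILED = 3  /* getrlimit()/fork()/lowering step failed */
};

/* Policy check mirroring the kernel rule for setrlimit(): only raising the
 * hard limit above its current value needs CAP_SYS_RESOURCE.  RLIM_INFINITY is
 * the largest rlim_t value, so a plain comparison covers the unlimited case. */
int needs_sys_resource_for(rlim_t current_hard, rlim_t wanted_hard)
{
    return wanted_hard > current_hard;
}

/* Lower the RLIMIT_DATA hard limit in a forked child (never needs a capability),
 * then try to restore the original value.  The restore is a raise, so it fails
 * with EPERM exactly like dovecot's setrlimit(RLIMIT_DATA, ...) in the log
 * whenever the child lacks CAP_SYS_RESOURCE.  The parent's limits stay untouched. */
int demo_raise_hard_limit(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return RAISE_SETUP_FAILED;

    if (pid == 0) {
        struct rlimit orig, lowered;
        if (getrlimit(RLIMIT_DATA, &orig) != 0 || orig.rlim_max < 2)
            _exit(RAISE_SETUP_FAILED);

        /* Constructed target strictly below the current hard limit:
         * 1 GiB when unlimited, otherwise half of the current value. */
        lowered.rlim_max = (orig.rlim_max == RLIM_INFINITY) ? (rlim_t)1 << 30
                                                            : orig.rlim_max / 2;
        /* Keep soft <= hard, otherwise setrlimit() rejects the pair with EINVAL. */
        lowered.rlim_cur = (orig.rlim_cur < lowered.rlim_max) ? orig.rlim_cur
                                                               : lowered.rlim_max;

        if (setrlimit(RLIMIT_DATA, &lowered) != 0)
            _exit(RAISE_SETUP_FAILED);

        /* Raising the hard limit back requires CAP_SYS_RESOURCE. */
        if (setrlimit(RLIMIT_DATA, &orig) == 0)
            _exit(RAISE_OK);
        _exit(errno == EPERM ? RAISE_EPERM : RAISE_OTHER_ERR);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return RAISE_SETUP_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    struct rlimit cur;
    if (getrlimit(RLIMIT_DATA, &cur) != 0) {
        perror("getrlimit");
        return 1;
    }
    /* 268435456 is the value from the dovecot log quoted in this thread. */
    rlim_t dovecot_wants = 268435456;
    if (cur.rlim_max == RLIM_INFINITY)
        printf("current RLIMIT_DATA hard limit: unlimited\n");
    else
        printf("current RLIMIT_DATA hard limit: %llu\n",
               (unsigned long long)cur.rlim_max);
    printf("setrlimit(RLIMIT_DATA, %llu) needs CAP_SYS_RESOURCE here: %s\n",
           (unsigned long long)dovecot_wants,
           needs_sys_resource_for(cur.rlim_max, dovecot_wants) ? "yes" : "no");

    static const char *names[] = {
        "raised OK (CAP_SYS_RESOURCE held)", "EPERM (no CAP_SYS_RESOURCE)",
        "other error", "setup failed"
    };
    printf("lower-then-raise in child: %s\n", names[demo_raise_hard_limit()]);
    return 0;
}
```

Run as an unprivileged user the child reports EPERM; the same binary run with CAP_SYS_RESOURCE (or as root) reports success. The policy check is what answers Steve's question for a given host: if `ulimit -H -d` already shows 262144 kB or more, dovecot's call is a lowering and no capability is involved, so a denial points to something having reduced the hard limit before dovecot started.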