[apparmor] [patch] dovecot profile: allow capability sys_resource
Christian Boltz
apparmor at cboltz.de
Tue Nov 29 20:34:22 UTC 2016
Hello,
On Tuesday, 29 November 2016, 10:43:47 CET, Steve Beattie wrote:
> On Tue, Nov 29, 2016 at 01:49:05PM +0100, Christian Boltz wrote:
> > On servers with not too much memory ("only" 16 GB), dovecot logins
> > fail:
> >
> > Nov 25 21:35:15 server dovecot[28737]: master: Fatal:
> > setrlimit(RLIMIT_DATA, 268435456): Permission denied
> > Nov 25 21:35:15 server dovecot[28731]: master: Error: service(auth):
> > command startup failed, throttling for 2 secs
> > Nov 25 21:35:15 server dovecot[28737]: auth: Fatal: master: service(auth):
> > child 25976 returned error 89 (Fatal failure)
> >
> > audit.log messages are:
> > ... apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot"
> > pid=25000 comm="dovecot" capability=24 capname="sys_resource"
> > ... apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot"
> > pid=25000 comm="dovecot" rlimit=data value=268435456
> Interesting. This should only be needed if raising RLIMIT_DATA
> ('ulimit -H -d' in bash/dash) over an existing hard limit. Is there
> some setting elsewhere that's lowering it before dovecot runs?
That's an interesting[tm] question.
Testing in the shell tells me "unlimited", and dovecot.service also
doesn't show any restrictions. (Maybe dovecot lowers the limit
somewhere, and later tries to raise it again?)
Wild guess: 268435456 / 1024 / 1024 = 256 MB - and that seems to be the
default value of dovecot's default virtual memory size
(default_vsz_limit) which is used at several places, and at least
explains why dovecot wants to raise the limit to this value.
Fun fact - it seems we "survived" this for quite a while - I found a
report about a similar SELinux denial from 2012 ;-)
http://forums.fedoraforum.org/archive/index.php/t-284859.html
> > After allowing capability sys_resource, dovecot can increase the
> > limit and works again.
> >
> > I propose this patch for trunk, 2.10 and 2.9
>
> That question aside, I think it's okay.
> Acked-by: Steve Beattie <steve at nxnw.org> for all three branches.
Thanks!
May I remind you that
[patch] logparser.py: improve file vs. network event recognition
is still waiting for a review? ;-)
Regards,
Christian Boltz
--
By the way, I think Suse won't be around much longer:
- I use Evolution. Evolution now belongs to Novell.
- Suse now belongs to Novell too.
But the spell checker of Evolution (Novell) doesn't know the word "Suse"!!!!
Got it???? They know more! [Ratti in fontlinge-devel]
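The denials quoted above are the kind of input aa-logprof's log parser works on. The script below is an added example written for this page, not code from the AppArmor project or from the mail's author: it parses audit.log key=value lines, collapses repeated DENIED capable events into one `capability <name>,` rule per profile, and reports setrlimit denials with the requested limit converted to human units (the same 268435456 / 1024 / 1024 = 256 MiB arithmetic the mail does by hand). The sample log lines are constructed from the excerpt in the mail; the type=AVC prefix, timestamps and audit ids are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the audit.log excerpt quoted in the mail.
# The type/msg prefix, timestamps and audit ids are invented; the apparmor=...
# key=value fields reproduce the ones shown in the post. The last line is an
# ALLOWED (complain-mode) event, included to show it is not treated as a denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1480109715.101:2001): apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" capability=24  capname="sys_resource"
type=AVC msg=audit(1480109715.102:2002): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" rlimit=data value=268435456
type=AVC msg=audit(1480109715.103:2003): apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25003 comm="dovecot" capability=24  capname="sys_resource"
type=AVC msg=audit(1480109715.104:2004): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/etc/dovecot/conf.d/" pid=25000 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# One key=value pair; the value is either double-quoted (may contain spaces
# or '=') or a bare token without whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one audit.log line into a dict of its key=value fields (quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def human_bytes(n):
    """Render a byte count in binary units, e.g. 268435456 -> '256 MiB'."""
    value = float(n)
    for unit in ("B", "KiB", "MiB", "GiB"):
        if value < 1024:
            break
        value /= 1024
    else:
        unit = "TiB"
    return f"{value:g} {unit}"


def analyse(log_text):
    """Turn DENIED events into profile rule suggestions plus setrlimit details.

    Returns a dict with:
      rules:   {profile: sorted list of AppArmor rule lines}; one rule per
               distinct capability, however many times it was denied
      counts:  {(profile, rule): number of denials behind that rule}
      rlimits: [(profile, resource, value, human readable value)] for
               setrlimit denials, so the admin can see which limit the
               program tried to set before deciding on a fix
    """
    rules = defaultdict(set)
    counts = defaultdict(int)
    rlimits = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED":
            continue  # ALLOWED lines are complain-mode audits, not denials
        profile = ev.get("profile", "<unknown>")
        op = ev.get("operation")
        if op == "capable" and "capname" in ev:
            rule = f"capability {ev['capname']},"
            rules[profile].add(rule)
            counts[(profile, rule)] += 1
        elif op == "setrlimit" and "rlimit" in ev and "value" in ev:
            value = int(ev["value"])
            rlimits.append((profile, ev["rlimit"], value, human_bytes(value)))
    return {
        "rules": {p: sorted(r) for p, r in rules.items()},
        "counts": dict(counts),
        "rlimits": rlimits,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_AUDIT_LOG)
    for profile, rule_list in result["rules"].items():
        print(f"# suggested additions for {profile}")
        for rule in rule_list:
            print(f"  {rule}   # {result['counts'][(profile, rule)]} denial(s)")
    for profile, res, value, human in result["rlimits"]:
        print(f"# {profile}: setrlimit {res} to {value} bytes ({human}) was denied")
```

Running it on the sample prints a single `capability sys_resource,` suggestion for /usr/sbin/dovecot (two denials collapsed into one rule) and one line showing that the denied setrlimit call asked for 256 MiB of data, which matches dovecot's default_vsz_limit as discussed in the mail.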