Fix signal sending for usr.sbin.dovecot

Vincas Dargis requested to merge Talkless/apparmor:dovecot-signals into master

Add signal rules to allow dovecot master daemon to send signals to various child daemons (for reloading/restarting).

Denies from Debian bug report [0]:

Dec 13 11:03:05 kernel: audit: type=1400 audit(1513159385.786:224): apparmor="ALLOWED" operation="signal" profile="/usr/sbin/dovecot" pid=30693 comm="dovecot" requested_mask="send" denied_mask="send" signal=int peer="/usr/lib/dovecot/lmtp"
Dec 13 11:04:06 kernel: audit: type=1400 audit(1513159446.269:225): apparmor="ALLOWED" operation="signal" profile="/usr/sbin/dovecot" pid=30693 comm="dovecot" requested_mask="send" denied_mask="send" signal=int peer="/usr/lib/dovecot/auth"

More denies from additional testing:

type=AVC msg=audit(1513273211.525:453): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=8052 comm="dovecot" requested_mask="send" denied_mask="send" signal=int peer="/usr/lib/dovecot/ssl-params"
type=AVC msg=audit(1513272675.357:339): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=6143 comm="dovecot" requested_mask="send" denied_mask="send" signal=quit peer="/usr/lib/dovecot/log"
type=AVC msg=audit(1513272675.357:340): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=6143 comm="dovecot" requested_mask="send" denied_mask="send" signal=quit peer="/usr/lib/dovecot/config"
type=AVC msg=audit(1513273697.360:526): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=8052 comm="dovecot" requested_mask="send" denied_mask="send" signal=quit peer="/usr/lib/dovecot/lmtp"
type=AVC msg=audit(1513273697.360:528): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=8052 comm="dovecot" requested_mask="send" denied_mask="send" signal=quit peer="/usr/lib/dovecot/auth"
type=AVC msg=audit(1513273697.360:529): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=8052 comm="dovecot" requested_mask="send" denied_mask="send" signal=quit peer="/usr/lib/dovecot/anvil"

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884280

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884280#5
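
The following is an added example, not part of the merge request or of the AppArmor project's code: a sketch of how audit records like the ones quoted above can be grouped into candidate `signal` rules for review before they go into a profile. The function names are hypothetical, the sample input is built from four of the quoted lines, and the generated rules are not the rules this merge request adds.

```python
import re
from collections import defaultdict

# Constructed sample: four of the audit lines quoted in the description above.
SAMPLE_LOG = """\
Dec 13 11:03:05 kernel: audit: type=1400 audit(1513159385.786:224): apparmor="ALLOWED" operation="signal" profile="/usr/sbin/dovecot" pid=30693 comm="dovecot" requested_mask="send" denied_mask="send" signal=int peer="/usr/lib/dovecot/lmtp"
type=AVC msg=audit(1513273211.525:453): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=8052 comm="dovecot" requested_mask="send" denied_mask="send" signal=int peer="/usr/lib/dovecot/ssl-params"
type=AVC msg=audit(1513273697.360:526): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=8052 comm="dovecot" requested_mask="send" denied_mask="send" signal=quit peer="/usr/lib/dovecot/lmtp"
type=AVC msg=audit(1513273697.360:529): apparmor="DENIED" operation="signal" profile="/usr/sbin/dovecot" pid=8052 comm="dovecot" requested_mask="send" denied_mask="send" signal=quit peer="/usr/lib/dovecot/anvil"
"""

# key="quoted value" or key=bare_value, as the audit records above use them.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key/value pairs of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def signal_events(log, profile):
    """Yield (mask, signal, peer) for each signal event logged for `profile`."""
    for line in log.splitlines():
        f = parse_fields(line)
        # ALLOWED is logged in complain mode; it would be DENIED when enforcing.
        if f.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        if f.get("operation") != "signal" or f.get("profile") != profile:
            continue
        if all(k in f for k in ("denied_mask", "signal", "peer")):
            yield f["denied_mask"], f["signal"], f["peer"]


def suggest_rules(log, profile):
    """Group events per peer and render one candidate signal rule per peer."""
    by_peer = defaultdict(set)
    for mask, sig, peer in signal_events(log, profile):
        by_peer[(mask, peer)].add(sig)
    return [
        f"signal ({mask}) set=({', '.join(sorted(sigs))}) peer={peer},"
        for (mask, peer), sigs in sorted(by_peer.items())
    ]


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, "/usr/sbin/dovecot"):
        print(rule)
```

Each generated line names one peer and only the signals actually observed for it, so a reviewer can decide per child daemon whether the rule belongs in the profile.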