[Dovecot] setacl fails - does not find dovecot-acl file

Janne Snabb snabb at epipe.com
Sun Apr 29 21:09:43 EEST 2012


On Fri, 4 Nov 2011, Timo Sirainen wrote:

> On Fri, 2011-11-04 at 21:29 +0100, Michael Stilkerich wrote:
>
> > Nov  4 16:29:03 keira dovecot: imap(isa): Error: fcntl(unlock) locking 
> > failed for file /home/dovecot/isa/dovecot.index.log: No such file or 
> > directory
> > Nov  4 16:29:03 keira dovecot: imap(isa): Error: fstat() failed with 
> > file /home/dovecot/isa/dovecot.index.log: No such file or directory
> 
> These simply shouldn't happen. I'd say it's a kernel bug. You're running
> a default Ubuntu kernel? I wonder if other Ubuntu users have this
> problem.

I am seeing this same problem on Ubuntu 11.10 and 12.04 with stock
kernels.

The problem is clearly AppArmor related. The imap process seems to
be using the "usr.sbin.dovecot" profile which prevents access to
these files. There is a separate profile "usr.lib.dovecot.imap" but
it seems that it does not get applied to the imap process for some
odd reason. This is especially strange because both profiles are
enabled in "complain" and not in "enforce" mode, thus they should
not enforce any of the rules.

I am simultaneously getting messages similar to the following in
my audit log:

type=AVC msg=audit(1335712674.515:655016): apparmor="ALLOWED" operation="getattr" parent=10922 profile="/usr/sbin/dovecot//null-107//null-10b//null-118" name="/home/foobar/Maildir/.foobar/dovecot.index.log" pid=10937 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

After disabling the "usr.sbin.dovecot" profile everything seems
fine. Other dovecot related AppArmor profiles do not seem to cause
problems.

This looks like an issue in AppArmor to me...

--
Janne Snabb / EPIPE Communications
snabb at epipe.com - http://epipe.com/
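
Added example, not part of the original post and not code from Dovecot or AppArmor: a small Python parser for AppArmor AVC audit records like the one quoted above. It reports processes that are running under `//null-` child profiles, the placeholder profiles AppArmor creates in complain mode for an exec with no matching transition rule. The second sample record and all function names are constructed for illustration.

```python
import re

# Sample input. The first record is the audit line quoted in the post; the
# second is a constructed record (not from the post) for contrast.
SAMPLE = [
    'type=AVC msg=audit(1335712674.515:655016): apparmor="ALLOWED" operation="getattr" parent=10922 profile="/usr/sbin/dovecot//null-107//null-10b//null-118" name="/home/foobar/Maildir/.foobar/dovecot.index.log" pid=10937 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1335712700.100:655020): apparmor="ALLOWED" operation="open" parent=10922 profile="/usr/lib/dovecot/imap" name="/home/foobar/Maildir/dovecot.index.log" pid=11000 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

# key=value pairs; values are either double-quoted or bare tokens.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the fields of an AppArmor AVC record as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def profile_chain(profile):
    """Split 'base//null-107//null-10b' into (base, [null child names])."""
    parts = profile.split('//')
    return parts[0], [p for p in parts[1:] if p.startswith('null-')]


def null_profile_hits(lines):
    """List records whose process is confined by a null child profile."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or 'profile' not in rec:
            continue
        base, nulls = profile_chain(rec['profile'])
        if nulls:
            hits.append({
                'comm': rec.get('comm'),
                'base_profile': base,      # profile the exec chain started in
                'null_depth': len(nulls),  # number of unmatched exec transitions
                'verdict': rec.get('apparmor'),
                'path': rec.get('name'),
                'denied_mask': rec.get('denied_mask'),
            })
    return hits


if __name__ == '__main__':
    for hit in null_profile_hits(SAMPLE):
        print(hit)
```

A hit whose `base_profile` is the parent daemon's profile shows which profile the child process actually inherited, which is the first thing to confirm before changing or disabling any profile.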


