mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

dovecot: allow kill signal

Browse source 
Dovecot might try to kill related processes:

```
type=AVC msg=audit(1601314853.031:9327): apparmor="DENIED"
operation="signal" profile="dovecot" pid=21223 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/auth"

type=AVC msg=audit(1601315453.655:9369): apparmor="DENIED"
operation="signal" profile="dovecot" pid=21223 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/pop3"

type=AVC msg=audit(1602939754.145:101362): apparmor="DENIED"
operation="signal" profile="dovecot" pid=31632 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/pop3-login"
```
This discovered on low-power high-load machine (last resort timeout
handling?).

Update signal rule to allow SIGKILL.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671
(cherry picked from commit 2f9d172c64)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
Vincas Dargis 2020-10-25 19:12:42 +02:00 committed by John Johansen
parent 6328de241b
commit 11e2998cbe
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
profiles/apparmor.d/usr.sbin.dovecot
View file

@ -31,7 +31,8 @@
capability sys_chroot,
capability sys_resource,
signal send set=(int,quit,term) peer=/usr/lib/dovecot/*,
signal send set=(int,quit,term,kill) peer=/usr/lib/dovecot/*,
signal send set=(int,quit,term,kill) peer=dovecot-*,
unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),