mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

dovecot profile: allow capability sys_resource

Browse source 
On servers with not too much memory ("only" 16 GB), dovecot logins fail:

Nov 25 21:35:15 server dovecot[28737]: master: Fatal: setrlimit(RLIMIT_DATA, 268435456): Permission denied
Nov 25 21:35:15 server dovecot[28731]: master: Error: service(auth): command startup failed, throttling for 2 secs
Nov 25 21:35:15 server dovecot[28737]: auth: Fatal: master: service(auth): child 25976 returned error 89 (Fatal failure)

audit.log messages are:
... apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" capability=24  capname="sys_resource"
... apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" rlimit=data value=268435456

After allowing capability sys_resource, dovecot can increase the limit
and works again.


Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
This commit is contained in:
Christian Boltz 2016-11-29 21:57:54 +01:00
parent 7ecd62fc18
commit 72637677cf
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
profiles/apparmor.d/usr.sbin.dovecot
View file

@ -28,6 +28,7 @@
capability net_bind_service, capability net_bind_service,
capability setuid, capability setuid,
capability sys_chroot, capability sys_chroot,
capability sys_resource,
/etc/dovecot/** r, /etc/dovecot/** r,
/etc/mtab r, /etc/mtab r,