From dc3e2c39fba2e59830f81db938625674008e9652 Mon Sep 17 00:00:00 2001
From: Vincas Dargis
Date: Sun, 25 Oct 2020 19:12:42 +0200
Subject: [PATCH] dovecot: allow kill signal

Dovecot might try to kill related processes:

```
type=AVC msg=audit(1601314853.031:9327): apparmor="DENIED" operation="signal" profile="dovecot" pid=21223 comm="dovecot" requested_mask="send" denied_mask="send" signal=kill peer="/usr/lib/dovecot/auth"
type=AVC msg=audit(1601315453.655:9369): apparmor="DENIED" operation="signal" profile="dovecot" pid=21223 comm="dovecot" requested_mask="send" denied_mask="send" signal=kill peer="/usr/lib/dovecot/pop3"
type=AVC msg=audit(1602939754.145:101362): apparmor="DENIED" operation="signal" profile="dovecot" pid=31632 comm="dovecot" requested_mask="send" denied_mask="send" signal=kill peer="/usr/lib/dovecot/pop3-login"
```

This discovered on low-power high-load machine (last resort timeout handling?). Update signal rule to allow SIGKILL.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671

(cherry picked from commit 2f9d172c641bd21671721e76e0d65ba4bd914107)
Signed-off-by: John Johansen
---
 profiles/apparmor.d/usr.sbin.dovecot | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index 6f57f0cf7..e0f0e4c67 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -31,7 +31,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   capability sys_chroot,
   capability sys_resource,
-  signal send set=(int,quit,term) peer=/usr/lib/dovecot/*,
+  signal send set=(int,quit,term,kill) peer=/usr/lib/dovecot/*,
+  signal send set=(int,quit,term,kill) peer=dovecot-*,
   unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),