
Bug#987474: msmtp: Debian Buster MSMTP removal keep corresponding Apparmor profile loaded


Ian

Apr 24, 2021, 9:00:05 AM
Package: msmtp
Version: 1.8.3-1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

* What led up to the situation?
* What exactly did you do (or not do) that was effective (or
ineffective)?
* What was the outcome of this action?
* What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 10.9
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-13-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Uninstalling the MSMTP package keeps the msmtp AppArmor profiles loaded, which results in AppArmor permission denied problems with the sw-msmtp package shipped by the Plesk control panel (plesk.com) that replaces Debian 'msmtp'

==
kernel: [2993637.734566] audit: type=1400 audit(1619254176.743:36243): apparmor="DENIED" operation="open" profile="/usr/bin/msmtp//helpers" name="/dev/tty" pid=4820 comm="sh" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
kernel: [2993637.735238] audit: type=1400 audit(1619254176.747:36244): apparmor="DENIED" operation="exec" profile="/usr/bin/msmtp//helpers" name="/usr/lib/plesk-9.0/msmtp-pwdeval" pid=4820 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
==

Steps to reproduce:

1) Install MSMTP on an AppArmor-enabled server
# apt install msmtp

2) Ensure that AppArmor MSMTP profiles are loaded
# aa-status| grep msmtp
/usr/bin/msmtp
/usr/bin/msmtp//helpers


3) Remove MSMTP

# apt purge msmtp

4) Query for AppArmor MSMTP profiles; they are still loaded

# aa-status| grep msmtp
/usr/bin/msmtp
/usr/bin/msmtp//helpers

5) Check AppArmor cache

# ls /var/cache/apparmor/*/usr.bin.msmtp

The workaround is to use 'aa-remove-unknown'

# aa-remove-unknown
Removing '/usr/bin/msmtp//helpers'
Removing '/usr/bin/msmtp'

Expected result:

MSMTP package removal removes and unloads its own AppArmor profiles

Emmanuel Bouthenot

Sep 11, 2021, 4:30:04 PM
Hello,

On Sat, Apr 24, 2021 at 12:48:59PM +0000, Ian wrote:
[...]

> Uninstalling MSMTP package keeps msmtp AppArmor profiles loaded, that
> results in AppArmor permission denied problems with the sw-msmtp
> package shipped by Plesk control panel (plesk.com) that replaces
> Debian 'msmtp'

This is expected as the AppArmor profile is a conffile and will be
removed on package purge (not package removal).

Hence, I'm closing this bug. Feel free to reopen it if it deserves it.

Regards,

--
Emmanuel Bouthenot
mail: kolter@{openics,debian}.org gpg: 4096R/0x929D42C3
xmpp: kol...@im.openics.org irc: kolter@{libera,oftc}
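
A check for the condition described in this report, as an added example that is not part of the thread: it lists profiles that are still loaded without an on-disk definition and picks out the audit denials attributed to them. The function names, the input-file convention and the rule that a child profile ("parent//child") is covered by its parent's definition are assumptions; the sample data is constructed from the lines in the report.

```sh
#!/bin/sh
# Added example, not from the bug report. On a live host (assumptions):
#   LOADED  = /sys/kernel/security/apparmor/profiles, lines like "name (mode)"
#   DEFINED = profile names still defined under /etc/apparmor.d, one per line

# stale_profiles LOADED DEFINED: loaded profiles with no on-disk definition.
stale_profiles() {
    awk '
        FILENAME == ARGV[1] { defined[$0] = 1; next }
        {
            name = $0; sub(/ \([a-z]+\)$/, "", name)     # drop " (enforce)"
            parent = name; sub(/\/\/.*$/, "", parent)    # "a//b" is defined with "a"
            if (!(name in defined) && !(parent in defined)) print name
        }' "$2" "$1"
}

# stale_denials LOG STALE: prints "profile operation name" for each AppArmor
# denial in LOG attributed to a profile listed in STALE.
stale_denials() {
    awk '
        function field(key,    s) {                  # value of key="..." in $0
            if (!match($0, " " key "=\"[^\"]*\"")) return ""
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
            return s
        }
        FILENAME == ARGV[1] { stale[$0] = 1; next }
        /apparmor="DENIED"/ {
            p = field("profile")
            if (p in stale) print p, field("operation"), field("name")
        }' "$2" "$1"
}

# Demo on constructed input: the two msmtp profiles from step 4, one unrelated
# profile that still has a definition, and the report's audit lines (shortened).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '/usr/bin/msmtp (enforce)' '/usr/bin/msmtp//helpers (enforce)' \
        '/usr/sbin/example (enforce)' > "$d/loaded"
    printf '%s\n' '/usr/sbin/example' > "$d/defined"
    cat > "$d/log" <<'EOF'
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/bin/msmtp//helpers" name="/dev/tty" pid=4820 comm="sh"
kernel: audit: type=1400 apparmor="DENIED" operation="exec" profile="/usr/bin/msmtp//helpers" name="/usr/lib/plesk-9.0/msmtp-pwdeval" pid=4820 comm="sh"
EOF
    stale_profiles "$d/loaded" "$d/defined" > "$d/stale"
    stale_denials "$d/log" "$d/stale"
    rm -rf "$d"
}
demo
```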