Apparmor blocks msmtp

klaus · August 16, 2021, 3:59pm

Hello,

I try to make a container with a webserver and email proxy. The email proxy is a msmtp. If I try to send an email by command line it works fine. If I try to send an email by PHP msmtp is blocked by apparmor:

audit: type=1400 audit(1629128440.332:127): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-webserver_<var-snap-lxd-common-lxd>" profile="/usr/bin/msmtp" name="/run/php/php7.4-fpm.sock" pid=3735 comm="msmtp" requested_mask="wr" denied_mask="wr" fsuid=1000033 ouid=1000033

I hope anybody can explain me why the tool is not blocked if I run it manually and is blocked while running with PHP and how I can solve it.

stgraber · August 16, 2021, 8:59pm

Looks like msmtp comes with an apparmor profile and that profile does not allow it to communicate with that php fpm socket.

When running it manually, you presumably aren’t dealing with that php fpm socket and so aren’t hitting this.

klaus · August 17, 2021, 5:32am

But where the profile is stored? In the conainer there is no apparmor in the /etc an in the host there is no profile.
I tried to add a new profile but it is ignored. The interest question is, where I have to add the profile and what to do in it?

cemzafer · August 17, 2021, 1:01pm

Hi,
On the container, you can check with the command sudo aa-status and find the profiles in the /etc/apparmor.d directory if you are using Ubuntu.
Thanks.

klaus · August 17, 2021, 3:34pm

I dont’t know why, but as I searched the first time, the folder was not there. Now I found it. The file is inside the container, not on the host. I tried to change the profile to allow the access, but it was not successful. Apparmor is new for me.
I found an other solution with PHPMailer that works.
Thanks for helping

cemzafer · August 17, 2021, 8:30pm

I have corrected the previous post, thanks to mention.
Regards.