I post this here so that the maintainer of AppArmor sees it and corrects what I think are bugs.

When I installed 10.1 I had to add some rules to AppArmor, or postfix mail delivery with amavis would fail. These are the modifications I made then:

/etc/apparmor.d/usr.lib.postfix.qmgr:
    /{var/spool/postfix/,}private/smtp-amavis w,
    /{var/spool/postfix/,}public/flush w,

/etc/apparmor.d/usr.lib.postfix.smtpd:
    /{var/spool/postfix,}/pid/inet.localhost rw,
    /{var/spool/postfix,}/pid/inet.localhost:10025 rw,

/etc/apparmor.d/usr.lib.postfix.master:
    /usr/lib/postfix/lmtp px,

These modifications pertain to these log entries:

    Jul 5 13:03:05 nimrodel postfix/smtpd[5615]: fatal: open lock file pid/inet.localhost:10025: cannot open file: Operation not permit
    Jul 5 13:03:06 nimrodel postfix/master[22973]: warning: process /usr/lib/postfix/smtpd pid 5615 exit status 1
    Jul 5 13:10:35 nimrodel postfix/master[5908]: warning: /usr/lib/postfix/lmtp: bad command startup -- throttling
    Jul 5 13:11:35 nimrodel master[5985]: fatal: master_spawn: exec /usr/lib/postfix/lmtp: Operation not permitted

I don't know if the correct procedure is to modify those files directly, but that's what I did and it works.

Now, I have another problem. Today I had some hundred emails being downloaded, and the command mailq took a long time before failing to complete.
I saw this log entry:

    Jul 21 20:00:46 nimrodel postfix/showq[18412]: fatal: open incoming 564677F01D: Operation not permitted
    Jul 21 20:00:47 nimrodel postfix/master[4587]: warning: process /usr/lib/postfix/showq pid 18412 exit status 1
    Jul 21 20:00:47 nimrodel postfix/master[4587]: warning: /usr/lib/postfix/showq: bad command startup -- throttling

Then I looked at /var/log/audit/audit.log, and sure, there was a problem:

    type=APPARMOR msg=audit(1153504846.751:1344): REJECTING r access to /var/spool/postfix/incoming/564677F01D (showq(18412) profile /usr/lib/postfix/showq active /usr/lib/postfix/showq)

So I go to /etc/apparmor.d/usr.lib.postfix.showq, and see this:

    /{var/spool/postfix/,}incoming r,
    /{var/spool/postfix/,}incoming/[0-9A-F] r,
    /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F] r,
    /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* r,
    /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]* r,
    /{var/spool/postfix/,}incoming/[0-0A-F]* r,

Now, the question: Should the last line be:

    /{var/spool/postfix/,}incoming/[0-9A-F]* r,

instead?

Notice that it is very difficult for me to test this: not till I get another mail with a certain ID will it work or fail.

Is this a bug? Should all those modifications be included by SuSE in a patch?

-- 
Cheers,
Carlos Robinson
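
Added example, not part of the original post: the showq rules quoted above can be checked offline against the rejected path from the audit line, without waiting for a mail with a particular queue ID. The matcher models only a simplified subset of AppArmor globbing (`*` and `?` stop at `/`, `**` crosses it, `[...]` classes, `{a,b}` alternation); the function and variable names are assumptions made for this illustration.

```python
import re

# Audit line and showq rules as quoted in the post.
AUDIT = ("type=APPARMOR msg=audit(1153504846.751:1344): REJECTING r access to "
         "/var/spool/postfix/incoming/564677F01D (showq(18412) profile "
         "/usr/lib/postfix/showq active /usr/lib/postfix/showq)")
PREFIX = "/{var/spool/postfix/,}incoming"
SHOWQ_RULES = [PREFIX + s for s in (
    " r,", "/[0-9A-F] r,", "/[0-9A-F]/[0-9A-F] r,", "/[0-9A-F]/[0-9A-F]/* r,",
    "/[0-9A-F]/[0-9A-F]* r,", "/[0-0A-F]* r,")]
# Same profile with the last rule changed as the post proposes.
FIXED_RULES = SHOWQ_RULES[:-1] + [PREFIX + "/[0-9A-F]* r,"]

def glob_to_regex(glob):
    """Simplified AppArmor glob -> anchored regex (assumption: subset only)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 1          # '**' may cross directory separators
        elif c in "*?":
            out.append("[^/]*" if c == "*" else "[^/]")
        elif c == "[":
            end = glob.index("]", i + 1)      # copy the character class verbatim
            out.append(glob[i:end + 1]); i = end
        elif c == "{":
            out.append("(?:"); depth += 1     # {a,b} alternation
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def allowed(rules, path, access):
    """True if some rule matches the path and grants every requested mode."""
    for rule in rules:
        glob, perms = rule.rstrip(",").rsplit(None, 1)
        if glob_to_regex(glob).match(path) and set(access) <= set(perms):
            return True
    return False

def rejected_request(audit_line):
    """Extract (access, path) from a 'REJECTING <mode> access to <path>' line."""
    m = re.search(r"REJECTING (\S+) access to (\S+) \(", audit_line)
    return m.group(1), m.group(2)
```

Calling `allowed(SHOWQ_RULES, *reversed(rejected_request(AUDIT)))` returns False and the same call with `FIXED_RULES` returns True. Under the quoted rules only queue IDs beginning with 0 or A-F match the last line, so a failure depends on the first character of the ID.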