Mailinglist Archive: opensuse (2831 mails)

Re: [SLE] Suddenly I have to disable Apparmor to start postfix.
  • From: Michael James <Michael.James@xxxxxxxx>
  • Date: Fri, 14 Jul 2006 11:02:05 +1000
  • Message-id: <200607141102.05961.Michael.James@xxxxxxxx>
On Sat, 8 Jul 2006 11:23 am, Michael Nelson wrote:
> I had a similar issue (that I filed a bug on) with sendmail, and it
> turned out apparmor was the culprit there too. I just uninstalled it.
> I've gotten by on unix/linux for years without such a POS, I can do
> without it now.

I had a play with apparmor and was quite impressed.

If it breaks postfix and you want to extend postfix's profile,
what you need to do is add "flags=(complain)"
to its profile definition file.
Trouble is postfix has separate files for all its bits.
However using the "complain" command makes it easy.

root> complain /usr/lib/postfix/*

There, now if you look in /etc/apparmor.d/
you'll see all the "usr.lib.postfix.*"
files in complain mode.

The messages in /var/log/messages
will tell you what needs to be changed
to go back into "enforce" mode.

There are also automatic profile generating and extending tools
that garner the experience from running in complain.

What tripped my postfix up was chrooting the smtpd.
First I had to allow chrooting capability,
then I had problems because the chrooted process
wants to read and write files like /default/*
It's really /var/spool/postfix/default/
but the chrooted process doesn't know that.

Do I gain anything with chroot once I'm running apparmor?
Should I simply tell postfix not to do it?


Michael James michael.james@xxxxxxxx
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166

No matter how much you pay for software,
you always get less than you hoped.
Unless you pay nothing, then you get more.
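
An added illustration of the complain-mode workflow described in the message above (not part of the original post, and not the AppArmor tools' own code): a Python script that groups ALLOWED events by profile and turns them into candidate rule lines to review before returning to enforce mode. The log lines are constructed and use the key=value audit format of current kernels, which is an assumption; the 2006 system in the thread may have logged differently, and the file names under /default/ are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread), in the key=value audit format
# of current AppArmor kernels; file names under /default/ are placeholders.
SAMPLE_LOG = """\
Jul 14 11:00:01 mail kernel: audit: type=1400 audit(1152838801.101:11): apparmor="ALLOWED" operation="capable" profile="/usr/lib/postfix/smtpd" pid=4101 comm="smtpd" capability=18 capname="sys_chroot"
Jul 14 11:00:02 mail kernel: audit: type=1400 audit(1152838802.202:12): apparmor="ALLOWED" operation="open" profile="/usr/lib/postfix/smtpd" name="/default/example.db" pid=4101 comm="smtpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 14 11:00:03 mail kernel: audit: type=1400 audit(1152838803.303:13): apparmor="ALLOWED" operation="open" profile="/usr/lib/postfix/smtpd" name="/default/example.db" pid=4101 comm="smtpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 14 11:00:04 mail kernel: audit: type=1400 audit(1152838804.404:14): apparmor="ALLOWED" operation="mknod" profile="/usr/lib/postfix/smtpd" name="/default/example.lock" pid=4101 comm="smtpd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 14 11:00:05 mail kernel: audit: type=1400 audit(1152838805.505:15): apparmor="DENIED" operation="open" profile="/usr/lib/postfix/cleanup" name="/etc/example.cf" pid=4102 comm="cleanup" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 14 11:00:06 mail postfix/master[4000]: daemon started
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TO_PERM = {"c": "w", "d": "w"}  # create/delete in the log are covered by 'w' in a profile

def parse_event(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def candidate_rules(log_text, mode="ALLOWED"):
    """Map profile name -> rule lines suggested by events logged with `mode`."""
    perms = defaultdict(lambda: defaultdict(set))  # profile -> path -> permissions
    caps = defaultdict(set)                        # profile -> capability names
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("apparmor") != mode:
            continue
        prof = ev.get("profile")
        mask = ev.get("requested_mask", "")
        if "capname" in ev:
            caps[prof].add(ev["capname"])
        elif "name" in ev and "x" not in mask:  # exec needs a transition choice, skip
            perms[prof][ev["name"]].update(TO_PERM.get(ch, ch) for ch in mask)
    rules = {}
    for prof in set(perms) | set(caps):
        lines = [f"capability {cap}," for cap in sorted(caps[prof])]
        lines += [f"{path} {''.join(sorted(p))},"
                  for path, p in sorted(perms[prof].items())]
        rules[prof] = lines
    return rules

if __name__ == "__main__":
    for prof, lines in sorted(candidate_rules(SAMPLE_LOG).items()):
        print(prof, *lines, sep="\n  ")
```

The paths in the output are exactly what the log reported, so a chrooted process shows up with chroot-relative names such as /default/..., as the message describes.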
