http://bugzilla.opensuse.org/show_bug.cgi?id=1069470 http://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c10 --- Comment #10 from Freek de Kruijf <freek@opensuse.org> --- (In reply to Christian Boltz from comment #9)
(In reply to Freek de Kruijf from comment #8) Which kernel version do you use?
As I already mentioned in a previous comment, 4.14.0 and 4.14.1 have a known bug, so please use 4.14.2 (from Kernel:HEAD until it reaches Tumbleweed).
I wouldn't be surprised if you have the broken kernel, and this is a side effect of that bug. (Nevertheless, the dovecot profile might need some signal rules added - but for sure not for rtmin+772495128 ;-)
I now have 4.14.2 running and DENIED messages are gone. Although I also have: eiktum: # more /etc/apparmor.d/local/usr.sbin.dovecot # Site-specific additions and overrides for 'usr.sbin.dovecot' capability dac_read_search, # capability dac_override, like you suggested below.
type=AVC msg=audit(1511799100.748:51): apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=1713 comm="dovecot" capability=2 capname="dac_read_search"
That means the dovecot profile (/etc/apparmor.d/local/usr.sbin.dovecot) needs (probably because /var/spool/postfix/private/ is postfix:root 700) capability dac_read_search,
-- You are receiving this mail because: You are on the CC list for the bug.