Comment # 10 on bug 1069470 from 
(In reply to Christian Boltz from comment #9)
> (In reply to Freek de Kruijf from comment #8)
> Which kernel version do you use?
> 
> As I already mentioned in a previous comment, 4.14.0 and 4.14.1 have a known
> bug, so please use 4.14.2 (from Kernel:HEAD until it reaches Tumbleweed).
> 
> I wouldn't be surprised if you have the broken kernel, and this is a side
> effect of that bug. (Nevertheless, the dovecot profile might need some
> signal rules added - but for sure not for rtmin+772495128 ;-)

I now have 4.14.2 running and DENIED messages are gone. Although I also have:
eiktum: # more /etc/apparmor.d/local/usr.sbin.dovecot 
# Site-specific additions and overrides for 'usr.sbin.dovecot'
    capability dac_read_search,
#    capability dac_override,

like you suggested below.

> > type=AVC msg=audit(1511799100.748:51): apparmor="DENIED" operation="capable"
> > profile="/usr/sbin/dovecot" pid=1713 comm="dovecot" capability=2 
> > capname="dac_read_search"
> 
> That means the dovecot profile (/etc/apparmor.d/local/usr.sbin.dovecot) needs
> (probably because /var/spool/postfix/private/ is postfix:root 700)
>   capability dac_read_search,

You are receiving this mail because: