Comment # 3 on bug 1069470 from Christian Boltz

The nscd profile allows reading and writing the /var/lib/nscd/ files you
mentioned (and does so since a long time IIRC), therefore I'm surprised why you
get denials for them.

Can you please check if you have some *.rpmnew files in /etc/apparmor.d/ ?


For the dovecot issues, please edit /etc/apparmor.d/usr.lib.dovecot.auth and
add the following two lines:

    capability dac_read_search,
    capability dac_override,

(You can instead add them to /etc/apparmor.d/local/usr.lib.dovecot.auth if you
prefer not to edit rpm-managed files.)

Afterwards, run   rcapparmor reload   to reload all profiles.


Note to myself: /var/spool/postfix/private/ (postfix:root 700) might be the
reason for dac_read_search, and /run/dovecot/auth-worker (dovecot:root 600) is
probably a reason for dac_override.