Comment # 3 on bug 1166007 from
(In reply to Michael Hirmke from comment #2)
> So I ran aa-logprof and got a new profile for usr.lib.dovecot.script-login,
> not for /usr/local/bin/dovecot-postlogin.sh.
> Did you mix up the two?

Indeed - I focused too much on what you wrote, and not enough on reading the
audit.log message ;-)

This also somewhat changes my opinion to mark this as wontfix - it might become
a "partial fix". Executing /usr/lib/dovecot/script-login from dovecot
{c,sh}ould be allowed in the profile, but the profile for script-login will
obviously have to stay incomplete because everybody will run a different
script.

So - if you have created separate profiles for /usr/lib/dovecot/script-login
and your actual post-login script, I'd be interested to see them.

> Besides that, running aa-complain wasn't necessary, aa-logprof already has
> set the flag.

Nevertheless, you should switch the profile to enforce mode.

> Thx for pointing me into the right direction!

You are welcome ;-)

