Hi,

When I installed 10.1 I had to add some rules to AppArmor or postfix mail delivery with amavis would fail:

    Jul 5 13:03:05 nimrodel postfix/smtpd[5615]: fatal: open lock file pid/inet.localhost:10025: cannot open file: Operation not permit
    Jul 5 13:03:06 nimrodel postfix/master[22973]: warning: process /usr/lib/postfix/smtpd pid 5615 exit status 1
    Jul 5 13:10:35 nimrodel postfix/master[5908]: warning: /usr/lib/postfix/lmtp: bad command startup -- throttling
    Jul 5 13:11:35 nimrodel master[5985]: fatal: master_spawn: exec /usr/lib/postfix/lmtp: Operation not permitted

These are the modifications I did then:

/etc/apparmor.d/usr.lib.postfix.qmgr:

    /{var/spool/postfix/,}private/smtp-amavis w,
    /{var/spool/postfix/,}public/flush w,

/etc/apparmor.d/usr.lib.postfix.smtpd:

    /{var/spool/postfix,}/pid/inet.localhost rw,
    /{var/spool/postfix,}/pid/inet.localhost:10025 rw,

/etc/apparmor.d/usr.lib.postfix.master:

    /usr/lib/postfix/lmtp px,

I don't know if the correct procedure is to modify those files directly, but that's what I did and it works.

Now, I have another problem. Today I had some hundred emails being downloaded, and the command mailq took a long time before failing to complete.
I saw this log entry:

    Jul 21 20:00:46 nimrodel postfix/showq[18412]: fatal: open incoming 564677F01D: Operation not permitted
    Jul 21 20:00:47 nimrodel postfix/master[4587]: warning: process /usr/lib/postfix/showq pid 18412 exit status 1
    Jul 21 20:00:47 nimrodel postfix/master[4587]: warning: /usr/lib/postfix/showq: bad command startup -- throttling

Then I looked at /var/log/audit/audit.log, and sure, there was a problem:

    type=APPARMOR msg=audit(1153504846.751:1344): REJECTING r access to /var/spool/postfix/incoming/564677F01D (showq(18412) profile /usr/lib/postfix/showq active /usr/lib/postfix/showq)

So I go to /etc/apparmor.d/usr.lib.postfix.showq, and see this:

    /{var/spool/postfix/,}incoming r,
    /{var/spool/postfix/,}incoming/[0-9A-F] r,
    /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F] r,
    /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* r,
    /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]* r,
    /{var/spool/postfix/,}incoming/[0-0A-F]* r,

Now, the question: Should the last line be:

    /{var/spool/postfix/,}incoming/[0-9A-F]* r,

?

Notice that it is very difficult for me to test this: not till I get another mail with a certain ID will it work or fail.

Is this a bug? Should all those modifications be included by SuSE in a patch? Or perhaps this is a more appropriate question for the security list?

--
Cheers,
Carlos Robinson
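The showq rules quoted in the message can be checked offline against the rejected path without waiting for another mail with a matching queue ID. The following is an added example, not part of the original post and not AppArmor's own matcher: it models only the glob subset these rules use (`{a,b}`, `[...]`, `*`, `**`, `?`), and the names `aa_glob_to_regex`, `matching_rules` and the constructed queue ID are assumptions made for the illustration.

```python
import re

def aa_glob_to_regex(glob):
    """Translate the AppArmor glob subset used in these rules into a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** may cross directory separators
            out.append(".*"); i += 1
        elif c == "*":                    # * stays inside one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                    # character class, copied as written
            j = glob.index("]", i)
            out.append(glob[i:j + 1]); i = j
        elif c == "{":                    # {a,b} alternation; a branch may be empty
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def matching_rules(rules, path):
    """Return the rule globs that match the whole path."""
    return [r for r in rules if aa_glob_to_regex(r).match(path)]

PREFIX = "/{var/spool/postfix/,}incoming"
# The six rule paths exactly as quoted from usr.lib.postfix.showq in the message.
SHOWQ_RULES = [PREFIX + s for s in (
    "", "/[0-9A-F]", "/[0-9A-F]/[0-9A-F]", "/[0-9A-F]/[0-9A-F]/*",
    "/[0-9A-F]/[0-9A-F]*", "/[0-0A-F]*")]
PROPOSED = PREFIX + "/[0-9A-F]*"                        # the line the message proposes
REJECTED = "/var/spool/postfix/incoming/564677F01D"     # path from the audit log
CONSTRUCTED = "/var/spool/postfix/incoming/A1B2C3D4E5"  # constructed queue ID

if __name__ == "__main__":
    for label, rules, path in (
            ("as quoted, rejected path", SHOWQ_RULES, REJECTED),
            ("as quoted, constructed ID", SHOWQ_RULES, CONSTRUCTED),
            ("with proposed line, rejected path", SHOWQ_RULES + [PROPOSED], REJECTED)):
        print(label, "->", matching_rules(rules, path) or "no rule matches")
```

In this model the class `[0-0A-F]` accepts only `0` and `A` to `F` as the first character, so a queue ID beginning with `5` matches no quoted rule while one beginning with `A` does.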