http://bugzilla.opensuse.org/show_bug.cgi?id=1087753
http://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c7
--- Comment #7 from Christian Boltz
Actually, that last comment is completely wrong; it seemed to be working at first, but actually was not. After spending a few hours iterating on `/var/log/audit/audit.log` and editing several files in `/etc/apparmor.d/local`, it seems to be back to working.
In `usr.lib.dovecot.config`:
/var/lib/dovecot/ssl-parameters.dat r,
capability dac_read_search,
I'm slightly surprised about these two - can you please paste the relevant audit.log lines?
In `usr.lib.dovecot.auth`:
/run/dovecot/old-stats-user w,
In `usr.sbin.dovecot`:
/usr/lib/dovecot/stats ix,
Please make that Px, and grab the dovecot/stats profile from bug 1088161 ;-)
/var/log/dovecot w,
In `usr.lib.dovecot.log`:
/var/log/dovecot w,
Please try with "a" instead of "w" (in both profiles that need to write the logfile), see below for details.
The `w` permission is needed for logs because apparmor denies `ac` and as far as I can tell there's no way to allow `open`s with `c`. I couldn't find any indication that there exists documentation with a list of open permissions, so there may be another way to allow "create and append" other than `w`.
'c' in the audit.log means "create". There is no exact match in the profile permissions to only allow "create", but both "a" and "w" include "create". So if you are lucky, using "a" in the profile is enough (and would be a major improvement because it blocks changes to existing log content).
I used the `ix` permission for stats rather than `Px` because there is no `apparmor.d/user.lib.dovecot.stats` to include a corresponding file in `/etc/apparmor.d/local`, and I thought it better to confine my edits to local.
See above ;-) (there's no local/ sniplet for the dovecot/stats profile yet, but I'll of course add it when I package the profile)
So basically this recent apparmor update totally clobbers dovecot's ability to function.
Actually it's the other way round - dovecot was updated, and nobody told me that it needs AppArmor profile updates :-( (no blaming intended ;-) - and in the end, the important thing is to get it working again.)
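The mapping from an audit.log `denied_mask` to the narrowest file permission, as described in the comment above ('c' means create, and both "a" and "w" include it), shown as an added example that is not part of the original bug comment. The log lines are constructed samples in the AppArmor audit format, and the function names are hypothetical.

```python
import re

# Constructed sample lines in AppArmor audit.log format (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1522900000.101:501): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/log" name="/var/log/dovecot" pid=2101 comm="log" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
type=AVC msg=audit(1522900000.202:502): apparmor="DENIED" operation="open" profile="/usr/sbin/dovecot" name="/var/log/dovecot" pid=2100 comm="dovecot" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
type=AVC msg=audit(1522900001.303:503): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=2102 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1522900002.404:504): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/old-stats-user" pid=2103 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

KV = re.compile(r'(\w+)="([^"]*)"')

def rule_perms(denied_mask):
    """Translate denied_mask letters into the narrowest profile file permissions."""
    mask = set(denied_mask)
    perms = "r" if "r" in mask else ""
    if mask & {"w", "d"}:
        perms += "w"   # w already includes append and create; delete needs w
    elif mask & {"a", "c"}:
        perms += "a"   # no create-only permission exists; a is the narrowest that includes it
    return perms       # exec (x) denials need a manual ix/Px decision and are left out

def suggest_rules(log_text):
    """Collect DENIED file accesses per (profile, path) and suggest permissions."""
    needed = {}
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        # Skip allowed events and denials without a path (e.g. capability denials).
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        needed.setdefault((f["profile"], f["name"]), set()).update(f["denied_mask"])
    return {k: p for k, v in needed.items() if (p := rule_perms(v))}

if __name__ == "__main__":
    for (profile, path), perms in suggest_rules(SAMPLE_LOG).items():
        print(f"{profile}: {path} {perms},")
```

The suggested rules are a starting point for a file under `/etc/apparmor.d/local`; a path that is denied with `w` in the mask still needs `w`, since `w` and `a` cannot be combined in one rule.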