http://bugzilla.opensuse.org/show_bug.cgi?id=1166007
http://bugzilla.opensuse.org/show_bug.cgi?id=1166007#c3
--- Comment #3 from Christian Boltz
So I ran aa-logprof and got a new profile for usr.lib.dovecot.script-login, not for /usr/local/bin/dovecot-postlogin.sh. Did you mix up the two?
Indeed - I focused too much on what you wrote, and not enough on reading the audit.log message ;-) This also somewhat changes my opinion to mark this as wontfix - it might become a "partial fix". Executing /usr/lib/dovecot/script-login from dovecot {c,sh}ould be allowed in the profile, but the profile for script-login will obviously have to stay incomplete because everybody will run a different script. So - if you have created separate profiles for /usr/lib/dovecot/script-login and your actual post-login script, I'd be interested to see them.
Besides that, running aa-complain wasn't necessary, aa-logprof already has set the flag.
Nevertheless, you should switch the profile to enforce mode.
Thx for pointing me into the right direction!
You are welcome ;-) -- You are receiving this mail because: You are on the CC list for the bug.