dovecot permission denied while trying to read subscriptions file and lock files

I want to post this so that in 6 months when I have the problem again, I can find it easily.

Here’s the sitch. I used Yast to update my LEAP 42.3 server (Yes, I know 15 is out, but I’m waiting). Anyway, updated using Yast and then all of a sudden my dovecot stopped working. NOPERM errors in Outlook, turned on debugging in dovecot and saw:

imap(nick@xxxxxx): Error: open() failed with subscription file /srv/maildirs/xxxxxxxx/nick/subscriptions: Permission denied

Thought, pshaw, who needs a subscriptions file, I’ll just delete it.
Well, that fixed the subscriptions file, but then

imap(nick@xxxxxx): Debug: INBOX: Mailbox opened because: SELECT
imap(nick@xxxxxx): Error: open(/srv/maildirs/xxxxxx/nick/dovecot.index.log) failed: Permission denied (euid=303(vmail) egid=303(vmail) UNIX perms appear ok (ACL/MAC wrong?))
imap(nick@xxxxxx): Error: file_dotlock_create(/srv/maildirs/xxxxxx/nick/dovecot-uidlist) failed: Permission denied (euid=303(vmail) egid=303(vmail) UNIX perms appear ok (ACL/MAC wrong?))
imap(nick@xxxxxx): Error: open(/srv/maildirs/xxxxxx/nick/dovecot-uidlist) failed: Permission denied

I don’t use ACLs. Permissions are fine. What is going on? google google google. I find an article with a similar issue and it talks about selinux getting in the way. Humm I don’t use selinux. OH AppArmor!!! I hate apparmor, always getting in the way. So I never install it. So a quick systemctl status apparmor and the **** thing is not only installed, it’s enabled, and running. systemctl stop apparmor. BINGO everything works again.

Worst possible solution you can take is disabling one of the best security features of the OS especially when it comes to an internet enabled service.

Right solution would have been to look at the apparmor configuration module and enable reading/writing to the specific files and folders. I hope no one takes your advice on this.
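As an added example (not code from either poster or from the dovecot or AppArmor projects), this sketch shows the approach the reply describes: read the AppArmor denial records and turn them into candidate file rules for the confined profile instead of stopping the service. The audit lines, the profile name `/usr/lib/dovecot/imap` and the `example.org` directory are constructed for illustration; `suggest_rules` and `mail_root` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed AppArmor audit records (profile name, pids and paths are made up).
SAMPLE_LOG = '''\
type=AVC msg=audit(1530000001.101:210): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/imap" name="/srv/maildirs/example.org/nick/subscriptions" pid=4021 comm="imap" requested_mask="r" denied_mask="r" fsuid=303 ouid=303
type=AVC msg=audit(1530000002.330:211): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/imap" name="/srv/maildirs/example.org/nick/dovecot.index.log" pid=4021 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=303 ouid=303
type=AVC msg=audit(1530000002.331:212): apparmor="DENIED" operation="mknod" profile="/usr/lib/dovecot/imap" name="/srv/maildirs/example.org/nick/dovecot-uidlist.lock" pid=4021 comm="imap" requested_mask="c" denied_mask="c" fsuid=303 ouid=303
type=AVC msg=audit(1530000003.007:213): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=812 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Masks that appear in logs but not in profiles: create/delete are covered by "w".
LOG_TO_RULE = {"c": "w", "d": "w"}
ORDER = "rwaklmx"  # stable output order for permission letters


def parse_denials(text):
    """Yield one dict per record that AppArmor actually denied on a file path."""
    for line in text.splitlines():
        rec = {k: (quoted or bare) for k, quoted, bare in KV.findall(line)}
        if rec.get("apparmor") == "DENIED" and "name" in rec:
            yield rec


def suggest_rules(text, mail_root=None):
    """Return {profile: [rule, ...]}; paths under mail_root collapse to one glob."""
    perms = defaultdict(set)
    root = mail_root.rstrip("/") if mail_root else None
    for rec in parse_denials(text):
        path = rec["name"]
        if root and path.startswith(root + "/"):
            path = root + "/**"
        for ch in rec.get("denied_mask", ""):
            perms[(rec["profile"], path)].add(LOG_TO_RULE.get(ch, ch))
    rules = defaultdict(list)
    for (profile, path), granted in sorted(perms.items()):
        if "w" in granted:
            granted.discard("a")  # "a" and "w" cannot be combined in one rule
        mask = "".join(c for c in ORDER if c in granted)
        rules[profile].append(f"{path} {mask},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG, "/srv/maildirs").items():
        print(f"# candidate rules for profile {profile}")
        print("\n".join("  " + rule for rule in lines))
```

The output is a list of candidates to review, not something to paste blindly: check that each path is one the mail service should touch before adding it to the profile and reloading it with `apparmor_parser -r`.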