I am new to AppArmor and trying to work out how to configure it for the dovecot-lda. I need to do this as I am using filtering and vacation responses in Dovecot and apparmor is blocking it in two ways:
- It blocks access to /home//.dovecot.lda-dupes .dovecot.lda-dupes.lock .dovecot.sieve.log .dovecot.svbin with permission denied.
- It blocks /usr/sbin/postdrop from executing, again with permission denied.
Disabling apparmor completely fixes it but I now feel I want to keep apparmor active.
Re-enabling apparmor and moving /usr/lib/dovecot/dovecot-lda from ‘enforce’ to ‘complain’ did not prevent the failures.
I also found a suggestion on the web that the following should be put into /etc/apparmor.d/local/usr.lib.dovecot.lmtp:
#include <abstractions/postfix-common>
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
owner /home/*/.dovecot.lda-dupes rw,
owner /home/*/.dovecot.lda-dupes.lock rw,
owner /home/*/.dovecot.sieve.log rw,
owner /home/*/.dovecot.svbin* rw,
owner /var/spool/postfix/maildrop/* rw,
This also did not help and the errors continued (note: I had to comment out the “/usr/sbin/sendmail mrix” as this caused apparmor to error out).
Going through the audit logs in YaST, apparmor has seen the accesses to the home directory but not seen the sendmail/postdrop access blocks.
I have not used YaST to update the profile until I know what I am doing and have simply now disabled dovecot-lda via aa-disable and for the time being all is working well.
My question is: how should I be going about fixing this correctly? Should I be using YaST, but it’s not picking up all the problems, or should I be editing either the profile or the local profile?
Thanks for any help or pointers on this.
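An added example, not part of the original post: one way to check which profile each audit record is attributed to, and therefore which local include file a rule would belong in. The log lines, the user "alice" and the second profile name are constructed for illustration, and the mapping from profile name to a file under /etc/apparmor.d/local/ is the usual packaging convention, assumed here.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the original post). The user
# "alice" and the profile names are illustrative; real logs may differ.
SAMPLE_LOG = """\
type=AVC msg=audit(1400000000.101:501): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/dovecot-lda" name="/home/alice/.dovecot.sieve.log" pid=2101 comm="dovecot-lda" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1400000000.102:502): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/dovecot-lda" name="/home/alice/.dovecot.lda-dupes" pid=2101 comm="dovecot-lda" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
type=AVC msg=audit(1400000000.103:503): apparmor="DENIED" operation="exec" profile="/usr/sbin/sendmail" name="/usr/sbin/postdrop" pid=2102 comm="sendmail" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1400000000.104:504): arch=c000003e syscall=2 success=no
"""

KV = re.compile(r'(\w+)="([^"]*)"')

def parse_events(text):
    """Yield the quoted key/value fields of AppArmor audit records only."""
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if "apparmor" in fields and "profile" in fields:
            yield fields

def local_include_for(profile):
    # Assumed convention: drop the leading "/" and turn "/" into ".".
    # Child/hat profiles ("parent//child") live in the parent's file.
    parent = profile.split("//")[0]
    return "/etc/apparmor.d/local/" + parent.lstrip("/").replace("/", ".")

def summarize(text):
    """Map local include path -> sorted (verdict, operation, name, denied_mask)."""
    out = defaultdict(set)
    for ev in parse_events(text):
        # "ALLOWED" is what complain mode logs for an access it would deny.
        if ev["apparmor"] not in ("DENIED", "ALLOWED"):
            continue
        out[local_include_for(ev["profile"])].add(
            (ev["apparmor"], ev.get("operation", ""), ev.get("name", ""), ev.get("denied_mask", "")))
    return {path: sorted(rows) for path, rows in out.items()}

if __name__ == "__main__":
    for path, rows in summarize(SAMPLE_LOG).items():
        print(path)
        for verdict, op, name, mask in rows:
            print(f"  {verdict:8} {op:5} {name} ({mask})")
```

The `profile=` field in each record, not the binary that started the delivery, decides which profile (and local file) a rule has to go into.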