The logs are quite large... Here are the lines (only from the last minute) without any "//null-*" in the profile name:
Aug 29 08:50:02 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:07 laptop audit[27369]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27369 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:07 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:07 laptop kernel: audit: type=1400 audit(1472453407.705:1841571): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27369 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:20 laptop kernel: audit_printk_skb: 5283 callbacks suppressed
Aug 29 08:50:30 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:33 laptop audit[27535]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27535 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:40 laptop kernel: audit_printk_skb: 5280 callbacks suppressed
Aug 29 08:50:51 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:58 laptop audit[27574]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27574 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:58 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:58 laptop kernel: audit: type=1400 audit(1472453458.689:1846360): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27574 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

On 2016-08-28 20:46+0200, Christian Boltz wrote:
> Hello,
>
> On Sunday, 28 August 2016, 18:49:15 CEST, Félix Sipma wrote:
>> Aug 28 18:42:04 laptop audit[8899]: AVC apparmor="ALLOWED"
>> operation="getattr" profile="/usr/lib/dovecot/imap//null-8b//null-8c"
>> name="/home/user/mail/dovecot.index.log" pid=8899 comm="imap"
>> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>
> This (especially the "//null-*" child profiles [1]) means you'll need
> additional exec rules.
>
> To find out what exactly gets executed, can you please post a bigger
> section of your audit log, or even the full log? I'm especially looking
> for a line with
>     operation="exec" profile="/usr/lib/dovecot/imap"
> (without any "//null-*" in the profile name)
>
> Note that there are two exec levels involved, so we might need to add
> more than one exec rule. This also means that posting your full audit
> log (or at least everything dovecot-related after the exec event
> described above) can avoid an additional round of updating the profile
> and sending fresh logs ;-)
>
> Regards,
>
> Christian Boltz
>
> [1] null-* are temporary profiles for execs that are not permitted in the
>     profile yet (and will obviously only be created for profiles in
>     complain mode - in enforce mode, unknown execs get denied)
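Added example, not part of the original message or of the AppArmor tools: a small Python filter for the triage described above. It merges the duplicated journal/kernel copies of each AVC record, separates events logged under the profile itself from those under its "//null-*" children, and lists the exec targets seen in the parent profile. The sample input is constructed in the format of the lines in this thread; the exec line and its target /usr/bin/example-helper are invented for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the log lines in this thread; the exec
# line and its target (/usr/bin/example-helper) are invented for illustration.
SAMPLE = '''\
Aug 29 08:50:02 laptop kernel: audit_printk_skb: 1218 callbacks suppressed
Aug 29 08:50:07 laptop audit[27369]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27369 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:07 laptop kernel: audit: type=1400 audit(1472453407.705:1841571): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/etc/ld.so.preload" pid=27369 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 29 08:50:08 laptop audit[27369]: AVC apparmor="ALLOWED" operation="exec" profile="/usr/lib/dovecot/imap" name="/usr/bin/example-helper" pid=27369 comm="imap" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Aug 29 08:50:09 laptop audit[27370]: AVC apparmor="ALLOWED" operation="getattr" profile="/usr/lib/dovecot/imap//null-8b//null-8c" name="/home/user/mail/dovecot.index.log" pid=27370 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare

def parse_avc(text):
    """Return one dict per distinct AppArmor event (identical records merged)."""
    seen, events = set(), []
    for line in text.splitlines():
        if 'apparmor="' not in line:
            continue  # skips "callbacks suppressed" rate-limit notices
        body = line[line.index('apparmor="'):]  # drop syslog/audit prefix
        ev = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
              for m in FIELD.finditer(body)}
        key = tuple(sorted(ev.items()))
        if key not in seen:  # the audit[pid] and kernel copies share all fields
            seen.add(key)
            events.append(ev)
    return events

def summarize(events, profile):
    """Split events into those in `profile` itself and in its //null-* children."""
    own = [e for e in events if e.get("profile") == profile]
    children = [e for e in events
                if e.get("profile", "").startswith(profile + "//null-")]
    execs = sorted({e.get("name", "") for e in own
                    if e.get("operation") == "exec"})
    other = Counter((e.get("operation"), e.get("name", ""), e.get("denied_mask", ""))
                    for e in own if e.get("operation") != "exec")
    return {"exec_targets": execs, "own": other, "null_child_events": len(children)}

if __name__ == "__main__":
    s = summarize(parse_avc(SAMPLE), "/usr/lib/dovecot/imap")
    print("exec targets seen in the parent profile:", s["exec_targets"])
    print("other events in the parent profile:", dict(s["own"]))
    print("events under //null-* children:", s["null_child_events"])
```

An empty exec_targets list together with a non-zero null_child_events count means the exec record itself is missing from the excerpt, for example because it was rate-limited or is older than the window that was posted.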

