From 2202a8a267111266b74a7c9fd4bbc89a5f334d6a Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Thu, 6 Dec 2018 18:12:25 +0100
Subject: [PATCH] dovecot: allow reading /proc/sys/fs/suid_dumpable
This is needed if a dovecot child process segfaults - in this case, dovecot provides a helpful error message like dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.org/bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2) which involves reading the current value in suid_dumpable.
---
 profiles/apparmor.d/usr.sbin.dovecot | 1 +
 1 file changed, 1 insertion(+)
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index 579b3100a..8eced4a64 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -38,6 +38,7 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
 /etc/lsb-release r,
 /etc/SuSE-release r,
 @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/fs/suid_dumpable r,
 /usr/bin/doveconf rix,
 /usr/lib/dovecot/anvil mrPx,
 /usr/lib/dovecot/auth mrPx,
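Review bot: The added `@{PROC}/sys/fs/suid_dumpable r,` rule has no comment, so someone auditing the profile later cannot tell why the dovecot master is allowed to read a sysctl path; the reason is recorded only in the commit message. I would put `# read by the master when it logs the "core not dumped" hint for a crashed child` on the line above the rule. The grant is read-only, which matches what the commit message describes, and it should stay that way because the value controls whether processes that changed credentials may dump core. The profile block starts and ends outside this hunk, so I cannot see whether the child profiles entered through the `Px` rules would need the same read; the quoted log line suggests the master does the read, but that is worth confirming.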