The apparmor-profiles for dovecot contain policies for files in /usr/lib, but dovecot installs a couple of them to /usr/libexec instead. This means dovecot breaks with apparmor.

Reproducible: Always

Steps to Reproduce:
1. Install and activate apparmor
2. Try to run dovecot
3. systemctl status dovecot and syslog show permission errors

Actual Results:
service does not work due to denied permission because of wrong paths

Expected Results:
The apparmor configuration should match the dovecot installation or vice versa.

There is an upstream fix from 4 months ago that did not make it into Gentoo yet: https://gitlab.com/apparmor/apparmor/-/commit/37ffc6eac80e174cb3f7613d9931e9ea38643f6e

It basically sets the path to /usr/lib*/ to match both possible paths because distros use them both. This commit is included in apparmor-profiles tagged v4.0.0-alpha2 and newer, which is not available on Gentoo. The Gentoo fork of apparmor's git master branch can be installed via the 9999-ebuild with -vanilla flag, but it has not merged this upstream commit, so it breaks too. Installing the 9999 build with vanilla flag installs the real upstream master branch, but that one fails to be parsed by apparmor on Gentoo.

Cherry-picking that commit from above fixes the issue: I downloaded the patch from gitlab and applied it with git apply -p2 dovecot.patch, restarted apparmor and dovecot, and now dovecot runs.
ah, and while at it, we should add the following, otherwise dovecot cannot access maildirs properly: --- a/apparmor.d/local/usr.lib.dovecot.auth +++ b/apparmor.d/local/usr.lib.dovecot.auth @@ -1 +1,3 @@ # Site-specific additions and overrides for 'usr.lib.dovecot.auth' +/run/faillock/ rw, +/run/faillock/* rw, diff --git a/apparmor.d/local/usr.lib.dovecot.imap b/apparmor.d/local/usr.lib.dovecot.imap index 24ca5e9..edb24ea 100644 --- a/apparmor.d/local/usr.lib.dovecot.imap +++ b/apparmor.d/local/usr.lib.dovecot.imap @@ -1 +1,4 @@ # Site-specific additions and overrides for 'usr.lib.dovecot.imap' + +/home/*/.maildir/ rw, +/home/*/.maildir/** rwlk,
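Review bot: the two `/run/faillock/` rules added to `local/usr.lib.dovecot.auth` have nothing to do with maildir access, which is what the comment says the patch is for; `/run/faillock` is the tally directory used by pam_faillock, so these rules are about letting the auth process record and reset failed-login counters during PAM authentication. Please state that in the comment and add a one-line `#` comment above the rules in the local file so the `rw` grant on the tally directory is not dropped later as an unexplained leftover. Also, this first hunk lacks the `diff --git` and `index` header lines that the imap hunk carries, which makes the patch inconsistent and harder to review; regenerating both hunks with `git diff` would fix that.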
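Review bot: in the `local/usr.lib.dovecot.imap` hunk the `rwlk` on `/home/*/.maildir/**` grants link and lock permissions on everything under the maildir without saying why; Dovecot's maildir backend renames messages between `tmp/`, `new/` and `cur/`, hardlinks them when copying, and takes locks on its index and uidlist files, so `l` and `k` are needed, but a short `#` comment next to the rule would make that clear to the next person editing the override. Since the `/home/*/.maildir/` path is a site-specific layout, putting it in the `local/` override rather than the shipped profile is the right place; if the same mailboxes are also served by other dovecot processes confined by their own profiles, those local overrides will need the same two lines.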