Andreas fixed that in 2.4.49+dfsg-2ubuntu1 [Focal] which started to have profile in openldap and include ssl_cert which (as Christian Bolz outlined above) do include those paths.
# grep ssl_c /etc/apparmor.d/usr.sbin.slapd #include <abstractions/ssl_certs> # grep enc /etc/apparmor.d/abstractions/ssl_certs /etc/letsencrypt/archive/*/cert*.pem r, /etc/letsencrypt/archive/*/chain*.pem r, /etc/letsencrypt/archive/*/fullchain*.pem r, Fixed Focal onwads, and since users can modify the local overrides if needed I'm not sure how important an SRU of the same is (changing isolation in SRUs is discouraged AFAIK). ** Changed in: openldap (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1805178 Title: Apparmor should include letsencrypt directory for Slapd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1805178/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs