Dovecot lxc apparmor denied (Buster)

Did you tried with the unconfined AppArmor value ?

lxc.apparmor.profile: unconfined

Set it into your /etc/pve/lxc/CTID.conf

Updating the service unit to avoid PrivateTmp doesn't work in LXC unfortunately without granting the necessary privileges via AppArmor on the host.

After exploring the options it seems there's no longer a way to make this work from purely within the container.

To make it work I removed all edits in the container (so got rid of the PrivateTmp config) and moved to modifying the AppArmor policies as follows:

1. On the host, create a new AppArmor policy at /etc/apparmor.d/lxc/lxc-dovecot and populate it with the following:

   # Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
   # will source all profiles under /etc/apparmor.d/lxc
   profile lxc-container-dovecot flags=(attach_disconnected,mediate_deleted) {
     #include <abstractions/lxc/container-base>
     #include <abstractions/lxc/start-container>
     deny mount fstype=devpts,
     mount fstype=cgroup -> /sys/fs/cgroup/**,
     mount fstype=cgroup2 -> /sys/fs/cgroup/**,
     mount options=(rw,bind),
     mount options=(rw,rbind),
     mount options=(rw,rshared),
     mount options=(ro,nosuid,noexec,remount,bind,strictatime),
   }
   

2. Reload AppArmor with

   $ systemctl restart apparmor.service
   

3. Set the container to use the new profile by adding the following line to your LXC container config, typically at /var/lib/lxc/$container/config:

   # Add or edit the following line to set the apparmor profile used
   lxc.apparmor.profile = lxc-container-dovecot
   

4. Restart your container:

   $ lxc-stop -n $container && sleep 1 && lxc-start -d -n $container