[Dovecot] Dovecot + SELinux permission problems
Johnny
yggdrasil at gmx.co.uk
Mon Jun 24 06:40:17 EEST 2013
Jan-Frode Myklebust <janfrode at tanso.net> writes:
> On Sun, Jun 23, 2013 at 04:21:17PM +0100, Johnny wrote:
>>
>> I had thought SELinux would log something, but /var/log/audit/audit.log
>> is blank...
>
> Are you running auditd? I believe that if you're not running auditd, the
> denials should be logged to the kernel ring buffer.
It seems auditd is not running and is not happy to start:
,---- systemctl status auditd.service
| Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
| Active: failed (Result: exit-code) since Mon, 24 Jun 2013 04:28:28 +0100; 6s ago
| Process: 5139 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
| Process: 5136 ExecStart=/sbin/auditd -n (code=exited, status=6)
| CGroup: name=systemd:/system/auditd.service
`----
> Does "dmesg" show any denials ?
Nope, all it shows is SELinux being turned on and off (I tried accessing the mail
before and after changing the SELinux status):
,----
| [ 767.835481] type=1404 audit(1372044152.923:10): enforcing=0 old_enforcing=1 auid=1000 ses=1
| [ 777.110187] type=1404 audit(1372044162.218:11): enforcing=1 old_enforcing=0 auid=1000 ses=1
`----
> Likely dovecot doesn't have access to user_home_dir_t/user_home_t. Are all
> users' maildirs below /home/user/data1/Maildir/ ?
All users' maildirs are under the same location, e.g.
,---- ls -Z
| drwx------. user user system_u:object_r:mnt_t:s0 mailaccountA
| drwx------. user user system_u:object_r:mnt_t:s0 mailaccountB
| drwx------. user user unconfined_u:object_r:mnt_t:s0 mailaccountC
| drwx------. user user unconfined_u:object_r:mnt_t:s0 mailaccountD
`----
> If so, you can probably fix this by creating a labeling rule for this,
> and re-label everything below this directory:
>
> semanage fcontext -a -t mail_spool_t "/home/user/data1/Maildir(/.*)?"
> restorecon -R /home/user/data1/Maildir
No luck with using this.
I will look into this more tomorrow and hopefully locate some logs.
--
Johnny
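Editor's note, added example (not part of the thread and not Dovecot's code): the thread stalls because no denial record is visible. When auditd is not running, the kernel prints AVC records to the ring buffer, so `dmesg` (or `journalctl -k`) is where to look; when it is running, `ausearch -m avc -ts recent` reads them from audit.log. The script below parses AVC denial records from either source, reports which source domain was denied which permission on which target type, and prints the labelling fix Jan-Frode proposed. The sample records are constructed for illustration (pid, inode and device values are placeholders), and the script assumes Dovecot's processes run in the dovecot_t domain and that mail_spool_t is the type you want to apply, as suggested above.

```shell
#!/bin/sh
# Added example: extract the useful fields from SELinux AVC denial records and
# turn them into relabel commands. Not from the original post.
#
# CONSTRUCTED sample: two AVC denials for dovecot_t on mnt_t-labelled objects,
# plus the type=1404 "enforcing toggled" record from the thread, which carries
# no denial and must be ignored by the parser.
SAMPLE_DMESG='[  801.112233] type=1400 audit(1372044200.100:12): avc:  denied  { search } for  pid=5201 comm="imap" name="mailaccountA" dev="sda3" ino=131074 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
[  801.112900] type=1400 audit(1372044200.101:13): avc:  denied  { read } for  pid=5201 comm="imap" name="dovecot-uidlist" dev="sda3" ino=131080 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file
[  777.110187] type=1404 audit(1372044162.218:11): enforcing=1 old_enforcing=0 auid=1000 ses=1'

# avc_denials: read audit.log or dmesg text on stdin and print one line per
# AVC denial: <source type> <target type> <object class> <permissions>.
# Only the type component of each context matters for type-enforcement rules,
# so the user (system_u vs unconfined_u) and role parts are dropped.
avc_denials() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # drop everything before "{ "
        sub(/ *[}].*/, "", perms)           # drop " }" and the rest
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        print s, t, c, perms
    }'
}

# target_types: the distinct target types that were denied; these are the
# labels that the maildir tree currently carries and that dovecot_t may not
# touch, i.e. what the fcontext rule has to replace.
target_types() {
    avc_denials | awk '{ print $2 }' | sort -u
}

# relabel_commands DIR TYPE: print (do not run) the persistent labelling rule
# and the relabel that applies it, mirroring the commands quoted in the thread.
relabel_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -R -v "%s"\n' "$1"
}

# Demo on the constructed sample. On a real host replace the printf with
#   dmesg | avc_denials          (auditd not running)
#   ausearch -m avc -ts recent | avc_denials   (auditd running)
printf '%s\n' "$SAMPLE_DMESG" | avc_denials
for t in $(printf '%s\n' "$SAMPLE_DMESG" | target_types); do
    echo "# dovecot_t was denied access to objects labelled $t"
done
relabel_commands /home/user/data1/Maildir mail_spool_t
```

Two checks worth doing when, as here, `dmesg` shows nothing at all: `getenforce` to confirm the mode, and `semodule -DB` to rebuild the policy with dontaudit rules disabled, since a denial covered by a dontaudit rule is enforced silently and never reaches the ring buffer or audit.log (`semodule -B` restores the quiet behaviour afterwards). `ls -Z` in the thread shows the tree labelled mnt_t, which is the default for mount points; after `restorecon -R` the same `ls -Z` should show mail_spool_t, and `matchpathcon /home/user/data1/Maildir` should agree with it. If access is still denied after relabelling, `sesearch -A -s dovecot_t -t mail_spool_t` (from setools) tells you whether the loaded policy actually grants dovecot_t the permission named in the AVC record.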