Hi,
After configuring the systemd unit with ReadWritePaths=/home/mail, I get the following error logs in audit:
type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83 success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8 items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21 success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffffffe items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
I have SELinux enabled on CentOS. If I run: audit2why < /var/log/audit/audit.log
I get:
type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
Was caused by: Missing type enforcement (TE) allow rule.
I think it's important to know that I'm trying to use dovecot with virtual users. If I try to configure it with PAM authentication using system users, it works well.
Any suggestions on this?
Mura Andrei
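An added triage helper (my own example, not code from the thread or from Dovecot): it parses AVC records like the ones quoted above and groups denials by source domain, target type, object class and permission, so the label that dovecot_t was refused on is visible at a glance. The sample log is constructed from the two AVC records above plus an abbreviated SYSCALL record.

```python
import re
from collections import Counter

# Constructed sample: the two AVC records from the thread plus an abbreviated SYSCALL record (non-AVC lines are skipped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83 success=no exit=-13 pid=12750 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value" tokens
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')  # decision and permission set

def context_type(ctx):
    """Type component of a user:role:type[:range] context, e.g. dovecot_t."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one audit line; return a dict for an AVC record, None for any other record type."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = AVC_RE.search(line)
    if fields.get("type") != "AVC" or m is None:
        return None
    return {
        "decision": m.group(1),
        "perms": tuple(m.group(2).split()),
        "name": fields.get("name", ""),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }

def summarize_denials(log_text):
    """Count denials per (source domain, target type, object class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts

def target_types(log_text, domain):
    """Target types a source domain was denied on; compare these with the label the path should carry."""
    return {key[1] for key in summarize_denials(log_text) if key[0] == domain}

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{n} x {key}")
```

Before writing an allow rule for a denial like this, check what label the directory actually carries (for example with ls -Z) against what a mail directory is expected to have: audit2why reports "missing TE allow rule" equally for a genuine policy gap and for a mislabelled path, and a Maildir under /home/mail carrying etc_runtime_t is the second case.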
On Sat, Apr 11, 2020 at 10:02 AM Andrei Petru Mura <mapandrei@gmail.com> wrote:
I think I found here what I'm interested in: https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/.
On Sat, Apr 11, 2020 at 9:52 AM Andrei Petru Mura <mapandrei@gmail.com> wrote:
Hi Aki,
Thanks. I was especially interested in documentation related to dovecot and its users' permissions, the way in which dovecot uses users. Until now I have found only scattered information in different articles on dovecot's website.
Thanks, Mura Andrei
On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Hi,
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWrite...
although we probably need to add some words into doc.dovecot.org under known issues.
Aki
On 11/04/2020 09:24 Andrei Petru Mura <mapandrei@gmail.com> wrote:
Hi Aki,
Any documentation on this topic?
Mura Andrei
On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
This is probably caused by systemd (or SELinux or both).
With systemd, you need to add
ReadWritePaths=/home/mail
to the systemd unit.
Then you can check /var/log/audit/audit.log for any SELinux-specific problems, if you are using CentOS/RedHat.
Aki
On 06/04/2020 17:01 Andrei Petru Mura <mapandrei@gmail.com> wrote:
Hi,
Dovecot version 2.2.36. In log files I get this error:
dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir) failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
My authentication configuration is this:
passdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/users
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/home/mail/domain/%n
}
The /home/mail/domain/test directory is owned by the vmail user. How can I fix this?
Mura Andrei