Hi Aki,

You did a great job. God bless you! :)
I think it will work now. I'll come with feedback if that's the case after applying this on my server. I just want to mention one little thing below (which possibly has some importance).
In my system, instead of /home/mail/domain/test/Maildir, I have /some_other_custom_dir/mail/my_domain_name/test/Maildir/. From dovecot_selinux's man page I can see that mail_home_rw_t directories are: 
            /root/Maildir(/.*)?
            /root/.esmtp_queue(/.*)?
            /home/[^/]+/.maildir(/.*)?
            /home/[^/]+/Maildir(/.*)?
            /home/[^/]+/.esmtp_queue(/.*)?
which anyway, seems to me, doesn't match the initial directory path which I provided (it's the first time when I knowledgeably interact with SELinux).
I think this shouldn't impact the documented issue, but if you think it does, I wanted to inform you.

Thanks and have a nice day,
Mura Andrei

On Sun, Apr 12, 2020 at 10:52 PM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:

> On 11/04/2020 15:57 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
>
>
>
>
> > On 11/04/2020 15:47 Alex JOST <jost+lists@dimejo.at> wrote:
> >
> >
> >
> >
> > On 11.04.2020 at 13:00 Andrei Petru Mura wrote:
> > > Hi,
> > >
> > >
> > > After configuring systemd unit with ReadWritePaths=/home/mail, I get the
> > > following error logs in audit:
> > > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
> > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83
> > > success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8
> > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
> > > type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
> > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21
> > > success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffffffe
> > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
> > >
> > >
> > > I have SELinux enabled, on CentOS.
> > > If I run:
> > > audit2why < /var/log/audit/audit.log
> > >
> > >
> > > I get:
> > > type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
> > > pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > >
> > >
> > > Was caused by:
> > > Missing type enforcement (TE) allow rule.
> > >
> > >
> > > I think it's important to know that I'm trying to use dovecot with virtual
> > > users. If I try to configure it with PAM authentication using system users,
> > > it works well.
> > >
> > >
> > > Any suggestions on this?
> > Looks like /home/mail as mail store isn't included in the default
> > SELinux policy. Did you make sure that the correct SELinux type is set
> > on the directories?
> > https://www.unix.com/man-page/centos/8/dovecot_selinux/
> >
> >
> >
> >
> > If this isn't enough to get you going you might need to create your own
> > policy. The following steps should be all that it takes to create your
> > own policy.
> >
> >
> > Check that grep includes only lines that you want included in your new
> > policy:
> > grep dovecot /var/log/audit/audit.log | audit2allow -w
> >
> >
> > Create your new policy for Dovecot and install it:
> > grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> > semodule -i dovecot_custom.pp
> >
> >
> > --
> > Alex JOST
>
>
>
>
> Or just label the directory with mail_home_rw_t
>
>
> ---
> Aki Tuomi
>

> I took the time to document a suitable approach to this problem. You can check it here https://github.com/dovecot/documentation/pull/63/files
>
> Aki
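As an added example (not code from the thread or from the Dovecot documentation), the shell helpers below check a mail store path against the default mail_home_rw_t patterns quoted above, pull the denied object's type out of the AVC record from the thread, and print the narrow fix Aki suggests (a persistent file context plus restorecon) rather than an audit2allow module. The store paths in the loop and the function names are my own; the semanage and restorecon invocations are standard.

```shell
#!/bin/sh
# Added example, not from the thread or the Dovecot project.

# mail_home_rw_t file-context patterns, as quoted from the dovecot_selinux man page.
DEFAULT_MAIL_HOME_RW_PATTERNS='/root/Maildir(/.*)?
/root/.esmtp_queue(/.*)?
/home/[^/]+/.maildir(/.*)?
/home/[^/]+/Maildir(/.*)?
/home/[^/]+/.esmtp_queue(/.*)?'

# matches_default_fcontext PATH: succeed when PATH is covered by a default
# pattern, i.e. restorecon alone would already label it mail_home_rw_t.
matches_default_fcontext() {
    while IFS= read -r pat; do
        printf '%s\n' "$1" | grep -Eq "^${pat}"'$' && return 0
    done <<EOF
$DEFAULT_MAIL_HOME_RW_PATTERNS
EOF
    return 1
}

# avc_target_type AVC_LINE: print the type field of tcontext=, e.g. etc_runtime_t.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# avc_is_dovecot_mislabel AVC_LINE: a write denial from dovecot_t on a dir
# whose label is not mail_home_rw_t points at a labelling problem, not a
# missing allow rule worth granting with audit2allow.
avc_is_dovecot_mislabel() {
    printf '%s\n' "$1" | grep -Eq 'denied +[{] write [}].*scontext=[^ ]*:dovecot_t:.*tclass=dir' || return 1
    [ "$(avc_target_type "$1")" != mail_home_rw_t ]
}

# relabel_commands STORE: persistent file context for the store, then relabel.
relabel_commands() {
    printf 'semanage fcontext -a -t mail_home_rw_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

# AVC record from the thread, rejoined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0'

for store in /home/alice/Maildir /home/mail /some_other_custom_dir/mail; do   # constructed paths
    if matches_default_fcontext "$store"; then
        echo "$store: covered by the default policy, run: restorecon -Rv $store"
    elif avc_is_dovecot_mislabel "$SAMPLE_AVC"; then
        echo "$store: not covered; denied object is $(avc_target_type "$SAMPLE_AVC"), relabel with:"
        relabel_commands "$store"
    fi
done
```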