Hi Alex,
I don't know anything about SELinux, beyond that it's a pain to work with and causes all kinds of funky issues. Make sure you turn on verbose logging with SELinux so that you can see all that it's doing, but honestly, I cannot help you much more.
John
just for completeness, here are the additional policies to SELinux that I had enabled (prior to semanage permissive -a dovecot_auth_t):
#============= dovecot_auth_t ==============
#!!!! This avc is allowed in the current policy allow dovecot_auth_t dovecot_t:tcp_socket { accept getattr };
#!!!! This avc is allowed in the current policy allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
With these, I do not see any avc in audit.log, but see the core dump.
Best regards Alex
On Mon, 2023-11-20 at 08:47 +0100, Alexander Vogt wrote:
Hi John,
thanks - yes, this is a new setup (I am migrating to CentOS 9). SELinux is enabled, but audit.log does not show an AVC. However, I ran
semanage permissive -a dovecot_t
and I am now able to dump the core. It is attached. With
semanage permissive -a dovecot_auth_t
auth seems to work. Now that it is established that the issue is due to SELinux, I need to figure out how to solve it. SELinux was one of the key motivations for the migration :) Could you see what is going on from the dump?
Best regards Alex
On Sun, 2023-11-19 at 20:39 -0500, John Stoffel wrote:
> > "Alexander" == Alexander Vogt via dovecot dovecot@dovecot.org writes:
Is this a new setup? Do you have SELinux enabled? Or are you doing chroot'd setup? If so, back it all off one by one and see what's going on. The fact that you can't dump core because you can't write somewhere tells me that your systems is locked down really hard in some manner.
The fd not supporting epoll() is also suspect to me. Can you give more details on your system setup? Do you have apparmor turned on? Have you looked in your system logs as well?
John
dovecot auth service is failing when using an inet_service. The configuration is essentially:
service auth { inet_listener { address = * port = 12345 } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } }
When I connect to port 12345 (real IMAP client or telnet doesn't make a difference), the auth service crashes.
Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Panic: epoll_ctl(add, 13) failed: Operation not permitted (fd doesn't support epoll) Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x46) [0x7f9319f89486] -> /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x22) [0x7f9319f895a2] -> /usr/lib64/dovecot/libdovecot.so.0(+0x10a41b) [0x7f9319f9841b] -> /usr/lib64/dovecot/libdovecot.so.0(+0x10a4b7) [0x7f9319f984b7] -> /usr/lib64/dovecot/libdovecot.so.0(+0x5d11a) [0x7f9319eeb11a] -> /usr/lib64/dovecot/libdovecot.so.0(+0x609b0) [0x7f9319eee9b0] -> /usr/lib64/dovecot/libdovecot.so.0(+0x1215ba) [0x7f9319faf5ba] -> /usr/lib64/dovecot/libdovecot.so.0(io_add_to+0x1d) [0x7f9319faf62d] -> /usr/lib64/dovecot/libdovecot.so.0(io_add+0x28) [0x7f9319faf668] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_io_listeners_add+0x8a ) [0x7f9319f1d16a] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_init_finish+0xff) [0x7f9319f24bdf] -> dovecot/auth(main+0x389) [0x55745603a4f9] -> /lib64/libc.so.6(+0x3feb0) [0x7f931963feb0] -> /lib64/libc.so.6(__libc_start_main+0x80) [0x7f931963ff60] -> dovecot/auth(_start+0x25) [0x55745603a715]
System info (sysreport attached): # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.16 (09c29328) # OS: Linux 5.14.0-383.el9.x86_64 x86_64 CentOS Stream release 9
This exact configuration is known to work on this system: # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.21 (92477967)
I tried for almost two hours to get a core dump for this, but finally gave up. I followed https://www.dovecot.org/bugreport-mail/#coredumps and other sources but the best I could get was
Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Fatal: master: service(auth): child 7198 killed with signal 6 (core not dumped - https://dovecot.org/bugreport.html#coredumps - core wasn't writable?)
for
cat /proc/sys/kernel/core_pattern /tmp/core.%e.%p
(which is 1777).
Any help to get this resolved would be much appreciated! Thanks and best regards Alex [DELETED ATTACHMENT dovecot-sysreport-imap.linexus.de-1700427979.tar.gz, application/x-compressed-tar]
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org