Dovecot pigeon/sieve and SELinux
Hi all,
I am in the process of migrating a dovecot installation from RHEL8 to RHEL9, this time round I am trying to get everything to work in selinux enforcing mode.
First error I am stuck on is as follows:
Error: sieve: file storage: Failed to stat sieve storage path: stat(/var/lib/dovecot/sieve/vacation.sieve) failed: Permission denied (euid=377(vmail) egid=376(vmail) missing +x perm: /var/lib/dovecot, we're not in group 97(dovecot), dir owned by 97:97 mode=0750)
It appears that the vmail user cannot access /var/lib/dovecot, because under RHEL9 the permissions are hidden to the world.
[root@seawitch dovecot]# ls -al /var/lib/dovecot
total 12
drwxr-x---. 3 dovecot dovecot 36 Jul 21 17:51 .
Am I correct in interpreting the error message as meaning that /var/lib/dovecot/sieve is not a correct directory for global sieve scripts, and they need to go somewhere else?
If they do need to go somewhere else, in the world of enforcing selinux, where do they go?
While dovecot-selinux is documented, sieve is not mentioned:
https://linux.die.net/man/8/dovecot_selinux
So, let's work around the above error by adding the vmail user to the dovecot group. Is this even a good idea?
/usr/sbin/usermod -a -G dovecot vmail
Now we hit the next error:
Error: sieve: file storage: Failed to stat sieve storage path: stat(/var/lib/dovecot/sieve/vacation.sieve) failed: Permission denied (euid=380(vmail) egid=378(vmail) missing +w perm: /var/lib/dovecot/sieve/vacation.sieve stat(/var/lib/dovecot/sieve/vacation.sieve) failed: Permission denied, dir owned by 0:0 mode=0755)
This error is weird. Dovecot is trying to open the original vacation.sieve source file for write - why?
We have pre-compiled all the global sieve scripts:
[root@marcopolo ~]# ls -al /var/lib/dovecot/sieve/
total 36
drwxr-xr-x. 5 root    root    4096 Jul 21 17:29 .
drwxr-x---. 3 dovecot dovecot   36 Jul 21 17:29 ..
-rwxr-xr-x. 1 root    root     284 Jul 21 08:47 junk.sieve
-rw-r--r--. 1 root    root     277 Jul 21 17:29 junk.svbin
-rwxr-xr-x. 1 root    root     316 Jul 21 08:47 report-ham.sieve
-rw-r--r--. 1 root    root     476 Jul 21 17:29 report-ham.svbin
-rwxr-xr-x. 1 root    root     201 Jul 21 08:47 report-spam.sieve
-rw-r--r--. 1 root    root     382 Jul 21 17:29 report-spam.svbin
drwxr-xr-x. 2 root    root       6 Jul 21 08:47 sieve-execute
drwxr-xr-x. 2 root    root       6 Jul 21 08:47 sieve-filter
drwxr-xr-x. 2 root    root       6 Jul 21 08:47 sieve-pipe
-rwxr-xr-x. 1 root    root     309 Jul 21 08:47 vacation.sieve
-rw-r--r--. 1 root    root     558 Jul 21 17:29 vacation.svbin
Is the error perhaps inaccurate, and it’s trying to open a temp file for write, failing (correctly, it has no business opening a temp file for write at this point), and then claiming the failure on the temp file is a failure on the source file?
So to sum up:
- In an SELinux world of Redhat, what directory do global sieve scripts go?
- What permissions and selinux context are required on the global sieve scripts directory?
Regards,
Graham
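As an added illustration (this is not part of Graham's post and not Dovecot's own code), the POSIX sh script below re-implements the discretionary-access checks behind the two error messages: the search (+x) check on every directory component that produced "missing +x perm: /var/lib/dovecot, we're not in group 97(dovecot)", and the per-file bit check that produced "missing +w perm" on vacation.sieve. It evaluates the checks for an identity you name (uid, primary gid, supplementary gids) rather than for the user running it, so you can try "vmail before usermod" and "vmail after usermod -a -G dovecot" against the same tree without switching users. The uid/gid 377/376 are the vmail identity from the first error; the directory layout and modes are rebuilt in a scratch directory as a constructed sample, owned by whoever runs the script; `stat -c %C` (GNU coreutils, Linux) is used to print the SELinux label, which the DAC checks say nothing about.

```shell
#!/bin/sh
# Added example, not from the post or from Dovecot: re-implement the DAC checks
# behind "missing +x perm" / "missing +w perm" for an identity given on the
# command line, and show each file's SELinux label alongside.
# Assumes GNU coreutils stat. uid 377 / gid 376 are taken from the error message.

# in_groups NEEDLE GID... -> 0 if NEEDLE is one of the GIDs
in_groups() {
    needle=$1; shift
    for g; do [ "$g" = "$needle" ] && return 0; done
    return 1
}

# perm_digit PATH UID GID... -> prints "DIGIT EXPLANATION": the octal triple
# (owner, group or other) that applies to that identity on PATH
perm_digit() {
    p=$1; uid=$2; shift 2; groups=$*
    out=$(stat -c '%a %u %g' "$p" 2>/dev/null) || return 2
    set -- $out
    mode=$(printf '%04d' "$1"); fuid=$2; fgid=$3
    perm=${mode#?}                                  # drop setuid/setgid/sticky digit
    if [ "$fuid" = "$uid" ]; then
        echo "${perm%??} as owner $fuid mode=$mode"
    elif in_groups "$fgid" $groups; then
        t=${perm#?}; echo "${t%?} via group $fgid mode=$mode"
    else
        echo "${perm#??} as other, we're not in group $fgid, owned by $fuid:$fgid mode=$mode"
    fi
}

# has_bit PATH BIT UID GID... -> 0 if the applicable triple has BIT (4=r 2=w 1=x);
# otherwise prints a Dovecot-style diagnostic and returns 1
has_bit() {
    p=$1; bit=$2; uid=$3; shift 3
    [ "$uid" -eq 0 ] && return 0                    # root bypasses DAC; SELinux still applies
    info=$(perm_digit "$p" "$uid" "$@") || { echo "stat($p) failed"; return 2; }
    digit=${info%% *}
    [ $(( $digit & $bit )) -ne 0 ] && return 0
    case $bit in 4) name=r ;; 2) name=w ;; *) name=x ;; esac
    echo "missing +$name perm: $p (${info#* })"
    return 1
}

# traverse_check BASE TARGET UID GID... -> the +x walk from BASE down to
# dirname(TARGET). Dovecot walks from /; pass / as BASE to do the same.
traverse_check() {
    base=$1; target=$2; shift 2
    d=$(dirname -- "$target"); dirs=""
    while :; do
        dirs="$d
$dirs"
        [ "$d" = "$base" ] && break
        case $d in /|.) break ;; esac
        d=$(dirname -- "$d")
    done
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        has_bit "$d" 1 "$@" || return $?
    done <<EOF
$dirs
EOF
    echo "ok: every directory above $target is searchable for uid $1"
}

# selinux_context PATH -> the SELinux label, or "?" where unlabeled/unsupported
selinux_context() {
    stat -c '%C' "$1" 2>/dev/null || echo '?'
}

# demo_tree -> builds a constructed copy of the layout from the post (same modes,
# owned by the caller instead of dovecot/root) and prints its root
demo_tree() {
    T=$(mktemp -d) || return 2
    mkdir -p "$T/var/lib/dovecot/sieve"
    chmod 0755 "$T" "$T/var" "$T/var/lib" "$T/var/lib/dovecot/sieve"
    chmod 0750 "$T/var/lib/dovecot"                 # the RHEL9 default in the post
    printf 'require ["vacation"];\n' > "$T/var/lib/dovecot/sieve/vacation.sieve"
    chmod 0755 "$T/var/lib/dovecot/sieve/vacation.sieve"
    printf '%s\n' "$T"
}

main() {
    T=$(demo_tree) || exit 2
    f="$T/var/lib/dovecot/sieve/vacation.sieve"
    ogid=$(stat -c %g "$T/var/lib/dovecot")         # stands in for gid 97 (dovecot)
    echo "# vmail (377/376) before usermod:"
    traverse_check "$T" "$f" 377 376 || :
    echo "# vmail after usermod -a -G <group $ogid> vmail:"
    traverse_check "$T" "$f" 377 376 "$ogid" || :
    has_bit "$f" 2 377 376 "$ogid" || :             # the +w check from the second error
    echo "# SELinux label of $f: $(selinux_context "$f")"
    rm -rf "$T"
}
main
```

Run it as is to see the before/after of the usermod workaround on the constructed tree, or call `traverse_check / /var/lib/dovecot/sieve/vacation.sieve "$(id -u vmail)" "$(id -g vmail)" $(id -G vmail)` on the real host. A clean result here only means DAC is satisfied; under enforcing SELinux the remaining denials show up as AVC records in the audit log (`ausearch -m avc`), which is where the label question in the post has to be answered.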