[Dovecot] Dovecot + SELinux permission problems
Hi,
I have set up dovecot on an F17 box and am encountering weirdnesses with SELinux (who isn't??). Again, I am trying to refrain from disabling SELinux altogether, however tempting, but am stuck in troubleshooting and hope for some ideas...
With SELinux set to permissive, I can connect to dovecot and log in to access my mail as expected.
With SELinux enforcing, I can connect to dovecot, but cannot login to access mail. The log states
,---- log_path = /var/log/dovecot (set in 10-logging.conf)
| Jun 23 15:43:58 imap-login: Info: Login: user=<johndoe>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=15189, secured, session=
`----
The only thing I can grasp is a *write permission* error. ls -l on the Maildirs shows this should not be the case for uid 1000.
,---- ls -l
| drwxrwxr-x. 11 user user 4096 Jul  8  2012 Maildir
| > drwx------. 19 user user 4096 Feb  5 09:04 johndoe
`----
I have no idea what the server log is referring to, in the debug log I get
,---- debug_log_path = /var/log/dovecot_debug (set in 10-logging.conf)
| Jun 23 15:43:58 imap: Debug: Added userdb setting: mail=maildir:~/johndoe
| Jun 23 15:43:58 imap(johndoe): Debug: Effective uid=1000, gid=1000, home=/home/user/data1/Maildir/
| Jun 23 15:43:58 imap(johndoe): Debug: Namespace inbox: type=private, prefix=, sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/johndoe
| Jun 23 15:43:58 imap(johndoe): Debug: maildir++: root=/home/user/data1/Maildir//johndoe, index=, control=, inbox=/home/user/data1/Maildir//johndoe, alt=
`----
I had thought SELinux would log something, but /var/log/audit/audit.log is blank...
Where to go from here?? Any ideas appreciated...
-- Johnny
On Sun, Jun 23, 2013 at 04:21:17PM +0100, Johnny wrote:
I had thought SELinux would log something, but /var/log/audit/audit.log is blank...
Are you running auditd? I believe that if you're not running auditd, the denials should be logged to the kernel ring buffer. Does "dmesg" show any denials?
Likely dovecot doesn't have access to user_home_dir_t/user_home_t. Are all users' maildirs below /home/user/data1/Maildir/? If so, you can probably fix this by creating a labeling rule for this, and re-label everything below this directory:
semanage fcontext -a -t mail_spool_t "/home/user/data1/Maildir(/.*)?"
restorecon -R /home/user/data1/Maildir
-jf
Jan-Frode Myklebust janfrode@tanso.net writes:
On Sun, Jun 23, 2013 at 04:21:17PM +0100, Johnny wrote:
I had thought SELinux would log something, but /var/log/audit/audit.log is blank...
Are you running auditd? I believe that if you're not running auditd, the denials should be logged to the kernel ring buffer.
It seems auditd is not running and not happy to start:
,---- systemctl status auditd.service
| Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
| Active: failed (Result: exit-code) since Mon, 24 Jun 2013 04:28:28 +0100; 6s ago
| Process: 5139 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
| Process: 5136 ExecStart=/sbin/auditd -n (code=exited, status=6)
| CGroup: name=systemd:/system/auditd.service
`----
Does "dmesg" show any denials?
Nope, all it shows is turning SELinux on/off (I tried accessing the mail prior to and after changing the SELinux status):
,---- dmesg
| [  767.835481] type=1404 audit(1372044152.923:10): enforcing=0 old_enforcing=1 auid=1000 ses=1
| [  777.110187] type=1404 audit(1372044162.218:11): enforcing=1 old_enforcing=0 auid=1000 ses=1
`----
Likely dovecot doesn't have access to user_home_dir_t/user_home_t. Are all users' maildirs below /home/user/data1/Maildir/?
All users' maildirs are under the same location, e.g.
,---- ls -Z
| drwx------. user user system_u:object_r:mnt_t:s0 mailaccountA
| drwx------. user user system_u:object_r:mnt_t:s0 mailaccountB
| drwx------. user user unconfined_u:object_r:mnt_t:s0 mailaccountC
| drwx------. user user unconfined_u:object_r:mnt_t:s0 mailaccountD
`----
If so, you can probably fix this by creating a labeling rule for this, and re-label everything below this directory:
semanage fcontext -a -t mail_spool_t "/home/user/data1/Maildir(/.*)?"
restorecon -R /home/user/data1/Maildir
No luck with using this.
I will look into this more tomorrow and hopefully locate some logs.
-- Johnny
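Added example for this thread (not code posted by either participant): a small POSIX sh script that wraps the relabelling Jan-Frode proposed, verifies the result the way Johnny's `ls -Z` did, and pulls AVC denials out of dmesg or audit.log. It assumes the tree is /home/user/data1/Maildir and the target type is mail_spool_t, both taken from the thread; the sample `ls -Z` and dmesg lines inside the script are constructed for the demo (the AVC line is what a write denial against a mnt_t directory would look like, modelled on the standard kernel format, not something either poster saw). Two checks a practitioner would want here: directories that still show mnt_t after `restorecon -R` mean the fcontext rule did not match the path as stored (compare `semanage fcontext -l | grep Maildir` against the real path, including any mount point), and an audit log or dmesg with no type=1400 records while enforcing mode breaks things can also mean the denial is covered by a dontaudit rule, which `semodule -DB` disables temporarily (`semodule -B` restores it).

```shell
#!/bin/sh
# Added example for the Dovecot + SELinux thread, not code from the thread.
# Offline parts (label check, AVC parsing) run on constructed sample data;
# --apply and --check run the real commands and need root and the SELinux tools.
# Assumptions: MAILDIR_ROOT and WANT_TYPE as in the thread; samples are made up.

MAILDIR_ROOT="${MAILDIR_ROOT:-/home/user/data1/Maildir}"
WANT_TYPE="${WANT_TYPE:-mail_spool_t}"

# Constructed sample data modelled on the thread's output (not real systems).
SAMPLE_LSZ='drwx------. user user system_u:object_r:mnt_t:s0 mailaccountA
drwx------. user user system_u:object_r:mail_spool_t:s0 mailaccountB
drwx------. user user unconfined_u:object_r:mnt_t:s0 mailaccountC'
SAMPLE_DMESG='[  767.835481] type=1404 audit(1372044152.923:10): enforcing=0 old_enforcing=1 auid=1000 ses=1
[  801.123456] type=1400 audit(1372044186.000:12): avc:  denied  { write } for  pid=15189 comm="imap" name="johndoe" dev="dm-2" ino=131073 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir'

# user:role:type:level -> type
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# stdin: `ls -Z DIR` output (mode owner group context name, as in the thread).
# Prints "name type" for every entry whose SELinux type is not $1.
find_mislabeled() {
    while read -r mode owner group ctx name; do
        case "$ctx" in *:*:*:*) ;; *) continue ;; esac    # skip "total 0" etc.
        t=$(context_type "$ctx")
        [ "$t" = "$1" ] || printf '%s %s\n' "$name" "$t"
    done
}

# stdin: dmesg or audit.log lines. Without auditd the kernel prints AVC
# denials as type=1400 records; the type=1404 lines Johnny saw are only the
# enforcing-mode toggles. Prints "comm denied perm: src_type -> tgt_type".
find_avc_denials() {
    grep -E 'avc: +denied' | while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^} ]*\).*/\1/p')
        comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
        scon=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tcon=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        printf '%s denied %s: %s -> %s\n' "$comm" "$perm" \
            "$(context_type "$scon")" "$(context_type "$tcon")"
    done
}

# The fix from the thread, then verification. A second `-a` for the same
# path fails with "already defined", so fall back to `-m` (modify).
relabel_maildir() {
    semanage fcontext -a -t "$WANT_TYPE" "${MAILDIR_ROOT}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t "$WANT_TYPE" "${MAILDIR_ROOT}(/.*)?"
    restorecon -Rv "$MAILDIR_ROOT"
    echo "entries still not ${WANT_TYPE}:"
    ls -Z "$MAILDIR_ROOT" | find_mislabeled "$WANT_TYPE"
}

# Look in both places denials can land, depending on whether auditd is up.
check_denials() {
    [ -r /var/log/audit/audit.log ] && find_avc_denials < /var/log/audit/audit.log
    dmesg | find_avc_denials
}

case "${1:-}" in
    --apply) relabel_maildir ;;
    --check) check_denials ;;
    *)  echo "mislabeled (sample):"
        printf '%s\n' "$SAMPLE_LSZ" | find_mislabeled "$WANT_TYPE"
        echo "denials (sample):"
        printf '%s\n' "$SAMPLE_DMESG" | find_avc_denials ;;
esac
```

Run with no arguments to see the parsers work on the constructed samples; `--apply` runs the relabel on a real box and lists anything still carrying the wrong type, `--check` scans audit.log and dmesg for AVC records. The parser expects plain `ls -Z` (five fields, as in Johnny's output), not `ls -lZ`, which adds size and date columns.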