[Dovecot] Permissions errors while reading messages via IMAP
Geoff Sweet
geoff.sweet at wemadeusa.com
Thu Dec 24 03:27:56 EET 2009
Appears to be an SELinux issue. I checked it out with audit2allow and discovered several items that needed tweaking. Here is the result of my te file:
# cat DovecotDelivery.te
module DovecotDelivery 1.0;

require {
	type sysadm_passwd_t;
	type postfix_spool_t;
	type user_home_dir_t;
	type dovecot_auth_t;
	type user_home_t;
	type var_spool_t;
	type dovecot_t;
	type mysqld_etc_t;
	type dovecot_var_run_t;
	type mysqld_port_t;
	type system_mail_t;
	class process setcap;
	class tcp_socket name_connect;
	class dir { search setattr };
	class file { rename execute read lock write getattr unlink };
}

#============= dovecot_auth_t ==============
# dovecot-auth reads the MySQL client configuration and connects to the
# mysqld port (SQL passdb/userdb lookups).
allow dovecot_auth_t mysqld_etc_t:file { read getattr };
allow dovecot_auth_t mysqld_port_t:tcp_socket name_connect;

#============= dovecot_t ==============
# The Dovecot processes: change attributes on their own run directory, adjust
# their own capability set, and read/write/rename/unlink files labelled
# user_home_dir_t (the Maildirs live under /home/vmail).
allow dovecot_t dovecot_var_run_t:dir setattr;
allow dovecot_t self:process setcap;
allow dovecot_t user_home_dir_t:file { rename write getattr read lock unlink };

#============= sysadm_passwd_t ==============
# passwd run from an administrative shell may search /var/spool and the
# Postfix spool directories.
allow sysadm_passwd_t postfix_spool_t:dir search;
allow sysadm_passwd_t var_spool_t:dir search;

#============= system_mail_t ==============
# Lets the system mail client domain execute files labelled as user home
# content. This is a very broad grant.
allow system_mail_t user_home_t:file execute;
Some of that is left over from a previous attempt to get this working. It all seems to be fine once I load that module.
-Geoff
________________________________________
From: Timo Sirainen [tss at iki.fi]
Sent: Wednesday, December 23, 2009 1:26 PM
To: Geoff Sweet
Cc: dovecot at dovecot.org
Subject: Re: [Dovecot] Permissions errors while reading messages via IMAP
On Wed, 2009-12-23 at 13:13 -0800, Geoff Sweet wrote:
> and as you can see, the files in the delivery location have the correct permissions for being delivered by user "vmail":
> # ls -la
> total 64
> -rw------- 1 vmail vmail 572 Dec 23 11:51 dovecot.index.log
What about this:
> Dec 23 12:08:49 mail1 dovecot: IMAP(geoff.sweet at test.com):
> open(/home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log)
> failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing
> +r perm: /home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log)
Is that file also owned by vmail:vmail? The error message shows that
vmail user doesn't have read access to the file. If that file is also
owned by vmail, I have only two ideas:
a) You have multiple vmail users. See that ls -ln shows the uids to be
actually 5000 and not something else.
b) SELinux or something similar is preventing the access to the files.
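Timo's two checks (numeric uids via ls -ln, and SELinux) and Geoff's audit2allow step are the generic triage path for a "Permission denied" that the DAC mode bits do not explain. The script below is an added example and is not part of the thread or of Dovecot: it reproduces the core of what audit2allow does, turning raw AVC denial lines into allow rules, so that the rules a module like the one above contains can be traced back to specific denials before loading it. The audit log lines in SAMPLE_AVC are constructed for the example; the function avc_to_allow and the variable names are the example's own.

```shell
#!/bin/sh
# Added example: collapse AVC denials into allow rules, as audit2allow does.
#
# Real workflow this mimics (not run here):
#   ls -lnZ /home/vmail/test.com/geoff.sweet/Maildir/dovecot.index.log
#       -> numeric uid/gid (Timo's check a) and the SELinux label
#   ausearch -m avc -ts recent | audit2allow -M DovecotDelivery
#   semodule -i DovecotDelivery.pp

# Constructed sample denials: two from an imap process on an index log, one
# from dovecot-auth connecting to MySQL. Not copied from a real system.
SAMPLE_AVC='type=AVC msg=audit(1261562929.101:301): avc:  denied  { read } for  pid=2101 comm="imap" name="dovecot.index.log" dev=sda3 ino=131077 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1261562929.102:302): avc:  denied  { write } for  pid=2101 comm="imap" name="dovecot.index.log" dev=sda3 ino=131077 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1261562929.103:303): avc:  denied  { name_connect } for  pid=2088 comm="dovecot-auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Read AVC lines on stdin, print one allow rule per (source type, target
# type, class), merging the permissions of repeated denials.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        # permissions sit between the braces after "denied"
        p = $0; sub(/.*denied *[{] */, "", p); sub(/ *[}].*/, "", p)
        # third colon-separated field of a context is its type
        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
        t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        key = sa[3] " " ta[3] ":" c
        if (key in perms) {
            n = split(p, pp, " ")
            for (i = 1; i <= n; i++)
                if (index(" " perms[key] " ", " " pp[i] " ") == 0)
                    perms[key] = perms[key] " " pp[i]
        } else {
            perms[key] = p
            order[++k] = key
        }
    }
    END {
        for (i = 1; i <= k; i++) {
            key = order[i]
            n = split(perms[key], pp, " ")
            if (n == 1) printf "allow %s %s;\n", key, perms[key]
            else        printf "allow %s { %s };\n", key, perms[key]
        }
    }'
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Read the output as a question, not an answer: a denial on user_home_dir_t for a Maildir means the mailbox tree carries a home-directory label, and relabelling it (semanage fcontext plus restorecon) keeps the policy tight, whereas an allow rule grants every IMAP process in dovecot_t that access to all user home content. Rules with no matching denial, like the execute grant above, are the ones to drop before loading the module.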