Managesieve cannot access script store

dovelist dovelist at tesla.demon.nl
Fri Feb 10 16:05:15 UTC 2017


Hi Stephan,

> Normally, Dovecot permission errors are more helpful than that. So, this
> error message in itself is a bit of a bug:

I'm glad to have been able to help with this beta-test ;-)


> About the cause of this error: keep in mind that the whole directory
> path needs read/execute permission, not only the leaf directory.

Have checked. They are...


> You could try a command other than LISTSCRIPTS in your manual debugging
> efforts. That should take a different code path that provides a more
> detailed error.

I tried:

PUTSCRIPT "hutsefluts" {6+}
keep;

Gives the same result:

Feb 10 15:43:26 p150 dovecot[2042]: managesieve(rogier): Error: sieve: 
file storage: save: 
open(/home/rogier/sieve/tmp/hutsefluts_1486737806.M728733P6414.p150.sieve) 
failed: Permission denied

I have put a script named "std.sieve" in the sieve directory manually. 
Then the GETSCRIPT command gives some more information:

Feb 10 15:50:07 p150 dovecot[2042]: managesieve(rogier): Debug: sieve: 
file script: Opened script `std' from `/home/rogier/sieve/std.sieve'
Feb 10 15:50:07 p150 dovecot[2042]: managesieve(rogier): Error: sieve: 
file script: Failed to open sieve script: 
open(/home/rogier/sieve/std.sieve) failed: Permission denied 
(euid=1000(rogier) egid=100(users) UNIX perms appear ok (ACL/MAC 
wrong?))


So the UNIX permissions seem not to be the problem. The mentioning of 
ACL made me look into the audit.log. There I found this:

type=AVC msg=audit(1486738207.203:354): apparmor="DENIED" 
operation="open" profile="/usr/lib/dovecot/managesieve" 
name="/home/rogier/sieve/std.sieve" pid=6414 comm="managesieve" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1486738207.203:354): arch=c000003e syscall=2 
success=no exit=-13 a0=55e8920917d8 a1=0 a2=7fff73b41a14 
a3=65766569732f7265 items=0 ppid=1861 pid=6414 auid=4294967295 
uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 
sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="managesieve" 
exe="/usr/lib/dovecot/managesieve" key=(null)
type=UNKNOWN[1327] msg=audit(1486738207.203:354): 
proctitle="dovecot/managesieve"

Looks like AppArmor says NO...
Does the apparmor profile for managesieve account for this or any other 
script store location?
Or is the user expected to tweak apparmor profiles in such cases? Then I 
have to figure out how...

Regards,
Rogier
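
The audit.log check described in the message above, as an added example that is not part of the original post or of Dovecot: it groups AppArmor DENIED records by profile and path and prints candidate file rules to review before adding them to that profile. The function names are hypothetical, the second sample record is constructed, and only read/write masks are handled.

```python
import re
from collections import defaultdict
# Record 1 is the AVC line from the message above, re-joined onto one line.
# Record 2 is constructed; record 3 is the page's SYSCALL record, shortened.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1486738207.203:354): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/dovecot/managesieve" name="/home/rogier/sieve/std.sieve" '
    'pid=6414 comm="managesieve" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000\n'
    'type=AVC msg=audit(1486737806.728:350): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/dovecot/managesieve" '
    'name="/home/rogier/sieve/tmp/hutsefluts_1486737806.M728733P6414.p150.sieve" '
    'pid=6414 comm="managesieve" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000\n'
    'type=SYSCALL msg=audit(1486738207.203:354): arch=c000003e syscall=2 success=no exit=-13\n'
)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for key, quoted, bare in KV.findall(line):
        fields[key] = bare if bare else quoted
        # Names with spaces or control bytes are logged unquoted and hex-encoded.
        if key == "name" and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
    return fields

def denials(log_text):
    """Group AppArmor DENIED records by (profile, path), merging denied masks."""
    grouped = defaultdict(lambda: {"mask": set(), "owner": True})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue  # SYSCALL, PROCTITLE and non-file records carry no rule
        entry = grouped[(rec.get("profile", "?"), rec["name"])]
        entry["mask"].update(rec.get("denied_mask", ""))
        # Suggest 'owner' only if every denial hit a file the caller owns.
        entry["owner"] &= rec.get("fsuid") is not None and rec.get("fsuid") == rec.get("ouid")
    return grouped

def candidate_rules(log_text):
    """Map profile name -> candidate rule lines (for review, not auto-apply)."""
    rules = defaultdict(list)
    for (profile, path), e in sorted(denials(log_text).items()):
        # Log masks c (create) and d (delete) are covered by 'w' in a profile.
        perms = ("r" if "r" in e["mask"] else "") + ("w" if e["mask"] & set("wcd") else "")
        shown = f'"{path}"' if " " in path else path  # quote paths with spaces
        if perms:
            rules[profile].append(f"{'owner ' if e['owner'] else ''}{shown} {perms},")
    return dict(rules)
```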

