Missing permissions

Andrei Petru Mura mapandrei at gmail.com
Sat Apr 11 14:00:49 EEST 2020


Hi,

After configuring the systemd unit with ReadWritePaths=/home/mail, I get the
following error logs in audit:
type=AVC msg=audit(1586604621.637:6736): avc:  denied  { write } for
 pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83
success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
type=AVC msg=audit(1586604621.638:6737): avc:  denied  { write } for
 pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21
success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffffffe
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"

I have SELinux enabled, on CentOS.
If I run:
audit2why < /var/log/audit/audit.log

I get:
type=AVC msg=audit(1586601301.044:6707): avc:  denied  { write } for
 pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0

Was caused by:
Missing type enforcement (TE) allow rule.

I think it's important to know that I'm trying to use dovecot with virtual
users. If I try to configure it with PAM authentication using system users,
it works well.

Any suggestions on this?

Mura Andrei

On Sat, Apr 11, 2020 at 10:02 AM Andrei Petru Mura <mapandrei at gmail.com>
wrote:

> I think I found here what I'm interested in:
> https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/.
>
> On Sat, Apr 11, 2020 at 9:52 AM Andrei Petru Mura <mapandrei at gmail.com>
> wrote:
>
>> Hi Aki,
>>
>> Thanks. I was especially interested in documentation related to dovecot
>> and its users' permissions, the way in which dovecot uses users. Till now I
>> found only spread information on different articles from dovecot's website.
>>
>> Thanks,
>> Mura Andrei
>>
>> On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi <aki.tuomi at open-xchange.com>
>> wrote:
>>
>>> Hi,
>>>
>>>
>>> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
>>>
>>> although we probably need to add some words into doc.dovecot.org under
>>> known issues.
>>>
>>> Aki
>>>
>>> > On 11/04/2020 09:24 Andrei Petru Mura <mapandrei at gmail.com> wrote:
>>> >
>>> >
>>> > Hi Aki,
>>> >
>>> > Any documentation on this topic?
>>> >
>>> > Mura Andrei
>>> >
>>> >
>>> > On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi <aki.tuomi at open-xchange.com>
>>> wrote:
>>> > > This is probably caused by systemd (or selinux or both).
>>> > >
>>> > >  With systemd, you need to add
>>> > >
>>> > >  ReadWritePaths=/home/mail
>>> > >
>>> > >  to the systemd unit.
>>> > >
>>> > >  Then you can check /var/log/audit/audit.log for any SELinux-specific
>>> > >  problems, if you are using CentOS/Red Hat.
>>> > >
>>> > >  Aki
>>> > >
>>> > >  > On 06/04/2020 17:01 Andrei Petru Mura <mapandrei at gmail.com>
>>> wrote:
>>> > >  >
>>> > >  >
>>> > >  > Hi,
>>> > >  >
>>> > >  > Dovecot version 2.2.36
>>> > >  > In log files I get this error:
>>> > >  > dovecot: imap(test): Namespace '':
>>> mkdir(/home/mail/domain/test/Maildir) failed: Permission denied
>>> (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX
>>> perms appear ok (ACL/MAC wrong?))
>>> > >  >
>>> > >  > My authentication configuration is this:
>>> > >  > passdb {
>>> > >  > driver = passwd-file
>>> > >  > args = username_format=%n /etc/dovecot/users
>>> > >  > }
>>> > >  >
>>> > >  > userdb {
>>> > >  > driver = static
>>> > >  > args = uid=vmail gid=vmail home=/home/mail/domain/%n
>>> username_format=%n /etc/dovecot/users
>>> > >  >
>>> > >  > }
>>> > >  >
>>> > >  > /home/mail/domain/test directory is owned by vmail user.
>>> > >  > How to fix this?
>>> > >  >
>>> > >  > Mura Andrei
>>> > >
>>>
>>
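One way to make audit records like the ones above easier to read, as an added example that is not part of this thread: the script pairs each AVC record with the SYSCALL record carrying the same event serial, names the syscall (x86_64 numbers, which arch=c000003e indicates) and counts denials by source type, permission, target type and object class. The sample log is constructed from the two AVC/SYSCALL pairs quoted in the post, re-joined onto single lines, and the syscall table is deliberately limited to a handful of x86_64 numbers.

```python
import re
from collections import Counter

# Constructed sample: the two AVC/SYSCALL pairs quoted above, re-joined onto single lines.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1586604621.637:6736): avc:  denied  { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83 success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8 items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1586604621.638:6737): avc:  denied  { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21 success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffffffe items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')  # key=value, key="v", key=(none)
PERM_RE = re.compile(r'denied\s+\{([^}]*)\}')  # the { write } part of an AVC record
EVENT_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # audit(<timestamp>:<serial>)
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 4: "stat", 21: "access", 83: "mkdir"}  # x86_64 only

def parse_record(line):
    """Split one audit record into fields; add the event serial and AVC permissions."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ev, perms = EVENT_RE.search(line), PERM_RE.search(line)
    rec["event"] = ev.group(1) if ev else None
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def correlate(log_text):
    """Pair each AVC denial with the SYSCALL record sharing its event serial."""
    by_event = {}
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        by_event.setdefault(rec["event"], {})[rec.get("type")] = rec
    denials = []
    for event, recs in by_event.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None:
            continue
        nr = int(sc["syscall"]) if "syscall" in sc else None
        denials.append({"event": event, "perms": avc["perms"], "tclass": avc["tclass"],
                        "source_type": avc["scontext"].split(":")[2],  # user:role:type:level
                        "target_type": avc["tcontext"].split(":")[2], "name": avc.get("name"),
                        "syscall": SYSCALL_NAMES.get(nr, nr), "exit": sc.get("exit")})
    return denials

def summarize(denials):
    """Count distinct (source type, permission, target type, class) tuples."""
    return Counter((d["source_type"], p, d["target_type"], d["tclass"])
                   for d in denials for p in d["perms"])

if __name__ == "__main__":
    for d in correlate(SAMPLE_AUDIT_LOG):
        print(f'{d["event"]}: {d["syscall"]}() on {d["name"]!r} {d["tclass"]}: {d["source_type"]} -> {d["target_type"]} denied {d["perms"]} exit={d["exit"]}')
```

On a real system, correlate(open("/var/log/audit/audit.log").read()) gives the same view of the live log. For the records above the summary is dovecot_t denied write on a dir labelled etc_runtime_t, which points at the label on the Maildir tree under /home/mail (check with ls -Z, fix with restorecon or a semanage fcontext rule) rather than at a missing allow rule.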