Missing permissions
Alex JOST
jost+lists at dimejo.at
Sat Apr 11 15:47:29 EEST 2020
On 11.04.2020 at 13:00, Andrei Petru Mura wrote:
> Hi,
>
> After configuring systemd unit with ReadWritePaths=/home/mail, I get the
> following error logs in audit:
> type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
> pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> scontext=system_u:system_r:dovecot_t:s0
> tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83
> success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8
> items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> subj=system_u:system_r:dovecot_t:s0 key=(null)
> type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
> type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
> pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> scontext=system_u:system_r:dovecot_t:s0
> tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21
> success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffffffe
> items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> subj=system_u:system_r:dovecot_t:s0 key=(null)
> type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
>
> I have SELinux enabled, on CentOS.
> If I run:
> audit2why < /var/log/audit/audit.log
>
> I get:
> type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
> pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> scontext=system_u:system_r:dovecot_t:s0
> tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> I think it's important to know that I'm trying to use dovecot with virtual
> users. If I try to configure it with PAM authentication using system users,
> it works well.
>
> Any suggestions on this?
Looks like /home/mail as mail store isn't included in the default
SELinux policy. Did you make sure that the correct SELinux type is set
on the directories?
https://www.unix.com/man-page/centos/8/dovecot_selinux/
If this isn't enough to get you going, you might need to create your own
policy. The following steps should be all that it takes to create your
own policy.
Check that grep includes only lines that you want included in your new
policy:
grep dovecot /var/log/audit/audit.log | audit2allow -w
Create your new policy for Dovecot and install it:
grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
semodule -i dovecot_custom.pp
--
Alex JOST
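Before piping the log into audit2allow, it helps to see exactly which (source domain, target type, class, permission) tuples a generated rule would grant; in the denials quoted above the target is etc_runtime_t on a Maildir directory, which points at a labelling problem rather than a missing rule. The following Python helper is an added example, not part of this thread, of Dovecot or of the SELinux tooling: it groups AVC and SYSCALL records by audit event id and tallies the tuples. The audit lines from the post are embedded as sample input (SYSCALL lines abbreviated), and the x86_64 syscall table is an assumption covering only the two numbers seen here.

```python
# Group SELinux AVC denials with their SYSCALL records and summarise them by
# source domain, target type, class and permission (added helper, not Dovecot's).
import re
from collections import Counter, defaultdict

# Sample input: the records from the thread, SYSCALL lines abbreviated.
SAMPLE = """\
type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83 success=no exit=-13 a0=55b493a7f338 a1=1ed pid=12750 uid=1005 tty=(none) comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21 success=no exit=-13 a0=55b493a7f508 a1=2 pid=12750 uid=1005 tty=(none) comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
"""
X86_64_SYSCALLS = {21: "access", 83: "mkdir"}  # arch=c000003e; assumed subset
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')  # key=value tokens

def parse_audit(text):
    """Return {event_id: {record_type: fields}}; same id means one event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KEYVAL.findall(line)}
        p = re.search(r"\{ ([^}]*) \}", line)  # "{ write }" -> ["write"]
        if p:
            fields["perms"] = p.group(1).split()
        events[m.group(1)][fields["type"]] = fields
    return events

def summarise(events):
    """One row per AVC record, joined with the syscall that triggered it."""
    rows = []
    for eid, recs in events.items():
        avc = recs.get("AVC")
        if not avc:
            continue
        num = int(recs.get("SYSCALL", {}).get("syscall", -1))
        rows.append({"event": eid, "comm": avc.get("comm"), "name": avc.get("name"),
                     "source": avc["scontext"].split(":")[2],   # e.g. dovecot_t
                     "target": avc["tcontext"].split(":")[2],   # e.g. etc_runtime_t
                     "tclass": avc["tclass"], "perms": avc.get("perms", []),
                     "syscall": X86_64_SYSCALLS.get(num, str(num)),
                     "enforced": avc.get("permissive") == "0"})
    return rows

def tally(rows):
    """Count (source, target, class, perm): the tuples an audit2allow rule would grant."""
    return Counter((r["source"], r["target"], r["tclass"], p) for r in rows for p in r["perms"])

if __name__ == "__main__":
    for key, n in tally(summarise(parse_audit(SAMPLE))).most_common():
        print(f"{n} x allow {key[0]} {key[1]}:{key[2]} {key[3]};")
```

Run against a real log with `parse_audit(open("/var/log/audit/audit.log").read())`; a target type such as etc_runtime_t under a mail directory is the signal to relabel rather than to allow.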