Missing permissions

Aki Tuomi aki.tuomi at open-xchange.com
Sun Apr 12 22:52:37 EEST 2020


> On 11/04/2020 15:57 Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> 
> > > On 11/04/2020 15:47 Alex JOST <jost+lists at dimejo.at> wrote:
> > 
> > On 11.04.2020 at 13:00, Andrei Petru Mura wrote:
> > > Hi,
> > > 
> > > 
> > > After configuring systemd unit with ReadWritePaths=/home/mail, I get the
> > > following error logs in audit:
> > > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
> > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83
> > > success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8
> > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
> > > type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
> > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21
> > > success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffffffe
> > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
> > > 
> > > 
> > > I have SELinux enabled, on CentOS.
> > > If I run:
> > > audit2why < /var/log/audit/audit.log
> > > 
> > > 
> > > I get:
> > > type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
> > > pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > 
> > > 
> > > Was caused by:
> > > Missing type enforcement (TE) allow rule.
> > > 
> > > 
> > > I think it's important to know that I'm trying to use dovecot with virtual
> > > users. If I try to configure it with PAM authentication using system users,
> > > it works well.
> > > 
> > > 
> > > Any suggestions on this?
> > Looks like /home/mail as mail store isn't included in the default
> > SELinux policy. Did you make sure that the correct SELinux type is set
> > on the directories?
> > https://www.unix.com/man-page/centos/8/dovecot_selinux/
> > 
> > If this isn't enough to get you going you might need to create your own
> > policy. The following steps should be all that it takes to create your
> > own policy.
> > 
> > 
> > Check that grep includes only lines that you want included in your new
> > policy:
> > grep dovecot /var/log/audit/audit.log | audit2allow -w
> > 
> > 
> > Create your new policy for Dovecot and install it:
> > grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> > semodule -i dovecot_custom.pp
> > 
> > 
> > --
> > Alex JOST
> 
> Or just label the directory with mail_home_rw_t
> 
> 
> ---
> Aki Tuomi
>

I took the time to document a suitable approach to this problem. You can check it here: https://github.com/dovecot/documentation/pull/63/files

Aki
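Pulling the two fixes from this thread together as an added example (not from the thread, from Dovecot, or from the documentation PR): a POSIX shell script that summarises AVC denials per source domain, so you can see exactly what a custom module built with audit2allow -M would grant, and prints the persistent mail_home_rw_t relabel for the mail store. The audit records are constructed to match the ones quoted above, and /home/mail is the path from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): summarise SELinux AVC
# denials per source domain before building a custom policy, and print the
# labelling fix suggested upthread (mail_home_rw_t). Runs anywhere: nothing
# here calls semanage or audit2allow, it only shows what they would act on.

# Constructed sample in audit.log format; the dovecot_t records mirror the
# ones quoted in the thread, the postfix_t record is noise that a bare
# "grep dovecot" pipeline would not see but a broader grep might.
AUDIT_SAMPLE='type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83 success=no exit=-13
type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1586604621.700:6738): avc: denied { read } for pid=12760 comm="cleanup" name="main.cf" scontext=system_u:system_r:postfix_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file permissive=0'

# avc_summary DOMAIN: read audit records on stdin and print one line per
# distinct "perm tclass target-type" that DOMAIN was denied, with a count.
# Reviewing this is the manual equivalent of "audit2allow -w": every line
# is a rule a custom module would add, so each one should be justified.
avc_summary() {
  awk -v dom="$1" '
    /^type=AVC/ {
      s = index($0, "{"); e = index($0, "}")
      perm = substr($0, s + 2, e - s - 3)          # text between "{ " and " }"
      stype = ""; ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") { split(kv[2], p, ":"); stype = p[3] }
        if (kv[1] == "tcontext") { split(kv[2], p, ":"); ttype = p[3] }
        if (kv[1] == "tclass")   tclass = kv[2]
      }
      if (stype == dom) count[perm " " tclass " " ttype]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# label_fix DIR: the persistent relabel for a mail store outside the default
# policy paths. semanage records the rule so restorecon (and future relabels)
# apply it; the commands are printed rather than run so this stays safe to try.
label_fix() {
  printf 'semanage fcontext -a -t mail_home_rw_t "%s(/.*)?"\n' "$1"
  printf 'restorecon -Rv "%s"\n' "$1"
}

printf '%s\n' "$AUDIT_SAMPLE" | avc_summary dovecot_t   # 2 write dir etc_runtime_t
label_fix /home/mail
```

On a live box, replace the sample with `avc_summary dovecot_t < /var/log/audit/audit.log`; if the only denials are writes to the mail store's directory type, the relabel is the narrower fix and no custom module is needed.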

