Missing permissions

Andrei Petru Mura mapandrei at gmail.com
Mon Apr 13 09:21:53 EEST 2020


Hi Aki,

You did a great job. God bless you! :)
I think it will work now. I'll come with feedback if that's the case after
applying this on my server. I just want to mention one little thing below
(which possibly has some importance).
In my system, instead of /home/mail/domain/test/Maildir, I have
/some_other_custom_dir/mail/my_domain_name/test/Maildir/. From
dovecot_selinux's man page I can see that mail_home_rw_t directories
are:
            /root/Maildir(/.*)?
            /root/.esmtp_queue(/.*)?
            /home/[^/]+/.maildir(/.*)?
            /home/[^/]+/Maildir(/.*)?
            /home/[^/]+/.esmtp_queue(/.*)?
which anyway, seems to me, doesn't match the initial directory path which I
provided (it's the first time when I knowledgeably interact with SELinux).
I think this shouldn't impact the documented issue, but if you think it
does, I wanted to inform you.

Thanks and have a nice day,
Mura Andrei

On Sun, Apr 12, 2020 at 10:52 PM Aki Tuomi <aki.tuomi at open-xchange.com>
wrote:

>
> > On 11/04/2020 15:57 Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> >
> > > On 11/04/2020 15:47 Alex JOST <jost+lists at dimejo.at> wrote:
> > >
> > > On 11.04.2020 at 13:00 Andrei Petru Mura wrote:
> > > > Hi,
> > > >
> > > > After configuring systemd unit with ReadWritePaths=/home/mail, I get the
> > > > following error logs in audit:
> > > > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
> > > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > > scontext=system_u:system_r:dovecot_t:s0
> > > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > > type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83
> > > > success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8
> > > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
> > > > type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
> > > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > > scontext=system_u:system_r:dovecot_t:s0
> > > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > > type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21
> > > > success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffffffe
> > > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
> > > >
> > > > I have SELinux enabled, on CentOS.
> > > > If I run:
> > > > audit2why < /var/log/audit/audit.log
> > > >
> > > > I get:
> > > > type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
> > > > pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > > scontext=system_u:system_r:dovecot_t:s0
> > > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > >
> > > > Was caused by:
> > > > Missing type enforcement (TE) allow rule.
> > > >
> > > > I think it's important to know that I'm trying to use dovecot with virtual
> > > > users. If I try to configure it with PAM authentication using system users,
> > > > it works well.
> > > >
> > > > Any suggestions on this?
> > >
> > > Looks like /home/mail as mail store isn't included in the default
> > > SELinux policy. Did you make sure that the correct SELinux type is set
> > > on the directories?
> > > https://www.unix.com/man-page/centos/8/dovecot_selinux/
> > >
> > > If this isn't enough to get you going you might need to create your own
> > > policy. The following steps should be all that it takes to create your
> > > own policy.
> > >
> > > Check that grep includes only lines that you want included in your new
> > > policy:
> > > grep dovecot /var/log/audit/audit.log | audit2allow -w
> > >
> > > Create your new policy for Dovecot and install it:
> > > grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> > > semodule -i dovecot_custom.pp
> > >
> > > --
> > > Alex JOST
> >
> > Or just label the directory with mail_home_rw_t
> >
> > ---
> > Aki Tuomi
>
> I took the time to document suitable approach to this problem. You can
> check it here https://github.com/dovecot/documentation/pull/63/files
>
> Aki
>
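The thread offers two fixes for the denial above: generate an allow rule with audit2allow, or relabel the mail store with mail_home_rw_t. The AVC itself shows why the second is the right one here: the target is labeled etc_runtime_t, which is a mislabel for a Maildir, so an audit2allow module would grant dovecot_t write access to every etc_runtime_t directory instead of fixing the label. The script below is an added example, not code from the thread or from the Dovecot project. It parses AVC records (the sample records are constructed to match the shape of the ones posted) and prints the persistent relabel for a mail root; /srv/mail is a hypothetical path standing in for the custom directory Andrei describes, which the default fcontext patterns (/home/[^/]+/Maildir and friends) do not cover.

```shell
#!/bin/sh
# Added example, not from the thread or the Dovecot project: summarise
# dovecot_t AVC denials and emit a relabeling plan for a custom mail root.
# /srv/mail is a hypothetical path; the audit records below are constructed
# to match the shape of the ones posted in the thread.
set -eu

SAMPLE_AVC='type=AVC msg=audit(1586604621.637:6736): avc:  denied  { write } for  pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83 success=no exit=-13 comm="imap" exe="/usr/libexec/dovecot/imap"
type=AVC msg=audit(1586604621.638:6737): avc:  denied  { write } for  pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0'

# avc_denials SOURCE_TYPE: read audit records on stdin and print one
# "target_type tclass permission" line per distinct denial for that domain.
# Read this before choosing between relabeling and audit2allow: a target
# type such as etc_runtime_t on a Maildir means the files are mislabeled,
# and an allow rule for that type would be far broader than intended.
avc_denials() {
    grep 'type=AVC' | grep "scontext=[^ ]*:$1:" \
      | sed -n 's/.*denied *{ *\([a-z_ ]*[a-z_]\) *}.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\2 \3 \1/p' \
      | sort -u
}

# relabel_plan MAIL_ROOT: print the commands that make the label persistent
# (semanage fcontext) and apply it to the existing tree (restorecon).
# A persistent rule is needed because the stock policy only matches paths
# like /home/[^/]+/Maildir(/.*)?, so a custom root would lose a plain chcon
# on the next relabel.
relabel_plan() {
    root=${1%/}
    printf 'semanage fcontext -a -t mail_home_rw_t "%s(/.*)?"\n' "$root"
    printf 'restorecon -Rv "%s"\n' "$root"
}

# Dry run: show what was denied and the plan; nothing is applied here.
echo "Denials for dovecot_t (target_type tclass permission):"
printf '%s\n' "$SAMPLE_AVC" | avc_denials dovecot_t
echo
echo "Relabel plan (run as root after review, then confirm with: ls -dZ /srv/mail):"
relabel_plan /srv/mail
```

On a real host, feed `avc_denials dovecot_t` from /var/log/audit/audit.log instead of the sample, and after restorecon confirm with `ls -dZ` that the Maildir now shows mail_home_rw_t before restarting Dovecot; if denials remain against a correctly labeled target, that is the point at which Alex's audit2allow route (with `-w` first, to read what the module would allow) becomes the appropriate next step.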