<div dir="ltr">Hi,<div><br></div><div>After configuring the systemd unit with ReadWritePaths=/home/mail, I get the following error logs in audit:</div><div>type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0<br>type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83 success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8 items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)<br>type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"<br>type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0<br>type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21 success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffffffe items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)<br>type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"<br></div><div><br></div><div>I have SELinux enabled, on CentOS.</div><div>If I run:</div><div>audit2why < /var/log/audit/audit.log<br></div><div><br></div><div>I get:</div><div>type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0<br><br> Was caused by:<br> Missing type enforcement (TE) allow rule.<br><br></div><div>I think it's important to know that I'm trying to use dovecot with virtual users. If I try to configure it with PAM authentication using system users, it works well.</div><div><br></div><div>Any suggestions on this?</div><div><br></div><div>Mura Andrei</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Apr 11, 2020 at 10:02 AM Andrei Petru Mura <<a href="mailto:mapandrei@gmail.com">mapandrei@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I think I found here what I'm interested in: <a href="https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/" target="_blank">https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/</a>.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Apr 11, 2020 at 9:52 AM Andrei Petru Mura <<a href="mailto:mapandrei@gmail.com" target="_blank">mapandrei@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Aki,<div><br></div><div>Thanks. I was especially interested in documentation related to dovecot and its users' permissions, the way in which dovecot uses users. Until now I have found only scattered information in different articles on dovecot's website.</div><div><br></div><div>Thanks,</div><div>Mura Andrei</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi <<a href="mailto:aki.tuomi@open-xchange.com" target="_blank">aki.tuomi@open-xchange.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
<a href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=" rel="noreferrer" target="_blank">https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=</a><br>
<br>
although we probably need to add some words into <a href="http://doc.dovecot.org" rel="noreferrer" target="_blank">doc.dovecot.org</a> under known issues.<br>
<br>
Aki<br>
<br>
> On 11/04/2020 09:24 Andrei Petru Mura <<a href="mailto:mapandrei@gmail.com" target="_blank">mapandrei@gmail.com</a>> wrote:<br>
> <br>
> <br>
> Hi Aki,<br>
> <br>
> Any documentation on this topic?<br>
> <br>
> Mura Andrei<br>
> <br>
> <br>
> On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi <<a href="mailto:aki.tuomi@open-xchange.com" target="_blank">aki.tuomi@open-xchange.com</a>> wrote:<br>
> > This is probably caused by systemd (or selinux or both).<br>
> > <br>
> > With systemd, you need to add<br>
> > <br>
> > ReadWritePaths=/home/mail<br>
> > <br>
> > to the systemd unit.<br>
> > <br>
> > Then you can check /var/log/audit/audit.log for any SELinux-specific problems, if you are using CentOS/Red Hat.<br>
> > <br>
> > Aki<br>
> > <br>
> > > On 06/04/2020 17:01 Andrei Petru Mura <<a href="mailto:mapandrei@gmail.com" target="_blank">mapandrei@gmail.com</a>> wrote:<br>
> > > <br>
> > > <br>
> > > Hi,<br>
> > > <br>
> > > Dovecot version 2.2.36<br>
> > > In log files I get this error:<br>
> > > dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir) failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))<br>
> > > <br>
> > > My authentication configuration is this:<br>
> > > passdb {<br>
> > > driver = passwd-file<br>
> > > args = username_format=%n /etc/dovecot/users<br>
> > > }<br>
> > > <br>
> > > userdb {<br>
> > > driver = static<br>
> > > args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n /etc/dovecot/users<br>
> > > <br>
> > > }<br>
> > > <br>
> > > /home/mail/domain/test directory is owned by vmail user.<br>
> > > How to fix this?<br>
> > > <br>
> > > Mura Andrei<br>
> ><br>
</blockquote></div>
</blockquote></div>
</blockquote></div>
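<div><br></div><div>Added example, written for this page and not code from the thread, from Dovecot or from the SELinux policy project. The AVC records posted above say what audit2why does not: the subject is dovecot_t and the denied object, the "Maildir" directory under /home/mail, is labelled etc_runtime_t. That is not a type the dovecot policy lets dovecot_t write, so the denial is a file-labelling problem on the mail tree, not a missing rule to be patched into policy, and systemd's ReadWritePaths= has no bearing on it (namespaces and SELinux are enforced independently). The script below parses records in the format shown in the thread, separates "wrong label on the object" from "policy really forbids it", and prints the relabel commands rather than running them. Assumptions: mail_home_rw_t is the type the stock Fedora/RHEL dovecot policy allows dovecot_t to manage for Maildir trees, and the stock file-context rule for it only covers a Maildir directly under a user's home, so a virtual-user layout like /home/mail/domain/%n needs its own rule. Both assumptions are checked by the sesearch and semanage lines the script prints; the sample record is the first AVC line posted in the thread.</div>

```shell
#!/bin/sh
# Added example (not from the thread or Dovecot): triage SELinux AVC denials
# against dovecot_t and print, never execute, the relabel fix.
#
# Assumptions, to be verified on the target system:
#   - audit records use the key=value layout shown in the thread;
#   - mail_home_rw_t is a type dovecot_t may manage (confirm with sesearch).

# Sample record: the first AVC line posted in the thread, copied verbatim.
SAMPLE_AVC='type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0'

# avc_field RECORD KEY: value of KEY=value in RECORD, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perm RECORD: the permission set inside "{ ... }", comma-joined ("write",
# "read,write"), so it always stays a single word.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//; s/  */,/g'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: "source_type perms class target_type object_name"
avc_summary() {
    rec=$1
    printf '%s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$rec" scontext)")" \
        "$(avc_perm "$rec")" \
        "$(avc_field "$rec" tclass)" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" name)"
}

# is_label_problem RECORD: succeeds when dovecot_t is denied on an object whose
# type is not one of the mail types, i.e. the file is mislabelled. audit2why
# reports that and a genuine policy gap identically ("missing TE allow rule").
is_label_problem() {
    set -- $(avc_summary "$1")    # split on purpose: $1=src $4=target type
    [ "$1" = dovecot_t ] || return 1
    case "$4" in
        mail_home_rw_t|mail_spool_t|dovecot_*) return 1 ;;
    esac
    return 0
}

# suggest_relabel PATH [TYPE]: commands that make PATH and everything under it
# carry TYPE persistently. Printed for review; run them as root afterwards.
suggest_relabel() {
    path=$1
    want=${2:-mail_home_rw_t}    # assumption, see comment at top
    printf 'sesearch -A -s dovecot_t -t %s -c dir -p write   # must list an allow rule\n' "$want"
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$want" "$path"
    printf 'restorecon -Rv "%s"\n' "$path"
}

# Stand-alone run over the sample record.
if is_label_problem "$SAMPLE_AVC"; then
    printf 'mislabelled object: %s\n' "$(avc_summary "$SAMPLE_AVC")"
    suggest_relabel /home/mail
fi
```

<div>Before relabelling, compare what the directory carries now with what the policy expects, with <code>ls -Zd /home/mail/domain/test/Maildir</code> and <code>matchpathcon /home/mail/domain/test/Maildir</code>; if matchpathcon already prints a mail type, a plain <code>restorecon -Rv /home/mail</code> is enough and no new fcontext rule is needed. Feed the script real records with <code>ausearch -m avc -c imap</code>. Only if sesearch shows no allow rule for the chosen type is a custom policy module (audit2allow) the right tool; in the posted case the object type, not the policy, is what is wrong.</div>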