Hi Stephan,

> Normally, Dovecot permission errors are more helpful than that. So,
> this error message in itself is a bit of a bug:

I'm glad to have been able to help with this beta-test ;-)

> About the cause of this error: keep in mind that the whole directory
> path needs read/execute permission, not only the leaf directory.

Have checked. They are...

> You could try a command other than LISTSCRIPTS in your manual debugging
> efforts. That should take a different code path that provides a more
> detailed error.

I tried:

PUTSCRIPT "hutsefluts" {6+}
keep;

Gives the same result:

Feb 10 15:43:26 p150 dovecot[2042]: managesieve(rogier): Error: sieve: file storage: save: open(/home/rogier/sieve/tmp/hutsefluts_1486737806.M728733P6414.p150.sieve) failed: Permission denied

I have put a script named "std.sieve" in the sieve directory manually. Then the GETSCRIPT command gives some more information:

Feb 10 15:50:07 p150 dovecot[2042]: managesieve(rogier): Debug: sieve: file script: Opened script `std' from `/home/rogier/sieve/std.sieve'
Feb 10 15:50:07 p150 dovecot[2042]: managesieve(rogier): Error: sieve: file script: Failed to open sieve script: open(/home/rogier/sieve/std.sieve) failed: Permission denied (euid=1000(rogier) egid=100(users) UNIX perms appear ok (ACL/MAC wrong?))

So the UNIX permissions seem not to be the problem. The mention of ACL made me look into the audit.log.

There I found this:

type=AVC msg=audit(1486738207.203:354): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/managesieve" name="/home/rogier/sieve/std.sieve" pid=6414 comm="managesieve" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1486738207.203:354): arch=c000003e syscall=2 success=no exit=-13 a0=55e8920917d8 a1=0 a2=7fff73b41a14 a3=65766569732f7265 items=0 ppid=1861 pid=6414 auid=4294967295 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="managesieve" exe="/usr/lib/dovecot/managesieve" key=(null)
type=UNKNOWN[1327] msg=audit(1486738207.203:354): proctitle="dovecot/managesieve"

Looks like AppArmor says NO...

Does the apparmor profile for managesieve account for this or any other script store location? Or is the user expected to tweak apparmor profiles in such cases? Then I have to figure out how...

Regards,
Rogier
OK, I've figured it out:

In the dovecot profile for apparmor the sieve directory is not configured. I solved it this way:

To configure only one directory in the apparmor profile, I placed the active-script link inside the .sieve directory, keeping the scripts separate in a store subdirectory, like this:

In /etc/dovecot/conf.d/90-sieve.conf :

sieve = file:~/.sieve/store;active=~/.sieve/active.sieve

Then dovecot is granted access by adding the .sieve directory in the apparmor profile. The dovecot file in the tunables directory seems to be a neat way to do that:

In /etc/apparmor.d/tunables/dovecot :

@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ /var/spool/mail/ @{HOME}/.sieve/

Of course the .sieve directory is not really a MAILSTORE. But this way, the configuration stays close to the defaults. I didn't find something like DOVECOT_SIEVESTORE, which would be more appropriate.

After restart of apparmor and dovecot, it works!

@Stephan: thanks for the advice - it did help to pinpoint the problem!

Regards,
Rogier
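As an added example (not from this thread, and not Dovecot's or AppArmor's own code), a small Python script that parses AppArmor AVC denials out of constructed audit.log records modelled on the ones quoted above, and then checks which denied paths a given @{DOVECOT_MAILSTORE} value would cover once @{HOME} is substituted. It covers both the diagnosis (reading the denial) and the fix (extending the tunable); the sample records, the home directory, the function names and the simplified @{HOME} expansion are assumptions, not AppArmor's real tunable semantics.

```python
import re
from pathlib import PurePosixPath

# Constructed sample records, modelled on the AVC lines quoted in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1486738207.203:354): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/managesieve" name="/home/rogier/sieve/std.sieve" pid=6414 comm="managesieve" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1486738207.203:354): arch=c000003e syscall=2 success=no exit=-13 pid=6414 comm="managesieve" exe="/usr/lib/dovecot/managesieve"
type=AVC msg=audit(1486738300.001:360): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/managesieve" name="/home/rogier/Maildir/cur/1.mail" pid=6420 comm="managesieve" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value or key="quoted value" pairs as auditd writes them
KV_RE = re.compile(r'(\w+)="?([^"\s]*)"?')

def parse_apparmor_denials(log_text):
    """Return one dict of fields per AVC record that AppArmor marked DENIED."""
    denials = []
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        fields = dict(KV_RE.findall(line))
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials

def expand_tunable(tunable_value, home):
    """Split a space-separated tunable such as @{DOVECOT_MAILSTORE} into
    directories, substituting one concrete home directory for @{HOME}.
    Simplification (assumed): real AppArmor expands @{HOME} from @{HOMEDIRS}."""
    return [d.replace("@{HOME}", home) for d in tunable_value.split()]

def is_covered(path, allowed_dirs):
    """True when path equals, or lies below, one of allowed_dirs."""
    p = PurePosixPath(path)
    return any(PurePosixPath(d) == p or PurePosixPath(d) in p.parents
               for d in allowed_dirs)

def uncovered_denials(log_text, tunable_value, home):
    """Denied paths that the given tunable value would still not grant."""
    dirs = expand_tunable(tunable_value, home)
    return [d["name"] for d in parse_apparmor_denials(log_text)
            if not is_covered(d["name"], dirs)]

# Tunable value before and after the change described in the thread
MAILSTORE_BEFORE = "@{HOME}/Maildir/ /var/spool/mail/"
MAILSTORE_AFTER = MAILSTORE_BEFORE + " @{HOME}/.sieve/"

if __name__ == "__main__":
    for path in uncovered_denials(SAMPLE_AUDIT_LOG, MAILSTORE_AFTER, "/home/rogier"):
        print("still denied:", path)
```

Note that the denied path in the sample is ~/sieve, which even the extended tunable does not cover; that matches the thread, where the store was moved under ~/.sieve rather than ~/sieve being whitelisted.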
On 2/10/2017 at 5:05 PM, dovelist wrote:
> Hi Stephan,
>
>> Normally, Dovecot permission errors are more helpful than that. So, this
>> error message in itself is a bit of a bug:
>
> I'm glad to have been able to help with this beta-test ;-)
>
>
>> About the cause of this error: keep in mind that the whole directory
>> path needs read/execute permission, not only the leaf directory.
>
> Have checked. They are...
>
>
>> You could try a command other than LISTSCRIPTS in your manual debugging
>> efforts. That should take a different code path that provides a more
>> detailed error.
>
> I tried:
>
> PUTSCRIPT "hutsefluts" {6+}
> keep;
>
> Gives the same result:
>
> Feb 10 15:43:26 p150 dovecot[2042]: managesieve(rogier): Error: sieve:
> file storage: save:
> open(/home/rogier/sieve/tmp/hutsefluts_1486737806.M728733P6414.p150.sieve)
> failed: Permission denied

Ah, so there's more. Fixed that too:

https://github.com/dovecot/pigeonhole/commit/34d44f7ad9e872dec6ffa62de2642cb91ad5f6fc

Regards,

Stephan.
On 2/11/2017 at 3:24 PM, dovelist wrote:
> OK, I've figured it out:
>
> In the dovecot profile for apparmor the sieve directory is not
> configured. I solved it this way:
>
> To configure only one directory in the apparmor profile, I placed the
> active-script link inside the .sieve directory, keeping the scripts
> separate in a store subdirectory, like this:
> In /etc/dovecot/conf.d/90-sieve.conf :
>
> sieve = file:~/.sieve/store;active=~/.sieve/active.sieve
>
> Then dovecot is granted access by adding the .sieve directory in the
> apparmor profile. The dovecot file in the tunables directory seems to
> be a neat way to do that:
> In /etc/apparmor.d/tunables/dovecot :
>
> @{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ /var/spool/mail/ @{HOME}/.sieve/
>
> Of course the .sieve directory is not really a MAILSTORE. But this way,
> the configuration stays close to the defaults. I didn't find something
> like DOVECOT_SIEVESTORE, which would be more appropriate.
>
> After restart of apparmor and dovecot, it works!
>
> @Stephan: thanks for the advice - it did help to pinpoint the problem!

I have no experience with AppArmor. I assume these profile configuration files are created by the packagers for your distribution. You could talk to them to get this fixed in general.

Regards,

Stephan.