<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 11/04/2020 15:47 Alex JOST <
<a
href="mailto:jost+lists@dimejo.at">jost+lists@dimejo.at</a>>
wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
On 11.04.2020 at 13:00, Andrei Petru Mura wrote:
</div>
<blockquote type="cite">
<div>
Hi,
</div>
<div>
<br>
</div>
<div>
After configuring systemd unit with ReadWritePaths=/home/mail, I get the
</div>
<div>
following error logs in audit:
</div>
<div>
type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
</div>
<div>
pid=12750 comm="imap" name="Maildir"
dev="dm-3" ino=438370738
</div>
<div>
scontext=system_u:system_r:dovecot_t:s0
</div>
<div>
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
</div>
<div>
type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83
</div>
<div>
success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8
</div>
<div>
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
</div>
<div>
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
</div>
<div>
ses=4294967295 comm="imap"
exe="/usr/libexec/dovecot/imap"
</div>
<div>
subj=system_u:system_r:dovecot_t:s0 key=(null)
</div>
<div>
type=PROCTITLE msg=audit(1586604621.637:6736):
proctitle="dovecot/imap"
</div>
<div>
type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
</div>
<div>
pid=12750 comm="imap" name="Maildir"
dev="dm-3" ino=438370738
</div>
<div>
scontext=system_u:system_r:dovecot_t:s0
</div>
<div>
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
</div>
<div>
type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21
</div>
<div>
success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffffffe
</div>
<div>
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
</div>
<div>
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
</div>
<div>
ses=4294967295 comm="imap"
exe="/usr/libexec/dovecot/imap"
</div>
<div>
subj=system_u:system_r:dovecot_t:s0 key=(null)
</div>
<div>
type=PROCTITLE msg=audit(1586604621.638:6737):
proctitle="dovecot/imap"
</div>
<div>
<br>
</div>
<div>
I have SELinux enabled, on CentOS.
</div>
<div>
If I run:
</div>
<div>
audit2why < /var/log/audit/audit.log
</div>
<div>
<br>
</div>
<div>
I get:
</div>
<div>
type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
</div>
<div>
pid=9930 comm="imap" name="Maildir"
dev="dm-3" ino=438370738
</div>
<div>
scontext=system_u:system_r:dovecot_t:s0
</div>
<div>
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
</div>
<div>
<br>
</div>
<div>
Was caused by:
</div>
<div>
Missing type enforcement (TE) allow rule.
</div>
<div>
<br>
</div>
<div>
I think it's important to know that I'm trying to use dovecot with
virtual
</div>
<div>
users. If I try to configure it with PAM authentication using system users,
</div>
<div>
it works well.
</div>
<div>
<br>
</div>
<div>
Any suggestions on this?
</div>
</blockquote>
<div>
Looks like /home/mail as mail store isn't included in the default
</div>
<div>
SELinux policy. Did you make sure that the correct SELinux type is set
</div>
<div>
on the directories?
</div>
<div>
<a
href="https://www.unix.com/man-page/centos/8/dovecot_selinux/"
rel="noopener"
target="_blank">https://www.unix.com/man-page/centos/8/dovecot_selinux/</a>
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
If this isn't enough to get you going you might need to create your own
</div>
<div>
policy. The following steps should be all that it takes to create your
</div>
<div>
own policy.
</div>
<div>
<br>
</div>
<div>
Check that grep includes only lines that you want included in your new
</div>
<div>
policy:
</div>
<div>
grep dovecot /var/log/audit/audit.log | audit2allow -w
</div>
<div>
<br>
</div>
<div>
Create your new policy for Dovecot and install it:
</div>
<div>
grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
</div>
<div>
semodule -i dovecot_custom.pp
</div>
<div>
<br>
</div>
<div>
--
</div>
<div>
Alex JOST
</div>
</blockquote>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
Or just label the directory with mail_home_rw_t
</div>
<div>
<br>
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
</body>
</html>
> On 11/04/2020 15:57 Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>
> > On 11/04/2020 15:47 Alex JOST <jost+lists at dimejo.at> wrote:
> >
> > On 11.04.2020 at 13:00, Andrei Petru Mura wrote:
> > > Hi,
> > >
> > > After configuring systemd unit with ReadWritePaths=/home/mail, I get the
> > > following error logs in audit:
> > > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
> > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83
> > > success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8
> > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
> > > type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
> > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21
> > > success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffffffe
> > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
> > >
> > > I have SELinux enabled, on CentOS.
> > > If I run:
> > > audit2why < /var/log/audit/audit.log
> > >
> > > I get:
> > > type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
> > > pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > >
> > > Was caused by:
> > > Missing type enforcement (TE) allow rule.
> > >
> > > I think it's important to know that I'm trying to use dovecot with virtual
> > > users. If I try to configure it with PAM authentication using system users,
> > > it works well.
> > >
> > > Any suggestions on this?
> >
> > Looks like /home/mail as mail store isn't included in the default
> > SELinux policy. Did you make sure that the correct SELinux type is set
> > on the directories?
> > https://www.unix.com/man-page/centos/8/dovecot_selinux/
> >
> > If this isn't enough to get you going you might need to create your own
> > policy. The following steps should be all that it takes to create your
> > own policy.
> >
> > Check that grep includes only lines that you want included in your new
> > policy:
> > grep dovecot /var/log/audit/audit.log | audit2allow -w
> >
> > Create your new policy for Dovecot and install it:
> > grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> > semodule -i dovecot_custom.pp
> >
> > --
> > Alex JOST
>
> Or just label the directory with mail_home_rw_t
>
> ---
> Aki Tuomi

I took the time to document a suitable approach to this problem. You can check it here https://github.com/dovecot/documentation/pull/63/files

Aki
Hi Aki,
You did a great job. God bless you! :)
I think it will work now. I'll come with feedback if that's the case after
applying this on my server. I just want to mention one little thing below
(which possibly has some importance).
In my system, instead of /home/mail/domain/test/Maildir, I have
*/some_other_custom_dir/mail/my_domain_name/test/Maildir/*. From
*dovecot_selinux*'s man page I can see that *mail_home_rw_t* directories
are:
/root/Maildir(/.*)?
/root/.esmtp_queue(/.*)?
/home/[^/]+/.maildir(/.*)?
/home/[^/]+/Maildir(/.*)?
/home/[^/]+/.esmtp_queue(/.*)?
which anyway, seems to me, doesn't match the initial directory path which I
provided (it's the first time when I knowledgeably interact with SELinux).
I think this shouldn't impact the documented issue, but if you think it
does, I wanted to inform you.
Thanks and have a nice day,
Mura Andrei
On Sun, Apr 12, 2020 at 10:52 PM Aki Tuomi <aki.tuomi at open-xchange.com>
wrote:
> I took the time to document suitable approach to this problem. You can
> check it here https://github.com/dovecot/documentation/pull/63/files
>
> Aki
>
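The script below is an added example, not code from this thread, from the Dovecot project or from the documentation pull request Aki links. It does two things the discussion above turns on: it parses AVC records like the ones Andrei quoted (rejoined onto one line each, as auditd writes them) to show which Dovecot type was denied which permission on which target type, and it checks a Maildir path against the mail_home_rw_t file-context patterns Andrei lists from the dovecot_selinux man page, which is why a store outside /home/<user>/ gets no mail label by default and ends up with a denial against etc_runtime_t. For an unlabeled path it prints the `semanage fcontext` / `restorecon` pair that gives the directory the mail_home_rw_t label Aki suggests; that remediation is the example's own suggestion, the sample path /some_other_custom_dir/mail and the helper names are assumptions, and the sample log is constructed from the thread's records.

```python
import re

# Constructed sample: the two AVC records from the report above, plus the SYSCALL
# record that follows the first, each rejoined onto a single line as auditd writes it.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 '
    'comm="imap" name="Maildir" dev="dm-3" ino=438370738 '
    'scontext=system_u:system_r:dovecot_t:s0 '
    'tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83 '
    'success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8 '
    'items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 '
    'suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) '
    'ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" '
    'subj=system_u:system_r:dovecot_t:s0 key=(null)',
    'type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 '
    'comm="imap" name="Maildir" dev="dm-3" ino=438370738 '
    'scontext=system_u:system_r:dovecot_t:s0 '
    'tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0',
])

# File-context patterns for mail_home_rw_t exactly as listed in the thread from the
# dovecot_selinux man page. SELinux matches these as anchored regexes over the full path.
MAIL_HOME_RW_T_PATTERNS = [
    r"/root/Maildir(/.*)?",
    r"/root/.esmtp_queue(/.*)?",
    r"/home/[^/]+/.maildir(/.*)?",
    r"/home/[^/]+/Maildir(/.*)?",
    r"/home/[^/]+/.esmtp_queue(/.*)?",
]

# Fields of an AVC record we care about: permissions, process name, target name,
# source and target security contexts, and the object class.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+'
    r'.*?comm="(?P<comm>[^"]*)"(?:\s+name="(?P<name>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(log_text):
    """Return one dict per AVC denial with the denied permissions and the
    source/target types (third field of user:role:type:level)."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PROCTITLE and other record types are skipped
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials


def path_is_labeled_mail_home_rw(path, patterns=MAIL_HOME_RW_T_PATTERNS):
    """True if the default file contexts would give this path mail_home_rw_t."""
    return any(re.fullmatch(p, path) for p in patterns)


def suggest_fcontext_rule(maildir_root, ftype="mail_home_rw_t"):
    """Commands that persistently label a mail store outside /home/<user>/ (assumed
    remediation, written in the same pattern style as the man-page entries)."""
    pattern = f"{maildir_root.rstrip('/')}(/.*)?"
    return [
        f'semanage fcontext -a -t {ftype} "{pattern}"',
        f"restorecon -Rv {maildir_root}",
    ]


def diagnose(log_text, maildir_root):
    """Summarise Dovecot denials and, if the store path carries no mail label by
    default, the labeling commands that would fix it."""
    report = {
        "dovecot_denials": [],
        "path_labeled": path_is_labeled_mail_home_rw(maildir_root),
        "fix": [],
    }
    for d in parse_avc_denials(log_text):
        if d["stype"] == "dovecot_t":
            report["dovecot_denials"].append((d["ttype"], d["tclass"], tuple(d["perms"])))
    if report["dovecot_denials"] and not report["path_labeled"]:
        report["fix"] = suggest_fcontext_rule(maildir_root)
    return report


if __name__ == "__main__":
    # Assumed custom store path, modelled on the one Andrei describes.
    for line in diagnose(SAMPLE_AUDIT_LOG, "/some_other_custom_dir/mail")["fix"]:
        print(line)
```

Run it and the two denials resolve to dovecot_t writing to a dir labeled etc_runtime_t; neither /home/mail/domain/test/Maildir nor the custom path matches any man-page pattern, which is the observation Andrei makes, so a per-path fcontext rule (or a policy module built with audit2allow as Alex describes) is needed before restorecon can apply the mail label.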