[Dovecot] Dovecot + SELinux permission problems - Virtual user permissions?

Johnny yggdrasil at gmx.co.uk
Tue Aug 20 02:31:29 EEST 2013


Sorry about the delay in following up on this; I am really struggling
to get somewhere, but have made some minor progress, see below.

I am now starting to suspect that it may be a problem that I have a
virtual user in dovecot trying to access a maildir owned by the system
user. Although the maildir has full permissions (777), could it be that
SELinux is blocking the virtual user access to the file through dovecot
because it is owned by the system user?

Thomas Harold <thomas-lists at nybeta.com> writes:

> On 6/24/2013 9:58 AM, Johnny wrote:
>> Yes, /var/log/audit/ with audit.log. There are some archived logs as
>> well, but no recent messages regarding dovecot perms.
>
> Typically you could use "sealert -a /var/log/audit/audit.log
> /var/log/audit/audit.log.1" to get a feel for how many SELinux
> exceptions are happening.
>

I found out that auditd had the wrong permissions and therefore
didn't start. Setting the permissions of /var/log/audit/audit.log to
0600 enabled starting auditd. Unfortunately, audit.log doesn't log any
errors with SELinux in Permissive mode (nor in Enforcing).

> Also, when you say that the restorecon -R did not fix the issue, did
> you check the output of "ls -Z" after running it?
>

I also found out that semanage didn't work initially, as there was a symbolic
link in the path. Referencing the location directly, the relabelling
worked, so now Maildir and all below is type mail_spool_t.

,---- ls -Z /home/user/data1/Maildir
| drwx------. user user system_u:object_r:mail_spool_t:s0 juser     |
| drwx------. user user system_u:object_r:mail_spool_t:s0 yggdrasil |
`----

> However, looking at your original message, I'm wondering why the
> forward slashes are doubled up.  For instance:
> "/home/user/data1/Maildir//"
>

Good spot! I have defined different virtual users in a 'users' file,
and there was a trailing slash in the maildir location as well as a
leading slash in the mail folder path. I have now removed the trailing slash
so there are no double slashes in the path anymore.

The problem however still remains; with SELinux in Permissive, there are no
issues in logging into the dovecot server. When I set it to Enforcing,
the telnet session is closed immediately when trying to login with the
message

: telnet localhost 143
: a login [user] [password]
,----
| * BYE Internal error occurred. Refer to server log for more information.
| Connection closed by foreign host.
`----

From the dovecot log (below) it looks like a write permission error.

,---- cat /var/log/dovecot
| Aug 19 23:33:29 imap-login: Info: Login: user=<juser>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=5217, secured, session=<2AKSh1Tk1QB/AAAB>
| Aug 19 23:34:11 imap(juser): Info: Connection closed in=0 out=319
| Aug 19 23:34:18 imap-login: Info: Login: user=<juser>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=5224, secured, session=<34J+ilTk1gB/AAAB>
| Aug 19 23:34:18 imap(juser): Error: chdir(/home/user/data1/Maildir//) failed: Permission denied (euid=1000(user) egid=1000(user) missing +w perm: /home/user/data1/Maildir// stat(/home/user/data1/Maildir//) failed: Permission denied)
| Aug 19 23:34:18 imap(juser): Error: chdir(/home/user/data1/Maildir/) failed: Permission denied
| Aug 19 23:34:18 imap(juser): Error: user juser: Initialization failed: Namespace '': stat(/home/user/data1/Maildir//juser) failed: Permission denied (euid=1000(user) egid=1000(user) missing +w perm: /home/user/data1/Maildir//juser stat(/home/user/data1/Maildir//juser) failed: Permission denied)
`----

,---- ls -Z /home/user/data1/Maildir
| drwx------. user user system_u:object_r:mail_spool_t:s0 juser     |
| drwx------. user user system_u:object_r:mail_spool_t:s0 yggdrasil |
`----

Changing permissions to 777 doesn't change matters at all.

Looking at the permission error in /var/log/dovecot again leads me to
think that /maybe/ the issue is that I have a virtual dovecot user
'juser' which tries to read the Maildir owned by 'user', i.e. these
lines:

Permission denied:
,----
| Aug 19 23:34:18 imap(juser): Error: user juser: Initialization failed: Namespace '': stat(/home/user/data1/Maildir/juser) failed: Permission denied (euid=1000(user) egid=1000(user) missing +w perm: /home/user/data1/Maildir/juser stat(/home/user/data1/Maildir/juser) failed: Permission denied)
`----

File ownership:
,----
| drwxrwxrwx. user user system_u:object_r:mail_spool_t:s0 juser         |
`----

-- 
Johnny
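The denials in the log above are on chdir()/stat() of the parent Maildir directory itself, while the ls -Z listings only show the two mailbox subdirectories under it. With SELinux enforcing, the 777 mode makes no difference once the policy denies the access, and a denial covered by a dontaudit rule never reaches audit.log even in Permissive mode, which is one reason the log can stay empty. The shell helper below is an added example, not code from the original post or from Dovecot: it walks every path component that the imap process has to traverse, flags any whose type is outside an allow list, and on a live host compares each label with what matchpathcon expects and searches for AVCs with dontaudit rules temporarily disabled. The allow list of types, the sample labels and the path /home/user/data1/Maildir are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot). The pure
# helpers run anywhere; live_diagnose needs a host with the SELinux
# userspace tools (ls -Z, matchpathcon, semodule, ausearch) and root.

# Print every directory component of a path, root first. Doubled and
# trailing slashes (as in "/home/user/data1/Maildir//") are collapsed.
path_components() (
    IFS='/'
    set -f
    acc=""
    printf '%s\n' /
    for seg in $1; do
        [ -n "$seg" ] || continue
        acc="$acc/$seg"
        printf '%s\n' "$acc"
    done
)

# Extract the type field from a context string:
#   system_u:object_r:mail_spool_t:s0 -> mail_spool_t
context_type() {
    rest="${1#*:}"          # strip the SELinux user
    rest="${rest#*:}"       # strip the role
    printf '%s\n' "${rest%%:*}"
}

# Input: lines of "<path> <context>" (the two columns of `ls -dZ`, swapped).
# Prints "<path> <type>" for every component whose type is not in the
# space-separated allow list. The default list is an ASSUMPTION about what
# dovecot_t may traverse or use; confirm it against your own policy with
#   sesearch -A -s dovecot_t -t user_home_t -c dir -p search
# before trusting it.
unexpected_types() {
    allowed="${2:-root_t home_root_t user_home_dir_t mail_home_rw_t mail_spool_t}"
    printf '%s\n' "$1" | while read -r path ctx; do
        [ -n "$path" ] || continue
        type=$(context_type "$ctx")
        case " $allowed " in
            *" $type "*) ;;
            *) printf '%s %s\n' "$path" "$type" ;;
        esac
    done
}

# On a real host: actual label of every component next to what the
# file_contexts database expects, then AVC denials for the imap process
# with dontaudit rules disabled so silent denials become visible.
live_diagnose() {
    for p in $(path_components "$1"); do
        printf '%-32s actual=%s expected=%s\n' "$p" \
            "$(ls -dZ "$p" | awk '{print $1}')" "$(matchpathcon -n "$p")"
    done
    semodule -DB                       # rebuild policy without dontaudit rules
    ausearch -m avc -c imap -ts recent
    semodule -B                        # put the dontaudit rules back
}

# Constructed sample labels for the path in the post (not taken from the
# original message): Maildir and below were relabelled, its parents were not.
SAMPLE_LABELS='/ system_u:object_r:root_t:s0
/home system_u:object_r:home_root_t:s0
/home/user system_u:object_r:user_home_dir_t:s0
/home/user/data1 system_u:object_r:user_home_t:s0
/home/user/data1/Maildir system_u:object_r:mail_spool_t:s0
/home/user/data1/Maildir/juser system_u:object_r:mail_spool_t:s0'

# Offline demonstration: in the sample, the parent data1 directory is the
# component that stands out.
unexpected_types "$SAMPLE_LABELS"
# On the real host, run instead: live_diagnose /home/user/data1/Maildir
```

If a component comes back with a type the dovecot domain cannot search, the fix is a `semanage fcontext` rule for that directory (or the whole tree under it) followed by `restorecon -R`, not a chmod; and if ausearch shows nothing even with dontaudit disabled, check `getsebool -a | grep dovecot` for a boolean covering home-directory mail before writing a local policy module.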

