Re: [Dovecot] Dovecot + SELinux permission problems - Virtual user permissions?
Sorry about the delays on following up on this, I am really struggling to get somewhere, but have made some minor progress, see below. I am now starting to suspect that it may be a problem that I have a virtual user in dovecot trying to access a maildir owned by the system user. Although the maildir has full permissions (777), could it be that SELinux is blocking the virtual user access to the file through dovecot because it is owned by the system user? Thomas Harold thomas-li...@nybeta.com writes: On 6/24/2013 9:58 AM, Johnny wrote: Yes, /var/log/audit/ with audit.log. There are some archived logs as well, but no recent messages regarding dovecot perms. Typically you could use sealert -a /var/log/audit/audit.log /var/log/audit/audit.log.1 to get a feel for how many SELinux exceptions are happening. I found out that auditd had the wrong permissions and therefore didn't start. Setting the permissions of /var/log/audit/audit.log to 0600 enabled starting auditd. Unfortunately, audit.log doesn't log any errors with SELinux in Permissive mode (nor for Enforcing). Also, when you say that the restorecon -R did not fix the issue, did you check the output of ls -Z after running it? I also found out that semanage didn't work initially, as there was a symbolic link in the path. Referencing the location directly, the relabelling worked, so now Maildir and all below is type mail_spool_t. , ls -Z /home/user/data1/Maildir | drwx--. user user system_u:object_r:mail_spool_t:s0 juser | | drwx--. user user system_u:object_r:mail_spool_t:s0 yggdrasil | ` However, looking at your original message, I'm wondering why the forward slashes are doubled up. For instance: /home/user/data1/Maildir// Good spot! I have defined different virtual users for in a 'users' file, and there was a trailing slash in the maildir location as well as a leading slash in mail folder path. I have now removed the trailing slash so there is no double slashes in the path anymore. The problem however still remains; with SELinux in Permissive, there are no issues in logging into the dovecot server. When I set it to Enforcing, the telnet session is closed immediately when trying to login with the message : telnet localhost 143 : a login [user] [password] , | * BYE Internal error occurred. Refer to server log for more information. | Connection closed by foreign host. ` From the dovecot log (below) it looks like a write permission error. , cat /var/log/dovecot | Aug 19 23:33:29 imap-login: Info: Login: user=juser, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=5217, secured, session=2AKSh1Tk1QB/AAAB | Aug 19 23:34:11 imap(juser): Info: Connection closed in=0 out=319 | Aug 19 23:34:18 imap-login: Info: Login: user=juser, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=5224, secured, session=34J+ilTk1gB/AAAB | Aug 19 23:34:18 imap(juser): Error: chdir(/home/user/data1/Maildir//) failed: Permission denied (euid=1000(user) egid=1000(user) missing +w perm: /home/user/data1/Maildir// stat(/home/user/data1/Maildir//) failed: Permission denied) | Aug 19 23:34:18 imap(juser): Error: chdir(/home/user/data1/Maildir/) failed: Permission denied | Aug 19 23:34:18 imap(juser): Error: user juser: Initialization failed: Namespace '': stat(/home/user/data1/Maildir//juser) failed: Permission denied (euid=1000(user) egid=1000(user) missing +w perm: /home/user/data1/Maildir//juser stat(/home/user/data1/Maildir//juser) failed: Permission denied) ` , ls -Z /home/user/data1/Maildir | drwx--. user user system_u:object_r:mail_spool_t:s0 juser | | drwx--. user user system_u:object_r:mail_spool_t:s0 yggdrasil | ` Changing permissions to 777 doesn't change matters at all. Looking at the permission error in /var/log/dovecot again leads me to think that /maybe/ the issue is that I have a virtual dovecot user 'juser' which tries to read the Maildir owned by 'user'. I.e. these lines: Permission deinied: | Aug 19 23:34:18 imap(juser): Error: user juser: Initialization failed: Namespace '': stat(/home/user/data1/Maildir/juser) failed: Permission denied (euid=1000(user) egid=1000(user) missing +w perm: /home/user/data1/Maildir/juser stat(/home/user/data1/Maildir/juser) failed: Permission denied) File ownership: | drwxrwxrwx. user user system_u:object_r:mail_spool_t:s0 juser | -- Johnny
Re: [Dovecot] Dovecot + SELinux permission problems
On 6/24/2013 9:58 AM, Johnny wrote: Yes, /var/log/audit/ with audit.log. There are some archived logs as well, but no recent messages regarding dovecot perms. Typically you could use sealert -a /var/log/audit/audit.log /var/log/audit/audit.log.1 to get a feel for how many SELinux exceptions are happening. Also, when you say that the restorecon -R did not fix the issue, did you check the output of ls -Z after running it? However, looking at your original message, I'm wondering why the forward slashes are doubled up. For instance: /home/user/data1/Maildir//
[Dovecot] Dovecot + SELinux permission problems
Hi, I have set-up dovecot on a F17 box and am encountering weirdnesses with SELinux (who isn't??). Again, I am trying to refrain from disabling SWLinux all together, however tempting, but am stuck in troubleshooting and hope for some ideas... With SELinux set to permissive, I can connect to dovecot and log in to access my mail as expected. With SELinux enforcing, I can connect to dovecot, but cannot login to access mail. The log states , log_path = /var/log/dovecot (set in 10-logging.conf) | Jun 23 15:43:58 imap-login: Info: Login: user=johndoe, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=15189, secured, session=xJl+U9PfvgB/AAAB | Jun 23 15:43:58 imap(johndoe): Error: chdir(/home/user/data1/Maildir//) failed: Permission denied (euid=1000(user) egid=1000(user) missing +w perm: /home/user/data1/Maildir// stat(/home/user/data1/Maildir//) failed: Permission denied) | Jun 23 15:43:58 imap(johndoe): Error: chdir(/home/user/data1/Maildir/) failed: Permission denied | Jun 23 15:43:58 imap(johndoe): Error: user johndoe: Initialization failed: Namespace '': stat(/home/user/data1/Maildir//johndoe) failed: Permission denied (euid=1000(user) egid=1000(user) missing +w perm: /home/user/data1/Maildir//johndoe stat(/home/user/data1/Maildir//johndoe) failed: Permission denied) | Jun 23 15:43:58 imap(johndoe): Error: Invalid user settings. Refer to server log for more information. ` Only thing I can grasp is *write permission* error. ls -l on the Maildirs shows this should not be the case for uid 1000. , ls -l | drwxrwxr-x. 11 user user 4096 Jul 8 2012 Maildir | \ drwx--. 19 user user 4096 Feb 5 09:04 johndoe ` I have no idea what the server log is referring to, in the debug log I get , debug_log_path = /var/log/dovecot_debug (set in 10-logging.conf) | Jun 23 15:43:58 imap: Debug: Added userdb setting: mail=maildir:~/johndoe | Jun 23 15:43:58 imap(johndoe): Debug: Effective uid=1000, gid=1000, home=/home/user/data1/Maildir/ | Jun 23 15:43:58 imap(johndoe): Debug: Namespace inbox: type=private, prefix=, sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/johndoe | Jun 23 15:43:58 imap(johndoe): Debug: maildir++: root=/home/user/data1/Maildir//johndoe, index=, control=, inbox=/home/user/data1/Maildir//johndoe, alt= ` I had thought SELinux would log something, but /var/log/audit/audit.log is blank... Where to go from here?? Any ideas appreciated... -- Johnny
Re: [Dovecot] Dovecot + SELinux permission problems
On Sun, Jun 23, 2013 at 04:21:17PM +0100, Johnny wrote: I had thought SELinux would log something, but /var/log/audit/audit.log is blank... Are you running auditd? I believe that if you're not running auditd, the denials should be logged to the kernel ring buffer. Does dmesg show any denials ? Likely dovecot doesn't have access user_home_dir_t/user_home_t. Is all users maildirs below /home/user/data1/Maildir/ ? If so, you can probably fix this by creating a labeling rule for this, and re-label everything below this directory: semanage fcontext -a -t mail_spool_t /home/user/data1/Maildir(/.*)? restorecon -R /home/user/data1/Maildir -jf
Re: [Dovecot] Dovecot + SELinux permission problems
Jan-Frode Myklebust janfr...@tanso.net writes: On Sun, Jun 23, 2013 at 04:21:17PM +0100, Johnny wrote: I had thought SELinux would log something, but /var/log/audit/audit.log is blank... Are you running auditd? I believe that if you're not running auditd, the denials should be logged to the kernel ring buffer. It seems auditd is not running and not happy to start; , systemctl status auditd.service | Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled) | Active: failed (Result: exit-code) since Mon, 24 Jun 2013 04:28:28 +0100; 6s ago | Process: 5139 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS) | Process: 5136 ExecStart=/sbin/auditd -n (code=exited, status=6) | CGroup: name=systemd:/system/auditd.service ` Does dmesg show any denials ? Nope, all it shows is turning on/off SELinux (I tried accessing the mail prior and post changing SElinux status) , | [ 767.835481] type=1404 audit(1372044152.923:10): enforcing=0 old_enforcing=1 auid=1000 ses=1 | [ 777.110187] type=1404 audit(1372044162.218:11): enforcing=1 old_enforcing=0 auid=1000 ses=1 ` Likely dovecot doesn't have access user_home_dir_t/user_home_t. Is all users maildirs below /home/user/data1/Maildir/ ? All users maildirs are under the same location, e.g. , ls -Z | drwx--. user user system_u:object_r:mnt_t:s0 mailaccountA | drwx--. user user system_u:object_r:mnt_t:s0 mailaccountB | drwx--. user user unconfined_u:object_r:mnt_t:s0 mailaccountC | drwx--. user user unconfined_u:object_r:mnt_t:s0 mailaccountD ` If so, you can probably fix this by creating a labeling rule for this, and re-label everything below this directory: semanage fcontext -a -t mail_spool_t /home/user/data1/Maildir(/.*)? restorecon -R /home/user/data1/Maildir No luck with using this. I will look into this more tomorrow and hopefully locate some logs. -- Johnny
