Hi Aki,

You did a great job. God bless you! :) I think it will work now. I'll come with feedback if that's the case after applying this on my server.

I just want to mention one little thing below (which possibly has some importance). In my system, instead of /home/mail/domain/test/Maildir, I have */some_other_custom_dir/mail/my_domain_name/test/Maildir/*. From *dovecot_selinux*'s man page I can see that *mail_home_rw_t* directories are:

/root/Maildir(/.*)?
/root/.esmtp_queue(/.*)?
/home/[^/]+/.maildir(/.*)?
/home/[^/]+/Maildir(/.*)?
/home/[^/]+/.esmtp_queue(/.*)?

which anyway, seems to me, doesn't match the initial directory path which I provided (it's the first time when I knowledgeably interact with SELinux). I think this shouldn't impact the documented issue, but if you think it does, I wanted to inform you.

Thanks and have a nice day,
Mura Andrei

On Sun, Apr 12, 2020 at 10:52 PM Aki Tuomi <aki.tu...@open-xchange.com> wrote:
>
> > On 11/04/2020 15:57 Aki Tuomi <aki.tu...@open-xchange.com> wrote:
> >
> > > On 11/04/2020 15:47 Alex JOST <jost+li...@dimejo.at> wrote:
> > >
> > > > On 11.04.2020 at 13:00, Andrei Petru Mura wrote:
> > > > Hi,
> > > >
> > > > After configuring systemd unit with ReadWritePaths=/home/mail, I get the following error logs in audit:
> > > > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > > type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83 success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8 items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
> > > > type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > > type=SYSCALL msg=audit(1586604621.638:6737): arch=c000003e syscall=21 success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffffffe items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
> > > >
> > > > I have SELinux enabled, on CentOS.
> > > > If I run:
> > > > audit2why < /var/log/audit/audit.log
> > > >
> > > > I get:
> > > > type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > >
> > > > Was caused by:
> > > > Missing type enforcement (TE) allow rule.
> > > >
> > > > I think it's important to know that I'm trying to use dovecot with virtual users. If I try to configure it with PAM authentication using system users, it works well.
> > > >
> > > > Any suggestions on this?
> > >
> > > Looks like /home/mail as mail store isn't included in the default SELinux policy. Did you make sure that the correct SELinux type is set on the directories?
> > > https://www.unix.com/man-page/centos/8/dovecot_selinux/
> > >
> > > If this isn't enough to get you going you might need to create your own policy. The following steps should be all that it takes to create your own policy.
> > >
> > > Check that grep includes only lines that you want included in your new policy:
> > > grep dovecot /var/log/audit/audit.log | audit2allow -w
> > >
> > > Create your new policy for Dovecot and install it:
> > > grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> > > semodule -i dovecot_custom.pp
> > >
> > > --
> > > Alex JOST
> >
> > Or just label the directory with mail_home_rw_t
> >
> > ---
> > Aki Tuomi
>
> I took the time to document suitable approach to this problem. You can check it here https://github.com/dovecot/documentation/pull/63/files
>
> Aki
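The denials in the thread hinge on one detail that audit2why's "missing TE allow rule" does not spell out: the target directory is labelled etc_runtime_t, not a mail type, so the fix Aki suggests (relabel to mail_home_rw_t) keeps dovecot_t confined, whereas an audit2allow -M module would grant dovecot_t write access to everything of type etc_runtime_t. The script below is an added example, not code from the thread, from Dovecot or from the SELinux tools: it parses AVC records in the audit.log format quoted above (the sample lines are copied from the thread and embedded here as constructed input), groups denials by source type, target type, class and permission, flags Dovecot denials whose target type is not mail_home_rw_t as a probable mislabel, and builds the semanage fcontext / restorecon commands for a custom mail root. The path /some_other_custom_dir/mail is the one from the thread and is an assumption about where the Maildirs actually live; the set of acceptable target types contains only mail_home_rw_t because that is the type the thread names.

```python
import re
from collections import Counter

# Constructed sample: two AVC records and one SYSCALL record, copied from the
# audit.log excerpt quoted in the thread (one audit record per line).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1586604621.637:6736): avc:  denied  { write } for  pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83 success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8 items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1586604621.638:6737): avc:  denied  { write } for  pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
"""

# Target types Dovecot is expected to write mail into. Only mail_home_rw_t is
# listed because it is the type named in the thread; extend it for your policy.
EXPECTED_MAIL_TYPES = {"mail_home_rw_t"}

# Matches the fixed prefix of an AVC denial; the key=value fields after "for"
# are parsed separately because their order varies between kernels.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
    }


def type_of(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            counts[key] += 1
    return counts


def diagnose(summary, expected_types=EXPECTED_MAIL_TYPES):
    """Flag Dovecot denials whose target is not a mail type (likely mislabelled dir)."""
    findings = []
    for (stype, ttype, tclass, perm), count in sorted(summary.items()):
        if stype != "dovecot_t":
            continue
        findings.append({
            "target_type": ttype,
            "tclass": tclass,
            "perm": perm,
            "count": count,
            "likely_mislabel": ttype not in expected_types,
        })
    return findings


def relabel_commands(mail_root, setype="mail_home_rw_t"):
    """Commands that persistently label a custom mail root (assumed path) as setype."""
    pattern = f"{mail_root.rstrip('/')}(/.*)?"
    return [
        f'semanage fcontext -a -t {setype} "{pattern}"',
        f"restorecon -Rv {mail_root}",
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT_LOG)
    for finding in diagnose(summary):
        print(finding)
    # The custom root below is the path mentioned in the thread, an assumption.
    for cmd in relabel_commands("/some_other_custom_dir/mail"):
        print(cmd)
```

On the thread's input the script reports two write denials from dovecot_t on a dir of type etc_runtime_t and marks them as a likely mislabel, which is the case where a relabel, not a new allow rule, is the right fix; after restorecon, ls -Z on the Maildir should show mail_home_rw_t and the AVC records should stop.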