Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Sami Ketola via dovecot



> On 30 Jul 2019, at 22.53, Tom Diehl via dovecot wrote:
> 
> On Tue, 30 Jul 2019, Reio Remma via dovecot wrote:
> 
>> On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
>>> 
>>> Does anyone have an Idea how to fix this?
>> 
>> Perhaps see if there are any denials in SELinux audit log:
> 
> Selinux is in permissive.
> 
> If I do:
> (vmail1 pts9) # ll /proc/self/io
> -r-------- 1 root root 0 Jul 30 15:27 /proc/self/io
> (vmail1 pts9) #
> 
> It is obvious to me why I get permission denied. The problem is you
> cannot chmod on /proc. I suspect I have something mis-configured but
> the question is what?

service lmtp {
 executable = lmtp -L
 inet_listener lmtp {
   address = 127.0.0.1
   port = 24
 }
 process_min_avail = 5
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
   group = postfix
   mode = 0600
   user = postfix
 }
 user = vmail
}

Please remove user = vmail from here or change it to root.

For security reasons the lmtp service must be started as root since version 2.2.36.
lmtp will drop root privileges after initialisation, but it needs to open
/proc/self/io as root before that.

Sami
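The open-before-drop pattern Sami describes, as an added example that is not Dovecot's own code: open /proc/self/io while still root, permanently drop to an unprivileged user, and keep reading through the descriptor opened earlier, because once the process has changed uid it is no longer dumpable, its /proc/self entries become root-owned, and a fresh open() of the 0400 io file fails with EACCES. The user name "vmail" is taken from the thread's configuration and is assumed to exist; the sample counter text is constructed.

```python
import errno
import os
import pwd

# Constructed sample of /proc/<pid>/io contents (real field names, made-up values).
SAMPLE_IO = (
    "rchar: 4096\nwchar: 1024\nsyscr: 12\nsyscw: 3\n"
    "read_bytes: 0\nwrite_bytes: 0\ncancelled_write_bytes: 0\n"
)

def parse_io_counters(text):
    """Turn the 'name: value' lines of /proc/<pid>/io into {name: int}."""
    counters = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            counters[name.strip()] = int(value.strip())
    return counters

def open_proc_self_io():
    """open() is where the permission check happens; returns an fd, or -errno."""
    try:
        return os.open("/proc/self/io", os.O_RDONLY)
    except OSError as e:
        return -e.errno

def drop_privileges(user):
    """Permanently switch to `user` (assumed 'vmail'); no-op unless running as root.
    After setuid() the process is no longer dumpable, so its /proc/self/* entries
    are owned by root and the 0400 io file can no longer be opened by `user`."""
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    return True

def read_io_counters(fd):
    """Re-read an fd opened earlier from offset 0.  The kernel lets a process read
    its own io counters, so this keeps working after the privilege drop."""
    return parse_io_counters(os.pread(fd, 4096, 0).decode())

if __name__ == "__main__":
    early_fd = open_proc_self_io()          # step 1: open while still root
    dropped = drop_privileges("vmail")      # step 2: drop root
    late_fd = open_proc_self_io()           # step 3: a second open now fails if dropped
    late = "ok" if late_fd >= 0 else errno.errorcode.get(-late_fd, str(-late_fd))
    print("dropped root:", dropped, "| late open():", late)
    if early_fd >= 0:
        print("rchar via early fd:", read_io_counters(early_fd)["rchar"])
```

Run it as root on a host that has a vmail user to see the late open() report EACCES while the early descriptor still yields counters; as a normal user both opens succeed and nothing is dropped.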



Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Tom Diehl via dovecot

On Tue, 30 Jul 2019, Reio Remma via dovecot wrote:


On 30.07.2019 20:07, Tom Diehl via dovecot wrote:


 Does anyone have an Idea how to fix this?


Perhaps see if there are any denials in SELinux audit log:


Selinux is in permissive.

If I do:
(vmail1 pts9) # ll /proc/self/io
-r-------- 1 root root 0 Jul 30 15:27 /proc/self/io
(vmail1 pts9) #

It is obvious to me why I get permission denied. The problem is you
cannot chmod on /proc. I suspect I have something mis-configured but
the question is what?

Regards,

--
Tom m...@tdiehl.org


Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Alexander Dalloz via dovecot

Am 30.07.2019 um 20:12 schrieb Alexander Dalloz via dovecot:

aausearch -m avc -c dovecot | audit2why


sorry, "ausearch" is the proper command



Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Alexander Dalloz via dovecot

Am 30.07.2019 um 19:33 schrieb Reio Remma via dovecot:

On 30.07.2019 20:07, Tom Diehl via dovecot wrote:


Does anyone have an Idea how to fix this?

Regards,



Perhaps see if there are any denials in SELinux audit log:

sudo grep denied /var/log/audit/audit.log | grep dovecot | audit2allow -a

Good luck,
Reio



The proper search for dovecot AVCs would be:

aausearch -m avc -c dovecot | audit2why

audit2allow is not that helpful in the first approach.

Alexander



Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Reio Remma via dovecot

On 30.07.2019 20:07, Tom Diehl via dovecot wrote:


Does anyone have an Idea how to fix this?

Regards,



Perhaps see if there are any denials in SELinux audit log:

sudo grep denied /var/log/audit/audit.log | grep dovecot | audit2allow -a

Good luck,
Reio


Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Tom Diehl via dovecot



Does anyone have an Idea how to fix this?

Regards,

--
Tom m...@tdiehl.org

On Mon, 22 Jul 2019, Tom Diehl via dovecot wrote:


Hi,

I am running dovecot-2.2.36-3.el7.x86_64 on a Centos 7 machine. I keep seeing
the following errors in the dovecot.log:
Jul 22 12:52:04 vmail2 dovecot: doveadm: Error: open(/proc/self/io) failed: Permission denied


Dovecot -n is listed below:
#  2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
#  Pigeonhole version 0.4.24 (124e06aa)
#  OS: Linux 3.10.0-957.21.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
#  Hostname: vmail2.kmg.mydomain.com

auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, %$

dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
doveadm_password =  # hidden, use -P to show it
doveadm_port = 2525
first_valid_uid = 2000
last_valid_uid = 2000
mail_gid = 2000
mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
mail_plugins = quota mailbox_alias acl mail_log notify stats replication
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve

namespace {
  inbox = yes
  location =
  mailbox Archive {
    auto = no
    special_use = \Archive
  }
  mailbox Archives {
    auto = no
    special_use = \Archive
  }
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox "Junk E-mail" {
    auto = no
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Items" {
    auto = no
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = no
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-master-users
  driver = passwd-file
  master = yes
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  fts_autoindex = yes
  fts_autoindex_max_recent_msgs = 50
  imapsieve_mailbox1_before = file:/usr/lib64/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/usr/lib64/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  mail_log_events = delete undelete expunge mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size from subject
  mail_replica = tcp:vmail1.kmg.mydomain.com
  mailbox_alias_new = Sent Messages
  mailbox_alias_new2 = Sent Items
  mailbox_alias_old = Sent
  mailbox_alias_old2 = Sent
  quota = dict:user::proxy::quotadict
  quota_grace = 10%%
  quota_warning = storage=100%% quota-warning 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  sieve = ~/sieve/dovecot.sieve
  sieve_before = /var/vmail/sieve/dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /var/vmail/sieve
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
  sieve_max_redirects = 30
  sieve_pipe_bin_dir = /usr/lib64/dovecot/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_send_from_recipient = yes
  stats_refresh = 30 secs
  stats_track_cmds = yes
}
protocols = pop3 imap sieve lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service config {
  unix_listener config {
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service doveadm {
  inet_listener {
    port = 2525
  }
  user = vmail
}
service imap-login {
  process_limit = 500
  service_count = 1
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  proc