Re: Missing permissions

2020-04-12 Thread Andrei Petru Mura
Hi Aki,

You did a great job. God bless you! :)
I think it will work now. I'll come with feedback if that's the case after
applying this on my server. I just want to mention one little thing below
(which possibly has some importance).
In my system, instead of /home/mail/domain/test/Maildir, I have
/some_other_custom_dir/mail/my_domain_name/test/Maildir/. From
dovecot_selinux's man page I can see that mail_home_rw_t directories
are:
/root/Maildir(/.*)?
/root/.esmtp_queue(/.*)?
/home/[^/]+/.maildir(/.*)?
/home/[^/]+/Maildir(/.*)?
/home/[^/]+/.esmtp_queue(/.*)?
which, anyway, doesn't seem to me to match the initial directory path I
provided (it's the first time I have knowingly interacted with SELinux).
I think this shouldn't impact the documented issue, but if you think it
does, I wanted to inform you.

Thanks and have a nice day,
Mura Andrei

On Sun, Apr 12, 2020 at 10:52 PM Aki Tuomi 
wrote:

>
> > On 11/04/2020 15:57 Aki Tuomi  wrote:
> >
> >
> >
> >
> > > On 11/04/2020 15:47 Alex JOST < jost+li...@dimejo.at> wrote:
> > >
> > >
> > >
> > >
> > > > On 11.04.2020 at 13:00 Andrei Petru Mura wrote:
> > > > Hi,
> > > >
> > > >
> > > > After configuring systemd unit with ReadWritePaths=/home/mail, I get
> the
> > > > following error logs in audit:
> > > > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
> > > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > > scontext=system_u:system_r:dovecot_t:s0
> > > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir
> permissive=0
> > > > type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83
> > > > success=no exit=-13 a0=55b493a7f338 a1=1ed a2=
> a3=fcd8
> > > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005
> euid=1005
> > > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1586604621.637:6736):
> proctitle="dovecot/imap"
> > > > type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
> > > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > > scontext=system_u:system_r:dovecot_t:s0
> > > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir
> permissive=0
> > > > type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21
> > > > success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe
> > > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005
> euid=1005
> > > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1586604621.638:6737):
> proctitle="dovecot/imap"
> > > >
> > > >
> > > > I have SELinux enabled, on CentOS.
> > > > If I run:
> > > > audit2why < /var/log/audit/audit.log
> > > >
> > > >
> > > > I get:
> > > > type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
> > > > pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > > scontext=system_u:system_r:dovecot_t:s0
> > > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir
> permissive=0
> > > >
> > > >
> > > > Was caused by:
> > > > Missing type enforcement (TE) allow rule.
> > > >
> > > >
> > > > I think it's important to know that I'm trying to use dovecot with
> virtual
> > > > users. If I try to configure it with PAM authentication using system
> users,
> > > > it works well.
> > > >
> > > >
> > > > Any suggestions on this?
> > > Looks like /home/mail as mail store isn't included in the default
> > > SELinux policy. Did you make sure that the correct SELinux type is set
> > > on the directories?
> > > https://www.unix.com/man-page/centos/8/dovecot_selinux/
> > >
> > >
> > >
> > >
> > > If this isn't enough to get you going you might need to create your own
> > > policy. The following steps should be all that it takes to create your
> > > own policy.
> > >
> > >
> > > Check that grep includes only lines that you want included in your new
> > > policy:
> > > grep dovecot /var/log/audit/audit.log | audit2allow -w
> > >
> > >
> > > Create your new policy for Dovecot and install it:
> > > grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> > > semodule -i dovecot_custom.pp
> > >
> > >
> > > --
> > > Alex JOST
> >
> >
> >
> >
> > Or just label the directory with mail_home_rw_t
> >
> >
> > ---
> > Aki Tuomi
> >
>
> I took the time to document a suitable approach to this problem. You can
> check it here https://github.com/dovecot/documentation/pull/63/files
>
> Aki
>
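As an added example (not from the thread, and not Dovecot's or the SELinux project's own code), here is a small Python triage helper that parses an AVC record like the ones posted above, checks whether the denied directory is covered by the default mail_home_rw_t file contexts quoted from the man page, and returns the relabelling commands an admin would review. The function names, the `mail_root` argument and the constructed single-line AVC sample are assumptions; the `semanage`, `restorecon` and `audit2allow -w` invocations are only returned as strings, never run.

```python
import re

# Default file contexts for mail_home_rw_t, as quoted from the
# dovecot_selinux man page earlier in the thread.
MAIL_HOME_RW_T_CONTEXTS = [
    "/root/Maildir(/.*)?",
    "/root/.esmtp_queue(/.*)?",
    "/home/[^/]+/.maildir(/.*)?",
    "/home/[^/]+/Maildir(/.*)?",
    "/home/[^/]+/.esmtp_queue(/.*)?",
]

# Constructed sample: the first AVC record from the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1586604621.637:6736): avc:  denied  { write } for '
    'pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 '
    'scontext=system_u:system_r:dovecot_t:s0 '
    'tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """The third field of user:role:type:level is the SELinux type."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    rec["source_type"] = _type_of(rec.get("scontext", ""))
    rec["target_type"] = _type_of(rec.get("tcontext", ""))
    return rec


def default_context_for(path):
    """Return the default mail_home_rw_t pattern covering `path`, or None.

    file_contexts patterns apply to the whole path, hence fullmatch.
    """
    for pattern in MAIL_HOME_RW_T_CONTEXTS:
        if re.fullmatch(pattern, path):
            return pattern
    return None


def triage(avc_line, denied_path, mail_root):
    """Classify a dovecot_t denial and return (verdict, commands to review).

    `denied_path` is the directory named in the denial; `mail_root` is the
    top of the mail store (the ReadWritePaths= directory). Commands are
    returned as strings for an admin to check, never executed here.
    """
    rec = parse_avc(avc_line)
    if rec is None or rec["source_type"] != "dovecot_t":
        return ("not a dovecot_t denial", [])
    if rec.get("permissive") == "1":
        return ("permissive: logged only, nothing was blocked", [])
    if rec["target_type"] == "mail_home_rw_t":
        # Label already correct: a real policy gap, review before adding rules.
        return ("policy gap: inspect with audit2allow -w before any module", [
            "grep dovecot /var/log/audit/audit.log | audit2allow -w",
        ])
    verdict = "mislabelled (%s)" % rec["target_type"]
    if default_context_for(denied_path) is not None:
        # A default pattern covers it, so restoring the default label suffices.
        return (verdict + ": restore default label", ["restorecon -Rv %s" % mail_root])
    # Custom mail root outside /home/<user>: record an fcontext rule first,
    # otherwise a manual chcon would not survive the next restorecon or relabel.
    pattern = re.escape(mail_root) + "(/.*)?"
    return (verdict + ": custom path, add fcontext rule", [
        'semanage fcontext -a -t mail_home_rw_t "%s"' % pattern,
        "restorecon -Rv %s" % mail_root,
    ])


if __name__ == "__main__":
    verdict, commands = triage(SAMPLE_AVC, "/home/mail/domain/test/Maildir", "/home/mail")
    print(verdict)
    for cmd in commands:
        print("  " + cmd)
```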


Re: Missing permissions

2020-04-12 Thread Aki Tuomi


> On 11/04/2020 15:57 Aki Tuomi  wrote:
> 
> 
> 
> 
> > On 11/04/2020 15:47 Alex JOST < jost+li...@dimejo.at> wrote:
> > 
> > 
> > 
> > 
> > On 11.04.2020 at 13:00 Andrei Petru Mura wrote:
> > > Hi,
> > > 
> > > 
> > > After configuring systemd unit with ReadWritePaths=/home/mail, I get the
> > > following error logs in audit:
> > > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
> > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83
> > > success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8
> > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
> > > type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
> > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21
> > > success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe
> > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
> > > 
> > > 
> > > I have SELinux enabled, on CentOS.
> > > If I run:
> > > audit2why < /var/log/audit/audit.log
> > > 
> > > 
> > > I get:
> > > type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
> > > pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > 
> > > 
> > > Was caused by:
> > > Missing type enforcement (TE) allow rule.
> > > 
> > > 
> > > I think it's important to know that I'm trying to use dovecot with virtual
> > > users. If I try to configure it with PAM authentication using system 
> > > users,
> > > it works well.
> > > 
> > > 
> > > Any suggestions on this?
> > Looks like /home/mail as mail store isn't included in the default
> > SELinux policy. Did you make sure that the correct SELinux type is set
> > on the directories?
> > https://www.unix.com/man-page/centos/8/dovecot_selinux/
> > 
> > 
> > 
> > 
> > If this isn't enough to get you going you might need to create your own
> > policy. The following steps should be all that it takes to create your
> > own policy.
> > 
> > 
> > Check that grep includes only lines that you want included in your new
> > policy:
> > grep dovecot /var/log/audit/audit.log | audit2allow -w
> > 
> > 
> > Create your new policy for Dovecot and install it:
> > grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> > semodule -i dovecot_custom.pp
> > 
> > 
> > --
> > Alex JOST
> 
> 
> 
> 
> Or just label the directory with mail_home_rw_t
> 
> 
> ---
> Aki Tuomi
>

I took the time to document a suitable approach to this problem. You can check it
here https://github.com/dovecot/documentation/pull/63/files

Aki


Re: Missing permissions

2020-04-11 Thread Aki Tuomi

> On 11/04/2020 15:47 Alex JOST < jost+li...@dimejo.at> wrote:
>
>
> On 11.04.2020 at 13:00 Andrei Petru Mura wrote:
> > Hi,
> >
> > After configuring systemd unit with ReadWritePaths=/home/mail, I get the
> > following error logs in audit:
> > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
> > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > scontext=system_u:system_r:dovecot_t:s0
> > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83
> > success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8
> > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
> > type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
> > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > scontext=system_u:system_r:dovecot_t:s0
> > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21
> > success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe
> > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
> > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
> >
> > I have SELinux enabled, on CentOS.
> > If I run:
> > audit2why < /var/log/audit/audit.log
> >
> > I get:
> > type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
> > pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > scontext=system_u:system_r:dovecot_t:s0
> > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> >
> > Was caused by:
> > Missing type enforcement (TE) allow rule.
> >
> > I think it's important to know that I'm trying to use dovecot with virtual
> > users. If I try to configure it with PAM authentication using system users,
> > it works well.
> >
> > Any suggestions on this?
>
> Looks like /home/mail as mail store isn't included in the default
> SELinux policy. Did you make sure that the correct SELinux type is set
> on the directories?
> https://www.unix.com/man-page/centos/8/dovecot_selinux/
>
> If this isn't enough to get you going you might need to create your own
> policy. The following steps should be all that it takes to create your
> own policy.
>
> Check that grep includes only lines that you want included in your new
> policy:
> grep dovecot /var/log/audit/audit.log | audit2allow -w
>
> Create your new policy for Dovecot and install it:
> grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> semodule -i dovecot_custom.pp
>
> --
> Alex JOST

Or just label the directory with mail_home_rw_t

---
Aki Tuomi



Re: Missing permissions

2020-04-11 Thread Alex JOST

On 11.04.2020 at 13:00 Andrei Petru Mura wrote:

Hi,

After configuring systemd unit with ReadWritePaths=/home/mail, I get the
following error logs in audit:
type=AVC msg=audit(1586604621.637:6736): avc:  denied  { write } for
  pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83
success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
type=AVC msg=audit(1586604621.638:6737): avc:  denied  { write } for
  pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21
success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"

I have SELinux enabled, on CentOS.
If I run:
audit2why < /var/log/audit/audit.log

I get:
type=AVC msg=audit(1586601301.044:6707): avc:  denied  { write } for
  pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0

Was caused by:
Missing type enforcement (TE) allow rule.

I think it's important to know that I'm trying to use dovecot with virtual
users. If I try to configure it with PAM authentication using system users,
it works well.

Any suggestions on this?


Looks like /home/mail as mail store isn't included in the default 
SELinux policy. Did you make sure that the correct SELinux type is set 
on the directories?

  https://www.unix.com/man-page/centos/8/dovecot_selinux/


If this isn't enough to get you going you might need to create your own 
policy. The following steps should be all that it takes to create your 
own policy.


Check that grep includes only lines that you want included in your new 
policy:

  grep dovecot /var/log/audit/audit.log | audit2allow -w

Create your new policy for Dovecot and install it:
  grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
  semodule -i dovecot_custom.pp

--
Alex JOST


Re: Missing permissions

2020-04-11 Thread Andrei Petru Mura
Hi,

After configuring systemd unit with ReadWritePaths=/home/mail, I get the
following error logs in audit:
type=AVC msg=audit(1586604621.637:6736): avc:  denied  { write } for
 pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83
success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
type=AVC msg=audit(1586604621.638:6737): avc:  denied  { write } for
 pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21
success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"

I have SELinux enabled, on CentOS.
If I run:
audit2why < /var/log/audit/audit.log

I get:
type=AVC msg=audit(1586601301.044:6707): avc:  denied  { write } for
 pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0

Was caused by:
Missing type enforcement (TE) allow rule.

I think it's important to know that I'm trying to use dovecot with virtual
users. If I try to configure it with PAM authentication using system users,
it works well.

Any suggestions on this?

Mura Andrei

On Sat, Apr 11, 2020 at 10:02 AM Andrei Petru Mura 
wrote:

> I think I found here what I'm interested in:
> https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/.
>
> On Sat, Apr 11, 2020 at 9:52 AM Andrei Petru Mura 
> wrote:
>
>> Hi Aki,
>>
>> Thanks. I was especially interested in documentation related to dovecot
>> and its users' permissions, the way in which dovecot uses users. Till now I
>> found only spread information on different articles from dovecot's website.
>>
>> Thanks,
>> Mura Andrei
>>
>> On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi 
>> wrote:
>>
>>> Hi,
>>>
>>>
>>> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
>>>
>>> although we probably need to add some words into doc.dovecot.org under
>>> known issues.
>>>
>>> Aki
>>>
>>> > On 11/04/2020 09:24 Andrei Petru Mura  wrote:
>>> >
>>> >
>>> > Hi Aki,
>>> >
>>> > Any documentation on this topic?
>>> >
>>> > Mura Andrei
>>> >
>>> >
>>> > On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi 
>>> wrote:
>>> > > This is probably caused by systemd (or selinux or both).
>>> > >
>>> > >  With systemd, you need to add
>>> > >
>>> > >  ReadWritePaths=/home/mail
>>> > >
>>> > >  to the systemd unit.
>>> > >
>>> > >  Then you can check /var/log/audit/audit.log for any selinux
>>> specific problems. If you are using Centos/Redhat.
>>> > >
>>> > >  Aki
>>> > >
>>> > >  > On 06/04/2020 17:01 Andrei Petru Mura 
>>> wrote:
>>> > >  >
>>> > >  >
>>> > >  > Hi,
>>> > >  >
>>> > >  > Dovecot version 2.2.36
>>> > >  > In log files I get this error:
>>> > >  > dovecot: imap(test): Namespace '':
>>> mkdir(/home/mail/domain/test/Maildir) failed: Permission denied
>>> (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX
>>> perms appear ok (ACL/MAC wrong?))
>>> > >  >
>>> > >  > My authentication configuration is this:
>>> > >  > passdb {
>>> > >  > driver = passwd-file
>>> > >  > args = username_format=%n /etc/dovecot/users
>>> > >  > }
>>> > >  >
>>> > >  > userdb {
>>> > >  > driver = static
>>> > >  > args = uid=vmail gid=vmail home=/home/mail/domain/%n
>>> username_format=%n /etc/dovecot/users
>>> > >  >
>>> > >  > }
>>> > >  >
>>> > >  > /home/mail/domain/test directory is owned by vmail user.
>>> > >  > How to fix this?
>>> > >  >
>>> > >  > Mura Andrei
>>> > >
>>>
>>


Re: Missing permissions

2020-04-11 Thread Andrei Petru Mura
I think I found here what I'm interested in:
https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/.

On Sat, Apr 11, 2020 at 9:52 AM Andrei Petru Mura 
wrote:

> Hi Aki,
>
> Thanks. I was especially interested in documentation related to dovecot
> and its users' permissions, the way in which dovecot uses users. Till now I
> found only spread information on different articles from dovecot's website.
>
> Thanks,
> Mura Andrei
>
> On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi 
> wrote:
>
>> Hi,
>>
>>
>> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
>>
>> although we probably need to add some words into doc.dovecot.org under
>> known issues.
>>
>> Aki
>>
>> > On 11/04/2020 09:24 Andrei Petru Mura  wrote:
>> >
>> >
>> > Hi Aki,
>> >
>> > Any documentation on this topic?
>> >
>> > Mura Andrei
>> >
>> >
>> > On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi 
>> wrote:
>> > > This is probably caused by systemd (or selinux or both).
>> > >
>> > >  With systemd, you need to add
>> > >
>> > >  ReadWritePaths=/home/mail
>> > >
>> > >  to the systemd unit.
>> > >
>> > >  Then you can check /var/log/audit/audit.log for any selinux specific
>> problems. If you are using Centos/Redhat.
>> > >
>> > >  Aki
>> > >
>> > >  > On 06/04/2020 17:01 Andrei Petru Mura  wrote:
>> > >  >
>> > >  >
>> > >  > Hi,
>> > >  >
>> > >  > Dovecot version 2.2.36
>> > >  > In log files I get this error:
>> > >  > dovecot: imap(test): Namespace '':
>> mkdir(/home/mail/domain/test/Maildir) failed: Permission denied
>> (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX
>> perms appear ok (ACL/MAC wrong?))
>> > >  >
>> > >  > My authentication configuration is this:
>> > >  > passdb {
>> > >  > driver = passwd-file
>> > >  > args = username_format=%n /etc/dovecot/users
>> > >  > }
>> > >  >
>> > >  > userdb {
>> > >  > driver = static
>> > >  > args = uid=vmail gid=vmail home=/home/mail/domain/%n
>> username_format=%n /etc/dovecot/users
>> > >  >
>> > >  > }
>> > >  >
>> > >  > /home/mail/domain/test directory is owned by vmail user.
>> > >  > How to fix this?
>> > >  >
>> > >  > Mura Andrei
>> > >
>>
>


Re: Missing permissions

2020-04-10 Thread Andrei Petru Mura
Hi Aki,

Thanks. I was especially interested in documentation related to dovecot and
its users' permissions, the way in which dovecot uses users. Till now I
found only spread information on different articles from dovecot's website.

Thanks,
Mura Andrei

On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi 
wrote:

> Hi,
>
>
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
>
> although we probably need to add some words into doc.dovecot.org under
> known issues.
>
> Aki
>
> > On 11/04/2020 09:24 Andrei Petru Mura  wrote:
> >
> >
> > Hi Aki,
> >
> > Any documentation on this topic?
> >
> > Mura Andrei
> >
> >
> > On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi 
> wrote:
> > > This is probably caused by systemd (or selinux or both).
> > >
> > >  With systemd, you need to add
> > >
> > >  ReadWritePaths=/home/mail
> > >
> > >  to the systemd unit.
> > >
> > >  Then you can check /var/log/audit/audit.log for any selinux specific
> problems. If you are using Centos/Redhat.
> > >
> > >  Aki
> > >
> > >  > On 06/04/2020 17:01 Andrei Petru Mura  wrote:
> > >  >
> > >  >
> > >  > Hi,
> > >  >
> > >  > Dovecot version 2.2.36
> > >  > In log files I get this error:
> > >  > dovecot: imap(test): Namespace '':
> mkdir(/home/mail/domain/test/Maildir) failed: Permission denied
> (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX
> perms appear ok (ACL/MAC wrong?))
> > >  >
> > >  > My authentication configuration is this:
> > >  > passdb {
> > >  > driver = passwd-file
> > >  > args = username_format=%n /etc/dovecot/users
> > >  > }
> > >  >
> > >  > userdb {
> > >  > driver = static
> > >  > args = uid=vmail gid=vmail home=/home/mail/domain/%n
> username_format=%n /etc/dovecot/users
> > >  >
> > >  > }
> > >  >
> > >  > /home/mail/domain/test directory is owned by vmail user.
> > >  > How to fix this?
> > >  >
> > >  > Mura Andrei
> > >
>


Re: Missing permissions

2020-04-10 Thread Aki Tuomi
Hi,

https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=

although we probably need to add some words into doc.dovecot.org under known 
issues.

Aki

> On 11/04/2020 09:24 Andrei Petru Mura  wrote:
> 
> 
> Hi Aki,
> 
> Any documentation on this topic?
> 
> Mura Andrei
> 
> 
> On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi  wrote:
> > This is probably caused by systemd (or selinux or both).
> >  
> >  With systemd, you need to add
> >  
> >  ReadWritePaths=/home/mail
> >  
> >  to the systemd unit.
> >  
> >  Then you can check /var/log/audit/audit.log for any selinux specific 
> > problems. If you are using Centos/Redhat.
> >  
> >  Aki
> >  
> >  > On 06/04/2020 17:01 Andrei Petru Mura  wrote:
> >  > 
> >  > 
> >  > Hi,
> >  > 
> >  > Dovecot version 2.2.36
> >  > In log files I get this error:
> >  > dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir) 
> > failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w 
> > perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
> >  > 
> >  > My authentication configuration is this:
> >  > passdb {
> >  > driver = passwd-file
> >  > args = username_format=%n /etc/dovecot/users
> >  > }
> >  > 
> >  > userdb {
> >  > driver = static
> >  > args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n 
> > /etc/dovecot/users
> >  > 
> >  > }
> >  > 
> >  > /home/mail/domain/test directory is owned by vmail user.
> >  > How to fix this?
> >  > 
> >  > Mura Andrei
> >


Re: Missing permissions

2020-04-10 Thread Andrei Petru Mura
Hi Aki,

Any documentation on this topic?

Mura Andrei

On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi  wrote:

> This is probably caused by systemd (or selinux or both).
>
> With systemd, you need to add
>
> ReadWritePaths=/home/mail
>
> to the systemd unit.
>
> Then you can check /var/log/audit/audit.log for any selinux specific
> problems. If you are using Centos/Redhat.
>
> Aki
>
> > On 06/04/2020 17:01 Andrei Petru Mura  wrote:
> >
> >
> > Hi,
> >
> > Dovecot version 2.2.36
> > In log files I get this error:
> > dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir)
> failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w
> perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
> >
> > My authentication configuration is this:
> > passdb {
> >  driver = passwd-file
> >  args = username_format=%n /etc/dovecot/users
> > }
> >
> > userdb {
> >  driver = static
> >  args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n
> /etc/dovecot/users
> >
> > }
> >
> > /home/mail/domain/test directory is owned by vmail user.
> > How to fix this?
> >
> > Mura Andrei
>


Re: Missing permissions

2020-04-10 Thread Andrei Petru Mura
Hi Michael,

I don't have AppArmor installed in my system.

Mura Andrei

On Mon, Apr 6, 2020 at 10:11 PM Michael Hirmke  wrote:

> Hi Andrei,
>
> >Hi,
>
> >Dovecot version 2.2.36
> >In log files I get this error:
> >dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir)
> >failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w
> >perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
>
> >My authentication configuration is this:
> >passdb {
> >  driver = passwd-file
> >  args = username_format=%n /etc/dovecot/users
> >}
>
> >userdb {
> >  driver = static
> >  args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n
> >/etc/dovecot/users
>
> >}
>
> >/home/mail/domain/test directory is owned by vmail user.
> >How to fix this?
>
> do you have apparmor up and running?
> If so, you have to modify its config for dovecot.
>
> >Mura Andrei
>
> Bye.
> Michael.
> --
> Michael Hirmke
>


Re: Missing permissions

2020-04-06 Thread Michael Hirmke
Hi Andrei,

>Hi,

>Dovecot version 2.2.36
>In log files I get this error:
>dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir)
>failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w
>perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))

>My authentication configuration is this:
>passdb {
>  driver = passwd-file
>  args = username_format=%n /etc/dovecot/users
>}

>userdb {
>  driver = static
>  args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n
>/etc/dovecot/users

>}

>/home/mail/domain/test directory is owned by vmail user.
>How to fix this?

do you have apparmor up and running?
If so, you have to modify its config for dovecot.

>Mura Andrei

Bye.
Michael.
-- 
Michael Hirmke


Re: Missing permissions

2020-04-06 Thread Aki Tuomi
This is probably caused by systemd (or selinux or both).

With systemd, you need to add

ReadWritePaths=/home/mail

to the systemd unit.

Then you can check /var/log/audit/audit.log for any selinux specific problems. 
If you are using Centos/Redhat.

Aki

> On 06/04/2020 17:01 Andrei Petru Mura  wrote:
> 
> 
> Hi,
> 
> Dovecot version 2.2.36
> In log files I get this error:
> dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir) 
> failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w perm: 
> /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
> 
> My authentication configuration is this:
> passdb {
>  driver = passwd-file
>  args = username_format=%n /etc/dovecot/users
> }
> 
> userdb {
>  driver = static
>  args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n 
> /etc/dovecot/users
> 
> }
> 
> /home/mail/domain/test directory is owned by vmail user.
> How to fix this?
> 
> Mura Andrei


Missing permissions

2020-04-06 Thread Andrei Petru Mura
Hi,

Dovecot version 2.2.36
In log files I get this error:
dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir)
failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w
perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))

My authentication configuration is this:
passdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/users
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n
/etc/dovecot/users

}

/home/mail/domain/test directory is owned by vmail user.
How to fix this?

Mura Andrei


Re: Inexplicable missing permissions issue

2017-09-20 Thread Nelson Crosby
Good day.

On 20 September 2017 at 12:07, Timo Sirainen  wrote:
>
> That usually means you've SELinux enabled and it prevents the access.
>

That appears to have been the issue. I guess Fedora's got a few more
complex defaults than I thought.

Thank you greatly for your assistance;
// Nelson

-- 
// Nelson Crosby
/* n...@sourcecomb.com */


Re: Inexplicable missing permissions issue

2017-09-19 Thread Timo Sirainen
On 19 Sep 2017, at 5.28, Nelson Crosby  wrote:
> 
> I've tried letting Dovecot create this directory, I've tried creating this
> directory manually and giving it any permission I can think of, I've tried
> playing about with the permissions throughout the entire /var/logmail tree,
> but to no avail.

That usually means you've SELinux enabled and it prevents the access.


Re: Inexplicable missing permissions issue

2017-09-19 Thread Nelson Crosby
Thanks for taking a look.

> this is owned by root, and it's complaining about
> /var/logmail/**mbox**/ncrosby
> and dovecot cannot create this because mbox is only writable by root

That's definitely not the issue. As I explained, I've played with
permissions through the entire /var/logmail tree (including the
/var/logmail/mbox directory).

Another configuration in which the exact same message occurs
(including the exact same statement about being owned by 0:0):

/var/logmail
|-- [drwx-- root root]  lost+found
|-- [drwxrwxr-x root mail]  mbox
|   `-- [drwxr-xr-x ncrosby  ncrosby ]  ncrosby
`-- [drwxrwxr-x root mail]  spool
    |-- [-rw-rw fedora   mail]  fedora
    `-- [-rw-rw ncrosby  mail]  ncrosby

4 directories, 2 files

Your time is appreciated;
// Nelson

-- 
// Nelson Crosby
/* nels...@sourcecomb.com */


Re: Inexplicable missing permissions issue

2017-09-19 Thread Aki Tuomi


On 19.09.2017 05:28, Nelson Crosby wrote:
> Greetings all.
>
> I've been having great difficulty getting Dovecot working. I'm getting
> stuck with using mbox directories outside of /home. Dovecot keeps giving
> me this message:
>
> imap(ncrosby): Namespace '': stat(/var/logmail/mbox/ncrosby) failed:
> Permission denied (euid=1001(ncrosby) egid=1001(ncrosby) missing +w perm:
> /var/logmail/mbox/ncrosby stat(/var/logmail/mbox/ncrosby) failed: Permission
> denied, dir owned by 0:0 mode=0755) in=0 out=340
>
> I've tried letting Dovecot create this directory, I've tried creating this
> directory manually and giving it any permission I can think of, I've tried
> playing about with the permissions throughout the entire /var/logmail tree,
> but to no avail.
>
> Below is my setup. I appreciate any input.
>
> Here's `tree -apug /var/logmail`:
>
> /var/logmail
> ├── [drwx-- root root]  lost+found
> ├── [drwxr-xr-x root root]  mbox

this is owned by root, and it's complaining about
/var/logmail/**mbox**/ncrosby
and dovecot cannot create this because mbox is only writable by root

Aki


Inexplicable missing permissions issue

2017-09-19 Thread Nelson Crosby
Greetings all.

I've been having great difficulty getting Dovecot working. I'm getting
stuck with using mbox directories outside of /home. Dovecot keeps giving
me this message:

imap(ncrosby): Namespace '': stat(/var/logmail/mbox/ncrosby) failed:
Permission denied (euid=1001(ncrosby) egid=1001(ncrosby) missing +w perm:
/var/logmail/mbox/ncrosby stat(/var/logmail/mbox/ncrosby) failed: Permission
denied, dir owned by 0:0 mode=0755) in=0 out=340

I've tried letting Dovecot create this directory, I've tried creating this
directory manually and giving it any permission I can think of, I've tried
playing about with the permissions throughout the entire /var/logmail tree,
but to no avail.

Below is my setup. I appreciate any input.

Here's `tree -apug /var/logmail`:

/var/logmail
├── [drwx-- root root]  lost+found
├── [drwxr-xr-x root root]  mbox
└── [drwxrwxr-x root mail]  spool
    ├── [-rw-rw fedora   mail]  fedora
    └── [-rw-rw ncrosby  mail]  ncrosby

3 directories, 2 files

And permissions for `/var/logmail` itself:

drwxr-xr-x.  5 root root  4096 Sep 19 01:52 .

And now `doveconf -n`:

# 2.2.31 (65cde28): /etc/dovecot/dovecot.conf
# OS: Linux 4.11.8-300.fc26.x86_64 x86_64 Fedora release 26 (Twenty Six) ext4
disable_plaintext_auth = no
mail_location = mbox:/var/logmail/mbox/%n:INBOX=/var/logmail/spool/%n
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = dovecot
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
}
ssl = no
ssl_cert =