Re: Missing permissions
Hi Aki,

You did a great job. God bless you! :) I think it will work now. I'll come with feedback if that's the case after applying this on my server.

I just want to mention one little thing below (which possibly has some importance). In my system, instead of /home/mail/domain/test/Maildir, I have /some_other_custom_dir/mail/my_domain_name/test/Maildir/. From dovecot_selinux's man page I can see that the mail_home_rw_t directories are:

    /root/Maildir(/.*)?
    /root/.esmtp_queue(/.*)?
    /home/[^/]+/.maildir(/.*)?
    /home/[^/]+/Maildir(/.*)?
    /home/[^/]+/.esmtp_queue(/.*)?

which anyway, it seems to me, doesn't match the initial directory path which I provided (it's the first time I have knowingly interacted with SELinux). I think this shouldn't impact the documented issue, but if you think it does, I wanted to inform you.

Thanks and have a nice day,
Mura Andrei

On Sun, Apr 12, 2020 at 10:52 PM Aki Tuomi wrote:
> I took the time to document a suitable approach to this problem. You can check it here: https://github.com/dovecot/documentation/pull/63/files
>
> Aki
Re: Missing permissions
> On 11/04/2020 15:57 Aki Tuomi wrote:
> > Or just label the directory with mail_home_rw_t
> >
> > ---
> > Aki Tuomi

I took the time to document a suitable approach to this problem. You can check it here: https://github.com/dovecot/documentation/pull/63/files

Aki
Re: Missing permissions
> On 11/04/2020 15:47 Alex JOST <jost+li...@dimejo.at> wrote:
> > Looks like /home/mail as mail store isn't included in the default SELinux policy. Did you make sure that the correct SELinux type is set on the directories?
> > https://www.unix.com/man-page/centos/8/dovecot_selinux/
> >
> > If this isn't enough to get you going you might need to create your own policy. The following steps should be all that it takes to create your own policy.
> >
> > Check that grep includes only lines that you want included in your new policy:
> >
> >     grep dovecot /var/log/audit/audit.log | audit2allow -w
> >
> > Create your new policy for Dovecot and install it:
> >
> >     grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> >     semodule -i dovecot_custom.pp
> >
> > --
> > Alex JOST

Or just label the directory with mail_home_rw_t

---
Aki Tuomi
Re: Missing permissions
On 11.04.2020 at 13:00, Andrei Petru Mura wrote:
> Hi,
>
> After configuring the systemd unit with ReadWritePaths=/home/mail, I get the following error logs in audit:
>
>     type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
>
> I have SELinux enabled, on CentOS.
> If I run:
>
>     audit2why < /var/log/audit/audit.log
>
> I get:
>
>     Was caused by:
>     Missing type enforcement (TE) allow rule.
>
> I think it's important to know that I'm trying to use dovecot with virtual users. If I try to configure it with PAM authentication using system users, it works well.
>
> Any suggestions on this?

Looks like /home/mail as mail store isn't included in the default SELinux policy. Did you make sure that the correct SELinux type is set on the directories?
https://www.unix.com/man-page/centos/8/dovecot_selinux/

If this isn't enough to get you going you might need to create your own policy. The following steps should be all that it takes to create your own policy.

Check that grep includes only lines that you want included in your new policy:

    grep dovecot /var/log/audit/audit.log | audit2allow -w

Create your new policy for Dovecot and install it:

    grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
    semodule -i dovecot_custom.pp

--
Alex JOST
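The denial above (tcontext=...:etc_runtime_t on the Maildir, syscall 83 is mkdir and 21 is access on x86_64, exit=-13 is EACCES) says the mail store carries the label of runtime-generated files under /etc, not a mail type, so the stock dovecot policy has no reason to allow the write. That is why the two answers differ: audit2allow -M would add a rule accepting the wrong label for every dovecot_t process, while Aki's relabel to mail_home_rw_t fixes the cause; and, as the top message notes, the default file contexts only cover /home/[^/]+/Maildir, so a store under any other root needs its own file-context entry. The script below is an added example written for this page, not code from the thread, from Dovecot or from the SELinux tools. The AVC line it parses is constructed to mirror the one posted here; on a real host the input would come from `ausearch -m avc -c imap -ts recent`. The list of "mail" types it treats as correctly labelled (mail_home_rw_t, mail_home_t, mail_spool_t) is this example's own shortlist.

```shell
#!/bin/sh
# Added example; not code from the thread, from Dovecot or from the SELinux
# tools. Triages an SELinux AVC denial like the one posted above and
# contrasts the two fixes discussed: audit2allow's policy widening versus
# relabelling the mail store as mail_home_rw_t.

# Constructed sample, modelled on the denial Andrei posted.
SAMPLE_AVC='type=AVC msg=audit(1586604621.637:6736): avc:  denied  { write } for  pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0'

# avc_fields LINE -> "SOURCE_TYPE TARGET_TYPE CLASS PERMS", empty for
# non-AVC lines. Only the type part of each context is kept: user and role
# do not take part in type-enforcement decisions.
avc_fields() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ *\([^}]*[^ ]\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p'
}

# audit2allow_rule SOURCE TARGET CLASS PERMS -> the TE rule "audit2allow -M"
# would put in the module. Shown to make its scope visible: it lets every
# dovecot_t process write every etc_runtime_t directory on the system, not
# just this mail store.
audit2allow_rule() {
    printf 'allow %s %s:%s { %s };\n' "$1" "$2" "$3" "$4"
}

# suggest_fix SOURCE TARGET CLASS PERMS MAILROOT -> least-privilege remedy.
# A dovecot_t denial against a target that is not a mail type means the
# store is mislabelled; add a file context for the store root and relabel,
# instead of teaching the policy to accept the wrong label.
suggest_fix() {
    mailroot=${5%/}
    case "$1:$2" in
        dovecot_t:mail_home_rw_t|dovecot_t:mail_home_t|dovecot_t:mail_spool_t)
            echo "label is already a mail type; this is a policy gap, check audit2why" ;;
        dovecot_t:*)
            # "(/.*)?" is semanage's regex idiom for "this directory and everything
            # below it". The default policy only covers /home/[^/]+/Maildir, so a
            # store under any other root needs its own entry.
            echo "semanage fcontext -a -t mail_home_rw_t '${mailroot}(/.*)?'"
            echo "restorecon -Rv '${mailroot}'" ;;
        *)
            echo "not a dovecot denial: $1 -> $2" ;;
    esac
}

# triage LINE MAILROOT: print the denial summary, the broad rule and the
# narrow fix side by side.
triage() {
    mailroot=$2
    fields=$(avc_fields "$1")
    if [ -z "$fields" ]; then
        echo "no AVC denial in line"
        return 1
    fi
    set -- $fields
    src=$1; tgt=$2; cls=$3; shift 3; perms=$*
    echo "denied: $src -> $tgt ($cls: $perms)"
    echo "broad fix (audit2allow): $(audit2allow_rule "$src" "$tgt" "$cls" "$perms")"
    echo "narrow fix (relabel):"
    suggest_fix "$src" "$tgt" "$cls" "$perms" "$mailroot"
}

triage "$SAMPLE_AVC" /home/mail
```

Before relabelling, `ls -dZ /home/mail/domain/test/Maildir` shows the current label and `restorecon -nv -R /home/mail` previews what would change once the file context exists; `semanage` is in policycoreutils-python-utils on CentOS 8. Relabel the store root rather than only the Maildir: the failing syscall is a mkdir() in the parent, which must itself be writable for dovecot_t.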
Re: Missing permissions
Hi,

After configuring the systemd unit with ReadWritePaths=/home/mail, I get the following error logs in audit:

    type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
    type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83 success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8 items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
    type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
    type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
    type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21 success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
    type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"

I have SELinux enabled, on CentOS.

If I run:

    audit2why < /var/log/audit/audit.log

I get:

    type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0

    Was caused by:
    Missing type enforcement (TE) allow rule.

I think it's important to know that I'm trying to use dovecot with virtual users. If I try to configure it with PAM authentication using system users, it works well.

Any suggestions on this?

Mura Andrei

On Sat, Apr 11, 2020 at 10:02 AM Andrei Petru Mura wrote:
> I think I found here what I'm interested in:
> https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/.
Re: Missing permissions
I think I found here what I'm interested in: https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/.

On Sat, Apr 11, 2020 at 9:52 AM Andrei Petru Mura wrote:
> Hi Aki,
>
> Thanks. I was especially interested in documentation related to Dovecot and its users' permissions, the way in which Dovecot uses users. Till now I have found only scattered information in different articles on Dovecot's website.
>
> Thanks,
> Mura Andrei
Re: Missing permissions
Hi Aki,

Thanks. I was especially interested in documentation related to Dovecot and its users' permissions, the way in which Dovecot uses users. Till now I have found only scattered information in different articles on Dovecot's website.

Thanks,
Mura Andrei

On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi wrote:
> Hi,
>
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
>
> although we probably need to add some words into doc.dovecot.org under known issues.
>
> Aki
Re: Missing permissions
Hi,

https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=

although we probably need to add some words into doc.dovecot.org under known issues.

Aki

> On 11/04/2020 09:24 Andrei Petru Mura wrote:
> > Hi Aki,
> >
> > Any documentation on this topic?
> >
> > Mura Andrei
Re: Missing permissions
Hi Aki,

Any documentation on this topic?

Mura Andrei

On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi wrote:
> This is probably caused by systemd (or SELinux or both).
>
> With systemd, you need to add
>
>     ReadWritePaths=/home/mail
>
> to the systemd unit.
>
> Then you can check /var/log/audit/audit.log for any SELinux specific problems, if you are using CentOS/Red Hat.
>
> Aki
Re: Missing permissions
Hi Michael,

I don't have AppArmor installed in my system.

Mura Andrei

On Mon, Apr 6, 2020 at 10:11 PM Michael Hirmke wrote:
> Hi Andrei,
>
> do you have AppArmor up and running?
> If so, you have to modify its config for dovecot.
>
> Bye.
> Michael.
Re: Missing permissions
Hi Andrei,

> Hi,
>
> Dovecot version 2.2.36
> In log files I get this error:
>
>     dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir) failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
>
> My authentication configuration is this:
>
>     passdb {
>       driver = passwd-file
>       args = username_format=%n /etc/dovecot/users
>     }
>
>     userdb {
>       driver = static
>       args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n /etc/dovecot/users
>     }
>
> /home/mail/domain/test directory is owned by vmail user.
> How to fix this?

do you have AppArmor up and running?
If so, you have to modify its config for dovecot.

> Mura Andrei

Bye.
Michael.
--
Michael Hirmke
Re: Missing permissions
This is probably caused by systemd (or SELinux or both).

With systemd, you need to add

    ReadWritePaths=/home/mail

to the systemd unit.

Then you can check /var/log/audit/audit.log for any SELinux specific problems, if you are using CentOS/Red Hat.

Aki

> On 06/04/2020 17:01 Andrei Petru Mura wrote:
> > Hi,
> >
> > Dovecot version 2.2.36
> > In log files I get this error:
> >
> >     dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir) failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
> >
> > My authentication configuration is this:
> >
> >     passdb {
> >       driver = passwd-file
> >       args = username_format=%n /etc/dovecot/users
> >     }
> >
> >     userdb {
> >       driver = static
> >       args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n /etc/dovecot/users
> >     }
> >
> > /home/mail/domain/test directory is owned by vmail user.
> > How to fix this?
> >
> > Mura Andrei
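The systemd half of Aki's answer is easiest to apply as a drop-in rather than by editing the vendor unit under /usr/lib/systemd/system. The script below is an added example written for this page, not Dovecot's own unit or documentation. It assumes the unit is called dovecot.service and that the mail store root is the /home/mail from the thread; the helper that derives that root from the userdb `home=` template is this example's own convenience, not a Dovecot feature. Whether ReadWritePaths= is needed at all depends on which hardening directives the packaged unit sets (ProtectHome=, ProtectSystem=); the final `systemctl show` reports what is actually in effect after the reload.

```shell
#!/bin/sh
# Added example, not part of the thread or of Dovecot's packaged unit: give
# dovecot.service write access to a mail store outside the paths its
# hardening directives leave writable, via a systemd drop-in.
# Assumptions: unit name dovecot.service; mail store root /home/mail as in
# the thread; the vendor unit may carry ProtectHome= and/or ProtectSystem=,
# which is what makes ReadWritePaths= necessary in the first place.

DROPIN_DIR=/etc/systemd/system/dovecot.service.d
DROPIN_FILE=$DROPIN_DIR/mailstore.conf

# render_dropin MAILROOT -> the drop-in text. Only the mail store is opened;
# everything else the hardening directives protect stays as it was.
render_dropin() {
    printf '%s\n' \
        '[Service]' \
        '# Punch a writable hole for the mail store only.' \
        "ReadWritePaths=$1"
}

# mailroot_for_home HOME_TEMPLATE -> the fixed prefix of a Dovecot home=
# template such as /home/mail/domain/%n, i.e. the narrowest directory that
# covers every user's home. Everything from the first %-variable onward is
# per-user and is cut off; a template with nothing fixed in front of the
# first variable yields "/", which means no single prefix exists.
mailroot_for_home() {
    pct='%'
    case $1 in
        *"$pct"*) fixed=${1%%"$pct"*}; fixed=${fixed%/*} ;;
        *)        fixed=${1%/} ;;
    esac
    printf '%s\n' "${fixed:-/}"
}

# apply_dropin MAILROOT: install the drop-in, reload and restart. Needs
# root and changes the live system, so it is not run by default.
apply_dropin() {
    mkdir -p "$DROPIN_DIR"
    render_dropin "$1" > "$DROPIN_FILE"
    systemctl daemon-reload
    systemctl restart dovecot.service
    # Confirm what systemd applied, including ProtectHome=/ProtectSystem=
    # inherited from the vendor unit.
    systemctl show dovecot.service -p ReadWritePaths -p ProtectHome -p ProtectSystem
}

# Dry run with the userdb template from the thread: prints the drop-in only.
render_dropin "$(mailroot_for_home '/home/mail/domain/%n')"
```

The helper narrows the thread's template to /home/mail/domain; Aki's broader /home/mail is equally valid and also covers sibling domains. Whatever root is chosen must include everything Dovecot writes for the user, including index and control directories if mail_location points them elsewhere. A drop-in survives package upgrades, and ReadWritePaths= only reopens the mount namespace: as the later messages show, SELinux gates the same mkdir() separately and needs its own fix.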
Missing permissions
Hi,

Dovecot version 2.2.36
In log files I get this error:

    dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir) failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))

My authentication configuration is this:

    passdb {
      driver = passwd-file
      args = username_format=%n /etc/dovecot/users
    }

    userdb {
      driver = static
      args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n /etc/dovecot/users
    }

The /home/mail/domain/test directory is owned by the vmail user.
How to fix this?

Mura Andrei
Re: Inexplicable missing permissions issue
Good day.

On 20 September 2017 at 12:07, Timo Sirainen wrote:
> That usually means you've SELinux enabled and it prevents the access.

That appears to have been the issue. I guess Fedora's got a few more complex defaults than I thought.

Thank you greatly for your assistance;
// Nelson

--
// Nelson Crosby /* n...@sourcecomb.com */
Re: Inexplicable missing permissions issue
On 19 Sep 2017, at 5.28, Nelson Crosby wrote:
> I've tried letting Dovecot create this directory, I've tried creating this directory manually and giving it any permission I can think of, I've tried playing about with the permissions throughout the entire /var/logmail tree, but to no avail.

That usually means you've SELinux enabled and it prevents the access.
Re: Inexplicable missing permissions issue
Thanks for taking a look.

> this is owned by root, and it's complaining about /var/logmail/**mbox**/ncrosby
> and dovecot cannot create this because mbox is only writable by root

That's definitely not the issue. As I explained, I've played with permissions throughout the entire /var/logmail tree (including the /var/logmail/mbox directory). Another configuration in which the exact same message occurs (including the exact same statement about being owned by 0:0):

    /var/logmail
    |-- [drwx--     root    root    ]  lost+found
    |-- [drwxrwxr-x root    mail    ]  mbox
    |   `-- [drwxr-xr-x ncrosby ncrosby ]  ncrosby
    `-- [drwxrwxr-x root    mail    ]  spool
        |-- [-rw-rw     fedora  mail    ]  fedora
        `-- [-rw-rw     ncrosby mail    ]  ncrosby

    4 directories, 2 files

Your time is appreciated;
// Nelson

--
// Nelson Crosby /* nels...@sourcecomb.com */
Re: Inexplicable missing permissions issue
On 19.09.2017 05:28, Nelson Crosby wrote:
> Greetings all.
>
> I've been having great difficulty getting Dovecot working. I'm getting stuck with using mbox directories outside of /home. Dovecot keeps giving me this message:
>
>     imap(ncrosby): Namespace '': stat(/var/logmail/mbox/ncrosby) failed: Permission denied (euid=1001(ncrosby) egid=1001(ncrosby) missing +w perm: /var/logmail/mbox/ncrosby stat(/var/logmail/mbox/ncrosby) failed: Permission denied, dir owned by 0:0 mode=0755) in=0 out=340
>
> I've tried letting Dovecot create this directory, I've tried creating this directory manually and giving it any permission I can think of, I've tried playing about with the permissions throughout the entire /var/logmail tree, but to no avail.
>
> Below is my setup. I appreciate any input.
>
> Here's `tree -apug /var/logmail`:
>
>     /var/logmail
>     ├── [drwx--     root    root    ]  lost+found
>     ├── [drwxr-xr-x root    root    ]  mbox

This is owned by root, and it's complaining about /var/logmail/**mbox**/ncrosby, and Dovecot cannot create this because mbox is only writable by root.

Aki
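Both threads on this page reach the same diagnostic fork: Dovecot reports "missing +w perm ... UNIX perms appear ok (ACL/MAC wrong?)", meaning it has already checked the classic mode bits itself and found them sufficient, so the EACCES must come from another layer (a POSIX ACL, a read-only systemd namespace, AppArmor, or SELinux, which is where both threads ended; the trailing "." in `drwxr-xr-x.` in the original post's ls output is ls signalling that an SELinux label is present). Aki's reply above takes the other branch first, a genuinely root-owned 0755 directory, which is the right thing to rule out before blaming a MAC. The script below is an added example, not Dovecot's code: it reproduces that DAC walk for an arbitrary user so the two cases can be told apart on the command line. It assumes GNU or busybox `stat -c`, considers only the primary group named on the command line (not supplementary groups), and is meaningful only for an unprivileged mail user, since root bypasses mode bits through CAP_DAC_OVERRIDE.

```shell
#!/bin/sh
# Added example; not Dovecot's code. Reproduces the classic-permission (DAC)
# check behind Dovecot's
#   "missing +w perm: <dir>, UNIX perms appear ok (ACL/MAC wrong?)"
# Walking every path component as the mail user shows which directory, if
# any, denies traversal (+x) or, on the last one, creation (+w). When this
# prints "ok" and mkdir()/stat() still fail with EACCES, mode bits are not
# the cause; look at POSIX ACLs, the systemd namespace, AppArmor or SELinux.
# Assumptions: GNU/busybox stat (-c); only the primary group given on the
# command line is considered; run for an unprivileged user, not root.

# mode_bits MODE WHO -> the rwx triplet for WHO (u, g or o) out of a
# symbolic mode string such as drwxr-xr-x.
mode_bits() {
    case $2 in
        u) printf '%s\n' "$1" | cut -c2-4 ;;
        g) printf '%s\n' "$1" | cut -c5-7 ;;
        o) printf '%s\n' "$1" | cut -c8-10 ;;
    esac
}

# has_bit TRIPLET LETTER -> success if the triplet grants r, w or x.
# s and t (setuid/setgid/sticky with x) carry an x bit; S and T do not.
has_bit() {
    case $2 in
        r) case $1 in r??) return 0 ;; esac ;;
        w) case $1 in ?w?) return 0 ;; esac ;;
        x) case $1 in ??[xst]) return 0 ;; esac ;;
    esac
    return 1
}

# dac_walk DIR USER GROUP -> "ok", or the first failing check as
# "missing +x on <path>", "missing +w on <path>" or "missing: <path>".
# DIR is the directory Dovecot wants to create something in, e.g. the
# /home/mail/domain named in the 2020 thread.
dac_walk() {
    target=${1%/}; user=$2; group=$3
    prefix=
    old_ifs=$IFS
    IFS=/; set -f; set -- $target; set +f; IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        prefix="$prefix/$comp"
        info=$(stat -c '%A %U %G' "$prefix" 2>/dev/null) || { echo "missing: $prefix"; return 1; }
        mode=${info%% *}; rest=${info#* }
        owner=${rest%% *}; grp=${rest#* }
        # Same owner / group / other selection the kernel makes for a DAC check.
        if [ "$owner" = "$user" ]; then who=u
        elif [ "$grp" = "$group" ]; then who=g
        else who=o
        fi
        bits=$(mode_bits "$mode" "$who")
        has_bit "$bits" x || { echo "missing +x on $prefix"; return 1; }
        if [ "$prefix" = "$target" ]; then
            has_bit "$bits" w || { echo "missing +w on $prefix"; return 1; }
        fi
    done
    echo ok
}

# Usage: sh dac_walk.sh DIR USER GROUP
#   2020 thread: sh dac_walk.sh /home/mail/domain vmail vmail
#   2017 thread: sh dac_walk.sh /var/logmail/mbox ncrosby ncrosby
if [ $# -eq 3 ]; then
    dac_walk "$@"
fi
```

For the 2017 tree as first posted, the walk stops at /var/logmail/mbox with "missing +w" (root-owned 0755, which is exactly Aki's point); for the second tree Nelson posted (mbox is root:mail 0775 and ncrosby/ owned by ncrosby) it prints "ok", which is the signal to stop touching mode bits and run `getenforce`, `ls -dZ` on the directory and `ausearch -m avc -c imap -ts recent`.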
Inexplicable missing permissions issue
Greetings all.

I've been having great difficulty getting Dovecot working. I'm getting stuck with using mbox directories outside of /home. Dovecot keeps giving me this message:

    imap(ncrosby): Namespace '': stat(/var/logmail/mbox/ncrosby) failed: Permission denied (euid=1001(ncrosby) egid=1001(ncrosby) missing +w perm: /var/logmail/mbox/ncrosby stat(/var/logmail/mbox/ncrosby) failed: Permission denied, dir owned by 0:0 mode=0755) in=0 out=340

I've tried letting Dovecot create this directory, I've tried creating this directory manually and giving it any permission I can think of, I've tried playing about with the permissions throughout the entire /var/logmail tree, but to no avail.

Below is my setup. I appreciate any input.

Here's `tree -apug /var/logmail`:

    /var/logmail
    ├── [drwx--     root    root    ]  lost+found
    ├── [drwxr-xr-x root    root    ]  mbox
    └── [drwxrwxr-x root    mail    ]  spool
        ├── [-rw-rw     fedora  mail    ]  fedora
        └── [-rw-rw     ncrosby mail    ]  ncrosby

    3 directories, 2 files

And permissions for `/var/logmail` itself:

    drwxr-xr-x. 5 root root 4096 Sep 19 01:52 .

And now `doveconf -n`:

    # 2.2.31 (65cde28): /etc/dovecot/dovecot.conf
    # OS: Linux 4.11.8-300.fc26.x86_64 x86_64 Fedora release 26 (Twenty Six) ext4
    disable_plaintext_auth = no
    mail_location = mbox:/var/logmail/mbox/%n:INBOX=/var/logmail/spool/%n
    mbox_write_locks = fcntl
    namespace inbox {
      inbox = yes
      location =
      mailbox Drafts {
        special_use = \Drafts
      }
      mailbox Junk {
        special_use = \Junk
      }
      mailbox Sent {
        special_use = \Sent
      }
      mailbox "Sent Messages" {
        special_use = \Sent
      }
      mailbox Trash {
        special_use = \Trash
      }
      prefix =
    }
    passdb {
      args = dovecot
      driver = pam
    }
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0666
        user = postfix
      }
    }
    ssl = no
    ssl_cert =