hello all,
I believe that my issue could be related to SELinux.
I'm a newbie with SELinux but I don't want to disable it.
I tried to enable write access to everyone on the /home folder (chmod 777 /home)
and in this way the home folder tree is created when the first email is delivered, but as you can see from the ls output:
ls -laZ /home/
drwx------. 3 ivan domain users unconfined_u:object_r:user_home_dir_t:s0 248 Oct 5 17:31 ivan
drwx------. 3 testivan domain users system_u:object_r:home_root_t:s0 21 Oct 7 14:33 testivan
the first home folder was created when the user connected to the server via SSH, the second one was created by dovecot LMTP or IMAP.
as you can see, the SELinux permissions are different on the 2 home folders and, even if the directory is correctly created, the message cannot be delivered to the Maildir folder.
Oct 7 15:26:44 dt-sl-mail setroubleshoot[55495]: SELinux is preventing /usr/libexec/dovecot/imap from create access on the file mailboxes.lock4722088b443a5514. For complete SELinux messages run: sealert -l 095ce080-5405-4de3-980b-30c2b2d3dc3f
Oct 7 15:26:44 dt-sl-mail setroubleshoot[55495]: SELinux is preventing /usr/libexec/dovecot/imap from create access on the file mailboxes.lock4722088b443a5514.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that imap should be allowed create access on the mailboxes.lock4722088b443a5514 file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'imap' --raw | audit2allow -M my-imap#012# semodule -X 300 -i my-imap.pp#012
this is the sealert output:
sealert -l 095ce080-5405-4de3-980b-30c2b2d3dc3f
SELinux is preventing /usr/libexec/dovecot/imap from create access on the file mailboxes.lock907fc1763d8833c8.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that imap should be allowed create access on the mailboxes.lock907fc1763d8833c8 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'imap' --raw | audit2allow -M my-imap
# semodule -X 300 -i my-imap.pp
Additional Information:
Source Context system_u:system_r:dovecot_t:s0
Target Context system_u:object_r:home_root_t:s0
Target Objects mailboxes.lock907fc1763d8833c8 [ file ]
Source imap
Source Path /usr/libexec/dovecot/imap
Port <Unknown>
Host dt-sl-mail
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name dt-sl-mail
Platform Linux dt-sl-mail 4.18.0-305.19.1.el8_4.x86_64 #1
SMP Wed Sep 15 19:12:32 UTC 2021 x86_64 x86_64
Alert Count 107
First Seen 2021-10-07 14:25:28 CEST
Last Seen 2021-10-07 15:36:36 CEST
Local ID 095ce080-5405-4de3-980b-30c2b2d3dc3f
Raw Audit Messages
type=AVC msg=audit(1633613796.754:2244): avc: denied { create } for pid=55829 comm="imap" name="mailboxes.lock907fc1763d8833c8" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=0
Hash: imap,dovecot_t,home_root_t,file,create
I tried to run the commands explained above but nothing has changed.
these are the other dovecot errors:
Oct 7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: open(/home/testivan) failed: Permission denied
Oct 7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: mkdir(/home/testivan/Maildir) failed: Permission denied (euid=401401110(testivan) egid=401400513(domain users) stat(/home/testivan/Maildir) failed: No such file or directory)
Oct 7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: open(/home/testivan/Maildir) failed: Permission denied
Oct 7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: mkdir(/home/testivan/Maildir) failed: Permission denied (euid=401401110(testivan) egid=401400513(domain users) UNIX perms appear ok (ACL/MAC wrong?))
Oct 7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: lmtp-server: conn unix:pid=55076,uid=89 [1]: rcpt testivan@devoteam.it: Mailbox INBOX: Failed to autocreate mailbox: Internal error occurred. Refer to server log for more information. [2021-10-07 15:26:45]
Oct 7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: sieve: msgid=<DSNr7Mz-vdaTrvc@mail.devoteam.it>: failed to store into mailbox 'INBOX': Internal error occurred. Refer to server log for more information. [2021-10-07 15:26:45]
Oct 7 15:26:45 dt-sl-mail dovecot[2920]: lmtp(testivan)<55607><qZCTGZX1XmE32QAAkHUkcQ>: Error: sieve: Execution of script /var/spool/mail/SpamToJunk.sieve was aborted due to temporary failure
could you help me find the right way to set the SELinux permissions?
thanks
Ivan
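As an added example for triaging denials like the ones quoted above (this is not part of Ivan's post), the shell script below does two things: it normalizes a raw AVC audit line into the same comm,source type,target type,class,permission key that sealert prints on its "Hash:" line, so repeated denials can be grouped, and it scans `ls -laZ` output for home directories whose SELinux type label differs from the expected one. Both sample inputs are constructed from the lines in the post; the function names `avc_key` and `home_label_check` are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): group AVC denials by their sealert-style
# key and flag home directories that carry an unexpected SELinux type.

# Constructed sample: the raw audit line quoted in the post.
SAMPLE_AVC='type=AVC msg=audit(1633613796.754:2244): avc: denied { create } for pid=55829 comm="imap" name="mailboxes.lock907fc1763d8833c8" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=0'

# Constructed sample: the two "ls -laZ /home/" lines from the post.
SAMPLE_LS='drwx------. 3 ivan domain users unconfined_u:object_r:user_home_dir_t:s0 248 Oct 5 17:31 ivan
drwx------. 3 testivan domain users system_u:object_r:home_root_t:s0 21 Oct 7 14:33 testivan'

# avc_key LINE
# Prints "comm,source_type,target_type,tclass,permission", the same tuple
# sealert shows as "Hash:", so identical denials collapse to one key.
avc_key() {
    printf '%s\n' "$1" | awk '
    {
        perm = ""; comm = ""; stype = ""; ttype = ""; tclass = ""
        # The requested permission(s) sit between "{ " and " }".
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) {
                comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm)
            } else if ($i ~ /^scontext=/) {
                # user:role:type:level -> third colon-separated field is the type
                split($i, a, ":"); stype = a[3]
            } else if ($i ~ /^tcontext=/) {
                split($i, b, ":"); ttype = b[3]
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            }
        }
        printf "%s,%s,%s,%s,%s\n", comm, stype, ttype, tclass, perm
    }'
}

# home_label_check LS_Z_OUTPUT EXPECTED_TYPE
# Prints the name of every entry whose SELinux type is not EXPECTED_TYPE.
# The context field is located by pattern because "domain users" contains a
# space and shifts the column positions.
home_label_check() {
    printf '%s\n' "$1" | awk -v want="$2" '
    NF >= 5 {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[a-z_]+_u:[a-z_]+_r:[a-z_]+_t:/) {
                split($i, c, ":")
                if (c[3] != want) print $NF
            }
        }
    }'
}

# Stand-alone run: summarize the sample denial and flag mislabelled homes.
avc_key "$SAMPLE_AVC"
home_label_check "$SAMPLE_LS" user_home_dir_t
```

The second check reproduces the observation in the post: /home/testivan carries home_root_t while /home/ivan carries user_home_dir_t, and the denial's target context is that same home_root_t. The default label for a path can be queried with `matchpathcon /home/testivan` and reapplied with `restorecon -Rv /home/testivan`; the audit2allow module that sealert suggests would instead grant dovecot_t access to home_root_t-labelled files, which is broader than correcting the label on the directory that was created with the wrong type.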