dovecot being blocked by selinux? could you please advise?
  1. #1

    dovecot being blocked by selinux? (fixed)

    got it fixed by

    touch /.autorelabel
    reboot

    type=AVC msg=audit(1530909442.543:4021): avc: denied { write } for pid=7232 comm="lmtp" name="vmail" dev="vda1" ino=642486 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0

    drwxrwx---. 2 vmail mail 4096 permission for the mail folder.

    failed: Permission denied (euid=150(vmail) egid=8(mem) UNIX perms appear ok (ACL/MAC wrong?))
    Last edited by Anonymous; 9th July 2018 at 01:32 AM.
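
The AVC record in the post above, decoded field by field, as an added example that is not part of the original thread. The function names and the two placeholder paths are assumptions; the record gives only the directory's name and inode, not its path.

```sh
#!/bin/sh
# Added example: decode an SELinux AVC record with POSIX sh + sed.
# Function names and the two placeholder paths are assumptions.

# Sample input: the AVC line quoted in the post above.
AVC_LINE='type=AVC msg=audit(1530909442.543:4021): avc: denied { write } for pid=7232 comm="lmtp" name="vmail" dev="vda1" ino=642486 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0'

# avc_field KEY LINE: value of KEY=..., surrounding quotes stripped
# (quoted audit values contain no spaces, so one token per field).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms LINE: the denied permission(s) between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type, third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one-line reading of the denial.
avc_summary() {
    printf '%s denied { %s } on %s "%s" labelled %s (ino %s on %s)\n' \
        "$(ctx_type "$(avc_field scontext "$1")")" "$(avc_perms "$1")" \
        "$(avc_field tclass "$1")" "$(avc_field name "$1")" \
        "$(ctx_type "$(avc_field tcontext "$1")")" \
        "$(avc_field ino "$1")" "$(avc_field dev "$1")"
}

# label_check_plan LINE MOUNTPOINT DIR: print, without running them, the
# commands that locate the object by inode, compare its label with the
# policy default, and restore the default label on that directory only.
label_check_plan() {
    printf 'find %s -xdev -inum %s\n' "$2" "$(avc_field ino "$1")"
    printf 'ls -Zd %s\nmatchpathcon -V %s\nrestorecon -Rv %s\n' "$3" "$3" "$3"
}

avc_summary "$AVC_LINE"
# /MOUNTPOINT and /PATH/TO/vmail are placeholders, not values from the thread.
label_check_plan "$AVC_LINE" /MOUNTPOINT /PATH/TO/vmail
```

If `matchpathcon -V` reports that the directory's label differs from the policy default, `restorecon -Rv` on that directory applies the same default label that the `/.autorelabel` reboot applies to the whole filesystem.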

  2. #2
    PabloTwo

    How about adding the user to the "mail" group?

    Or a possible workaround as suggested here.
    Last edited by PabloTwo; 8th July 2018 at 07:35 PM.

  3. #3

    What do I put for file type?

    SELinux is preventing lmtp from write access on the directory vmail.

    ***** Plugin catchall_labels (83.8 confidence) suggests *******************

    If you want to allow lmtp to have write access on the vmail directory
    Then you need to change the label on vmail
    Do
    # semanage fcontext -a -t FILE_TYPE 'vmail'
    where FILE_TYPE is one of the following: admin_home_t, cache_home_t, config_home_t, data_home_t, dovecot_spool_t, dovecot_tmp_t, dovecot_var_lib_t, dovecot_var_log_t, dovecot_var_run_t, gconf_home_t, gnome_home_t, httpd_user_content_t, httpd_user_script_exec_t, krb5_host_rcache_t, mail_home_rw_t, mail_spool_t, mozilla_plugin_rw_t, postfix_private_t, telepathy_cache_home_t, telepathy_data_home_t, tmp_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, var_lib_t, var_log_t, var_run_t, virt_home_t.
    Then execute:
    restorecon -v 'vmail'

  4. #4
    PabloTwo

    Good question, and one that I can't answer. But I would suspect that depends on where the vmail directory is located and possibly who/what is trying to access it. Surely there are those much more qualified to give direction here than myself.

  5. #5

    my $0.02:
    "Those Who Sacrifice Liberty For Security Deserve Neither" -- Benjamin Franklin

    I see no point in running selinux in a personal PC, the cr4p only makes sense in a multi-user system, somewhere deep in a military bunker.
    "monsters John ... monsters from the ID..."
    "ma vule teva maar gul nol naya"

  6. #6

    Bob, this is for a fedora server (a mail server), not a personal pc
    Last edited by Anonymous; 9th July 2018 at 12:07 AM.

  7. #7

    Quote Originally Posted by Anonymous
    Bob, this is for a fedora server (a mail server), not a personal pc
    zorri.
    well, here *( my mail server, last time it was hacked, was before the big bang, i.e. never, and it never will).

    Code:
    [root@mail ~]# grep disable /etc/selinux/config
    SELINUX=disabled
    SELINUXTYPE=disabled
    Code:
    [root@mail ~]# ps -ef | grep dovecot
    root       700   675  0 19:04 pts/0    00:00:00 grep --color=auto dovecot
    root       826     1  0 Jun30 ?        00:00:02 /usr/sbin/dovecot
    dovenull   828   826  0 Jun30 ?        00:00:00 dovecot/imap-login
    dovecot    829   826  0 Jun30 ?        00:00:00 dovecot/anvil
    root       830   826  0 Jun30 ?        00:00:00 dovecot/log
    root       832   826  0 Jun30 ?        00:00:02 dovecot/config
    dovecot    833   826  0 Jun30 ?        00:00:04 dovecot/auth
    
    [root@mail ~]# systemctl status dovecot
    ● dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
       Active: active (running) since Sat 2018-06-30 05:11:17 CEST; 1 weeks 2 days ago
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
     Main PID: 826 (dovecot)
        Tasks: 6 (limit: 4915)
       CGroup: /system.slice/dovecot.service
               ├─826 /usr/sbin/dovecot
               ├─828 dovecot/imap-login
               ├─829 dovecot/anvil
               ├─830 dovecot/log
               ├─832 dovecot/config
               └─833 dovecot/auth
    IMHO, selinux is just NSA's backdoor to my comps (since it was built by them). Ergo, I just will never, EVER use that stuff. Period. And I am safer than the ones using it.

    EDIT: in fact I know several heavy programming dudes that won't go linux due to SElinux. I tested Manjaro, like klerksdorp here suggested, but the package support for it is not up to par. So if I could have my Fedora recompiled without any NSA cr4p, I would.
    The words "safety", "security", "enforcement", are loved by the paranoid masters we all serve.
    Last edited by bobx001; 9th July 2018 at 06:15 PM.