Hi all,

I am in the process of migrating a dovecot installation from RHEL8 to RHEL9, 
this time round I am trying to get everything to work in selinux enforcing mode.

First error I am stuck on is as follows:

Error: sieve: file storage: Failed to stat sieve storage path: 
stat(/var/lib/dovecot/sieve/vacation.sieve) failed: Permission denied 
(euid=377(vmail) egid=376(vmail) missing +x perm: /var/lib/dovecot, we're not 
in group 97(dovecot), dir owned by 97:97 mode=0750)

It appears that the vmail user cannot access /var/lib/dovecot, because under 
RHEL9 the permissions are hidden to the world.

[root@seawitch dovecot]# ls -al /var/lib/dovecot
total 12
drwxr-x---.  3 dovecot dovecot   36 Jul 21 17:51 .

Am I correct in interpreting the error message as meaning that 
/var/lib/dovecot/sieve is not a correct directory for global sieve scripts, and 
they need to go somewhere else?

If they do need to go somewhere else, in the world of enforcing selinux, where 
do they go?

While dovecot-selinux is documented, sieve is not mentioned:

https://linux.die.net/man/8/dovecot_selinux

So, let’s work around the above error by adding the vmail user to the dovecot 
group. Is this even a good idea?

/usr/sbin/usermod -a -G dovecot vmail

Now we hit the next error:

Error: sieve: file storage: Failed to stat sieve storage path: 
stat(/var/lib/dovecot/sieve/vacation.sieve) failed: Permission denied 
(euid=380(vmail) egid=378(vmail) missing +w perm: 
/var/lib/dovecot/sieve/vacation.sieve 
stat(/var/lib/dovecot/sieve/vacation.sieve) failed: Permission denied, dir 
owned by 0:0 mode=0755)

This error is weird. Dovecot is trying to open the original vacation.sieve 
source file for write - why?

We have pre-compiled all the global sieve scripts:

[root@marcopolo ~]# ls -al /var/lib/dovecot/sieve/
total 36
drwxr-xr-x. 5 root    root    4096 Jul 21 17:29 .
drwxr-x---. 3 dovecot dovecot   36 Jul 21 17:29 ..
-rwxr-xr-x. 1 root    root     284 Jul 21 08:47 junk.sieve
-rw-r--r--. 1 root    root     277 Jul 21 17:29 junk.svbin
-rwxr-xr-x. 1 root    root     316 Jul 21 08:47 report-ham.sieve
-rw-r--r--. 1 root    root     476 Jul 21 17:29 report-ham.svbin
-rwxr-xr-x. 1 root    root     201 Jul 21 08:47 report-spam.sieve
-rw-r--r--. 1 root    root     382 Jul 21 17:29 report-spam.svbin
drwxr-xr-x. 2 root    root       6 Jul 21 08:47 sieve-execute
drwxr-xr-x. 2 root    root       6 Jul 21 08:47 sieve-filter
drwxr-xr-x. 2 root    root       6 Jul 21 08:47 sieve-pipe
-rwxr-xr-x. 1 root    root     309 Jul 21 08:47 vacation.sieve
-rw-r--r--. 1 root    root     558 Jul 21 17:29 vacation.svbin

Is the error perhaps inaccurate, and it’s trying to open a temp file for write, 
failing (correctly, it has no business opening a temp file for write at this 
point), and then claiming the failure on the temp file is a failure on the 
source file?

So to sum up:

- In an SELinux world of Red Hat, what directory do global sieve scripts go in?
- What permissions and SELinux context are required on the global sieve scripts 
directory?

Regards,
Graham
—

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
