Hi John,

just for completeness, here are the additional policies to SELinux that I had enabled (prior to semanage permissive -a dovecot_auth_t):

#============= dovecot_auth_t ==============

#!!!! This avc is allowed in the current policy
allow dovecot_auth_t dovecot_t:tcp_socket { accept getattr };

#!!!! This avc is allowed in the current policy
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;

With these, I do not see any avc in audit.log, but see the core dump.

Best regards
Alex

On Mon, 2023-11-20 at 08:47 +0100, Alexander Vogt wrote:
> Hi John,
>
> thanks - yes, this is a new setup (I am migrating to CentOS 9). SELinux
> is enabled, but audit.log does not show an AVC. However, I ran
>
> semanage permissive -a dovecot_t
>
> and I am now able to dump the core. It is attached. With
>
> semanage permissive -a dovecot_auth_t
>
> auth seems to work. Now that it is established that the issue is due to
> SELinux, I need to figure out how to solve it. SELinux was one of the
> key motivations for the migration :)
> Could you see what is going on from the dump?
>
> Best regards
> Alex
>
>
> On Sun, 2023-11-19 at 20:39 -0500, John Stoffel wrote:
> > >>>>> "Alexander" == Alexander Vogt via dovecot <dovecot@dovecot.org> writes:
> >
> > Is this a new setup? Do you have SELinux enabled? Or are you doing
> > chroot'd setup? If so, back it all off one by one and see what's
> > going on. The fact that you can't dump core because you can't write
> > somewhere tells me that your system is locked down really hard in
> > some manner.
> >
> > The fd not supporting epoll() is also suspect to me. Can you give
> > more details on your system setup? Do you have apparmor turned on?
> > Have you looked in your system logs as well?
> >
> > John
> >
> >
> > > dovecot auth service is failing when using an inet_service. The
> > > configuration is essentially:
> > >
> > > service auth {
> > >   inet_listener {
> > >     address = *
> > >     port = 12345
> > >   }
> > >   unix_listener auth-userdb {
> > >     group = vmail
> > >     mode = 0666
> > >     user = vmail
> > >   }
> > > }
> > >
> > > When I connect to port 12345 (real IMAP client or telnet doesn't make a
> > > difference), the auth service crashes.
> > >
> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Panic:
> > > epoll_ctl(add, 13) failed: Operation not permitted (fd doesn't support
> > > epoll)
> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Error: Raw
> > > backtrace: /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x46)
> > > [0x7f9319f89486] ->
> > > /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x22) [0x7f9319f895a2]
> > > -> /usr/lib64/dovecot/libdovecot.so.0(+0x10a41b) [0x7f9319f9841b] ->
> > > /usr/lib64/dovecot/libdovecot.so.0(+0x10a4b7) [0x7f9319f984b7] ->
> > > /usr/lib64/dovecot/libdovecot.so.0(+0x5d11a) [0x7f9319eeb11a] ->
> > > /usr/lib64/dovecot/libdovecot.so.0(+0x609b0) [0x7f9319eee9b0] ->
> > > /usr/lib64/dovecot/libdovecot.so.0(+0x1215ba) [0x7f9319faf5ba] ->
> > > /usr/lib64/dovecot/libdovecot.so.0(io_add_to+0x1d) [0x7f9319faf62d] ->
> > > /usr/lib64/dovecot/libdovecot.so.0(io_add+0x28) [0x7f9319faf668] ->
> > > /usr/lib64/dovecot/libdovecot.so.0(master_service_io_listeners_add+0x8a)
> > > [0x7f9319f1d16a] ->
> > > /usr/lib64/dovecot/libdovecot.so.0(master_service_init_finish+0xff)
> > > [0x7f9319f24bdf] -> dovecot/auth(main+0x389) [0x55745603a4f9] ->
> > > /lib64/libc.so.6(+0x3feb0) [0x7f931963feb0] ->
> > > /lib64/libc.so.6(__libc_start_main+0x80) [0x7f931963ff60] ->
> > > dovecot/auth(_start+0x25) [0x55745603a715]
> > >
> > > System info (sysreport attached):
> > > # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
> > > # Pigeonhole version 0.5.16 (09c29328)
> > > # OS: Linux 5.14.0-383.el9.x86_64 x86_64 CentOS Stream release 9
> > >
> > > This exact configuration is known to work on this system:
> > > # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
> > > # Pigeonhole version 0.4.21 (92477967)
> > >
> > > I tried for almost two hours to get a core dump for this, but finally
> > > gave up. I followed https://www.dovecot.org/bugreport-mail/#coredumps
> > > and other sources but the best I could get was
> > >
> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Fatal: master:
> > > service(auth): child 7198 killed with signal 6 (core not dumped -
> > > https://dovecot.org/bugreport.html#coredumps - core wasn't writable?)
> > >
> > > for
> > >
> > > cat /proc/sys/kernel/core_pattern
> > > /tmp/core.%e.%p
> > >
> > > (which is 1777).
> > >
> > > Any help to get this resolved would be much appreciated!
> > > Thanks and best regards
> > > Alex
> > > [DELETED ATTACHMENT dovecot-sysreport-imap.linexus.de-1700427979.tar.gz,
> > > application/x-compressed-tar]

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
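
Added example, not part of the original mail and not Dovecot or SELinux project code: a small Python parser showing how AVC denial records in audit.log map to the two allow rules quoted at the top of this message, and which of them were only logged because the domain was permissive. The audit records are constructed for illustration (pids, timestamps and ports are assumptions), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log records for illustration; pids, serials and ports are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700427000.101:501): avc:  denied  { accept } for  pid=7198 comm="auth" lport=12345 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700427000.102:502): avc:  denied  { getattr } for  pid=7198 comm="auth" lport=12345 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700427000.103:503): avc:  denied  { name_connect } for  pid=7198 comm="auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700427000.103:503): arch=c000003e syscall=42 success=yes exit=0 comm="auth"
"""

# Pulls permissions, both contexts, the object class and the permissive flag from an AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Return one dict per AVC denial; non-AVC records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append({
                "source": selinux_type(m["scon"]),
                "target": selinux_type(m["tcon"]),
                "tclass": m["tclass"],
                "perms": m["perms"].split(),
                # permissive=1: the access was logged but not blocked
                "permissive": m["permissive"] == "1",
            })
    return records

def allow_rules(records):
    """Merge denials per (source, target, class) into audit2allow-style allow rules."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["source"], r["target"], r["tclass"])].update(r["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_avcs(SAMPLE_AUDIT_LOG)):
        print(rule)
```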