Hi Alex,

I don't know anything about SELinux, beyond that it's a pain to work
with and causes all kinds of funky issues.  Make sure you turn on
verbose logging with SELinux so that you can see all that it's doing,
but honestly, I cannot help you much more.  

John



> just for completeness, here are the additional policies to SELinux that
> I had enabled (prior to semanage permissive -a dovecot_auth_t): 

> #============= dovecot_auth_t ==============

> #!!!! This avc is allowed in the current policy
> allow dovecot_auth_t dovecot_t:tcp_socket { accept getattr };

> #!!!! This avc is allowed in the current policy
> allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;

> With these, I do not see any avc in audit.log, but see the core dump. 

> Best regards
> Alex

> On Mon, 2023-11-20 at 08:47 +0100, Alexander Vogt wrote:
>> Hi John, 
>> 
>> thanks - yes, this is a new setup (I am migrating to CentOS 9). SELinux
>> is enabled, but audit.log does not show an AVC. However, I ran 
>> 
>> semanage permissive -a dovecot_t
>> 
>> and I am now able to dump the core. It is attached. With
>> 
>> semanage permissive -a dovecot_auth_t
>> 
>> auth seems to work. Now that it is established that the issue is due to
>> SELinux, I need to figure out how to solve it. SELinux was one of the
>> key motivations for the migration :)
>> Could you see what is going on from the dump? 
>> 
>> Best regards
>> Alex
>> 
>> 
>> On Sun, 2023-11-19 at 20:39 -0500, John Stoffel wrote:
>> > >>>>> "Alexander" == Alexander Vogt via dovecot <dovecot@dovecot.org> writes:
>> > 
>> > Is this a new setup?  Do you have SELinux enabled?  Or are you doing a
>> > chroot'd setup?  If so, back it all off one by one and see what's
>> > going on.  The fact that you can't dump core because you can't write
>> > somewhere tells me that your system is locked down really hard in
>> > some manner.  
>> > 
>> > The fd not supporting epoll() is also suspect to me.  Can you give
>> > more details on your system setup?  Do you have apparmor turned on?
>> > Have you looked in your system logs as well?
>> > 
>> > John
>> > 
>> > 
>> > > dovecot auth service is failing when using an inet_service. The
>> > > configuration is essentially: 
>> > 
>> > > service auth {
>> > >   inet_listener {
>> > >     address = *
>> > >     port = 12345
>> > >   }
>> > >   unix_listener auth-userdb {
>> > >     group = vmail
>> > >     mode = 0666
>> > >     user = vmail
>> > >   }
>> > > }
>> > 
>> > > When I connect to port 12345 (real IMAP client or telnet doesn't make a
>> > > difference), the auth service crashes. 
>> > 
>> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Panic:
>> > > epoll_ctl(add, 13) failed: Operation not permitted (fd doesn't support
>> > > epoll)
>> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Error: Raw
>> > > backtrace: /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x46)
>> > > [0x7f9319f89486] ->
>> > > /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x22) [0x7f9319f895a2]
>> > > -> /usr/lib64/dovecot/libdovecot.so.0(+0x10a41b) [0x7f9319f9841b] ->
>> > > /usr/lib64/dovecot/libdovecot.so.0(+0x10a4b7) [0x7f9319f984b7] ->
>> > > /usr/lib64/dovecot/libdovecot.so.0(+0x5d11a) [0x7f9319eeb11a] ->
>> > > /usr/lib64/dovecot/libdovecot.so.0(+0x609b0) [0x7f9319eee9b0] ->
>> > > /usr/lib64/dovecot/libdovecot.so.0(+0x1215ba) [0x7f9319faf5ba] ->
>> > > /usr/lib64/dovecot/libdovecot.so.0(io_add_to+0x1d) [0x7f9319faf62d] ->
>> > > /usr/lib64/dovecot/libdovecot.so.0(io_add+0x28) [0x7f9319faf668] ->
>> > > /usr/lib64/dovecot/libdovecot.so.0(master_service_io_listeners_add+0x8a
>> > > ) [0x7f9319f1d16a] ->
>> > > /usr/lib64/dovecot/libdovecot.so.0(master_service_init_finish+0xff)
>> > > [0x7f9319f24bdf] -> dovecot/auth(main+0x389) [0x55745603a4f9] ->
>> > > /lib64/libc.so.6(+0x3feb0) [0x7f931963feb0] ->
>> > > /lib64/libc.so.6(__libc_start_main+0x80) [0x7f931963ff60] ->
>> > > dovecot/auth(_start+0x25) [0x55745603a715]
>> > 
>> > > System info (sysreport attached): 
>> > > # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
>> > > # Pigeonhole version 0.5.16 (09c29328)
>> > > # OS: Linux 5.14.0-383.el9.x86_64 x86_64 CentOS Stream release 9 
>> > 
>> > > This exact configuration is known to work on this system: 
>> > > # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
>> > > # Pigeonhole version 0.4.21 (92477967)
>> > 
>> > > I tried for almost two hours to get a core dump for this, but finally
>> > > gave up. I followed https://www.dovecot.org/bugreport-mail/#coredumps
>> > > and other sources but the best I could get was
>> > 
>> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Fatal: master:
>> > > service(auth): child 7198 killed with signal 6 (core not dumped -
>> > > https://dovecot.org/bugreport.html#coredumps - core wasn't writable?)
>> > 
>> > > for 
>> > 
>> > > cat /proc/sys/kernel/core_pattern
>> > > /tmp/core.%e.%p
>> > 
>> > > (which is 1777). 
>> > 
>> > > Any help to get this resolved would be much appreciated! 
>> > > Thanks and best regards
>> > > Alex
>> > > [DELETED ATTACHMENT dovecot-sysreport-imap.linexus.de-1700427979.tar.gz, 
>> > > application/x-compressed-tar]
>> > > _______________________________________________
>> > > dovecot mailing list -- dovecot@dovecot.org
>> > > To unsubscribe send an email to dovecot-le...@dovecot.org
>> 
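
Added example, not part of the thread: a simplified stand-in for audit2allow that turns AVC records for one source domain into allow rules of the kind quoted above. The function name avc_to_rules and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample records in audit.log AVC format (not taken from the thread).
# permissive=1: the access was logged but allowed because the domain is permissive.
SAMPLE_AVC='type=AVC msg=audit(1700470001.101:801): avc:  denied  { accept } for  pid=4001 comm="auth" lport=12345 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700470001.102:802): avc:  denied  { getattr } for  pid=4001 comm="auth" lport=12345 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700470001.250:803): avc:  denied  { name_connect } for  pid=4001 comm="auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700470002.010:804): avc:  denied  { read } for  pid=4100 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700470002.010:804): arch=c000003e syscall=257 success=no exit=-13'

# avc_to_rules DOMAIN
# Reads audit records on stdin and prints one allow rule per (target type,
# class) for denials whose source type is DOMAIN, merging the permissions.
# On a live host the input would come from:  ausearch -m AVC -ts recent
# If an access is blocked but nothing is logged, a dontaudit rule may be hiding
# it: `semodule -DB` disables dontaudit rules, `semodule -B` restores them.
avc_to_rules() {
    awk -v dom="$1" '
    /^type=AVC / && /avc: +denied/ {
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level, so the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s != dom) next
        if (!((t, c) in order)) { order[t, c] = ++n; key[n] = t SUBSEP c }
        # Permissions are the fields between "{" and "}".
        inb = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") break
            if (inb && !seen[t, c, $i]++) perms[t, c] = perms[t, c] " " $i
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            split(key[k], p, SUBSEP)
            printf "allow %s %s:%s {%s };\n", dom, p[1], p[2], perms[key[k]]
        }
    }'
}

# Print the rules for the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules dovecot_auth_t
```

Records carrying permissive=1 come from a domain set with semanage permissive -a; once the resulting rules are loaded as a module, semanage permissive -d dovecot_auth_t returns the domain to enforcing.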
