Dovecot SELinux MailDir permission denied

Question

I have dovecot installed on CentOS 7.1. In the past, I have often just disabled SELinux, but now I want to have a server with SELinux that works for me. Anyhow, I have mail stored in /home/USER/Maildir, and for reasons I don't understand I get the following error:

Jul 25 22:32:03 server dovecot: imap(dean): Error: open(/home/dean/Maildir/dovecot.index.log) failed: Permission denied (euid=1000(dean) egid=1000(dean) missing +r perm: /home/dean/Maildir/dovecot.index.log stat(/home/dean/Maildir/dovecot.index.log) failed: Permission denied)
Jul 25 22:32:03 server dovecot: imap(dean): Error: file_dotlock_create(/home/dean/Maildir/dovecot-uidlist) failed: Permission denied (euid=1000(dean) egid=1000(dean) missing +w perm: /home/dean/Maildir, UNIX perms appear ok (ACL/MAC wrong?))

I checked SELinux using:

grep -i AVC /var/log/audit/audit.log

And found:

 avc:  denied  { read write } for  pid=13443 comm="imap" name="dovecot-uidlist" dev="dm-2" ino=1051352 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file 
type=AVC msg=audit(1437859923.579:147270): avc:  denied  { read } for  pid=13443 comm="imap" name="dovecot-uidlist" dev="dm-2" ino=1051352 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file 
type=AVC msg=audit(1437860132.705:147592): avc:  denied  { read append } for  pid=13630 comm="imap" name="dovecot.index.log" dev="dm-2" ino=1051357 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file 
type=AVC msg=audit(1437860132.705:147593): avc:  denied  { read } for  pid=13630 comm="imap" name="dovecot.index.log" dev="dm-2" ino=1051357 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file 
type=AVC msg=audit(1437860132.706:147594): avc:  denied  { read } for  pid=13630 comm="imap" name="dovecot.index.log" dev="dm-2" ino=1051357 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file 
type=AVC msg=audit(1437860132.706:147595): avc:  denied  { getattr } for  pid=13630 comm="imap" path="/home/dean/Maildir/dovecot.index.log" dev="dm-2" ino=1051357 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file 
type=AVC msg=audit(1437860132.707:147596): avc:  denied  { write } for  pid=13630 comm="imap" name="Maildir" dev="dm-2" ino=1048660 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir 
type=AVC msg=audit(1437860132.707:147597): avc:  denied  { write } for  pid=13630 comm="imap" name="Maildir" dev="dm-2" ino=1048660 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir 
type=AVC msg=audit(1437860132.707:147598): avc:  denied  { read write } for  pid=13630 comm="imap" name="dovecot-uidlist" dev="dm-2" ino=1051352 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file 
type=AVC msg=audit(1437860132.707:147599): avc:  denied  { read } for  pid=13630 comm="imap" name="dovecot-uidlist" dev="dm-2" ino=1051352 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

I really do not know how to proceed to sort this. I do want to have SELinux, but I haven't found a solution to this. Can someone help?

Answer 1

The first thing to point out is that the solution is not to disable SELinux but to work with it.

There are tools that you can use to determine wat you need to do and the good news is that they are much improved in CentOS 7.1 compared to their earlier versions.

First run audit2why on the AVC messages you have gathered

audit2why <FileContainingMessages

If things go well, it will provide you with a list of the denied messages and what you need to do to resolve them.

If that doesn't give you a direct answer it will likely point you at audit2allow.

In your particular case I'm fairly sure that audir2why will provide you with a suitable answer.