
On an OpenSUSE Tumbleweed host, updated this morning. After the update and a reboot, every attempt to start dovecot fails with `Can't open log file /var/log/dovecot: Permission denied`.

`cat /etc/os-release` includes `VERSION_ID="20180314"`; `/usr/sbin/dovecot --version` yields `2.3.0.1 (ffd8a29)`.

Dovecot packages currently installed start with dovecot-2.3-1.1 and dovecot23-2.3.0.1-2.1. I'm not sure what version was installed before the update, but it could not have been more than a week old. The update did not generate any .rpmnew or similar files.

Nothing in /etc/dovecot has changed in more than a year, and this problem is new today.

The non-comment lines from /etc/dovecot/conf.d/10-logging.conf:

    log_path = /var/log/dovecot
    auth_verbose = yes
    auth_verbose_passwords = no
    auth_debug = no
    auth_debug_passwords = no
    mail_debug = yes
    plugin {
    }
    log_timestamp = "%Y-%m%b-%d%a.%H-%M-%S.%Z"

  • I've relaxed permissions on /var/log/dovecot* to 777
  • I've relaxed permissions on /var/log to 775
  • I've disabled SELinux with `setenforce 0`
  • I've disabled apparmor with `service apparmor stop` (and confirmed with `service apparmor status`)
  • I've tried changing ownership of /var/log/dovecot* to mail and dovecot
  • I've renamed /var/log/dovecot to /var/log/dovecot.old

Output of `ls -al /var/log/dovecot*`:

    -rwxrwxrwx 1 root root       10666 Aug 16  2016 /var/log/dovecot.debug
    -rwxrwxrwx 1 root root        1483 Aug 16  2016 /var/log/dovecot.info
    -rwxrwxrwx 1 root root 34118709509 Mar 17 12:28 /var/log/dovecot.old

The volume is not full (64%).

Why is dovecot denied permission to open its log, and how do I grant it?

ShadSterling
  • 33 GB of logs? Do you ever think about log rotation? Try to `touch /var/log/dovecot && service dovecot restart` – Kondybas Mar 17 '18 at 18:50
  • Yeah, I'll fix that as soon as I get dovecot to run at all again. `/var/log/dovecot` was created with mode `600`, and `service dovecot restart` failed again. Changing it to `777` didn't help. – ShadSterling Mar 17 '18 at 18:56
  • Do not rely on the config files as they can be overridden later. Actual config can be extracted by `doveconf -n` (non-default values) or `doveconf -a` (full actual config) – Kondybas Mar 17 '18 at 19:01
  • `doveconf -n` shows the same `log_path` and `log_timestamp`, omits the others from `10-logging.conf`. Are there other settings that need to be checked? – ShadSterling Mar 17 '18 at 19:06
  • Perhaps /var/log/dovecot should now be a directory owned by dovecot? Dovecot probably fails to create files in /var/log. – Gerard H. Pille Mar 18 '18 at 03:39
  • If I make it a directory, dovecot fails with `Can't open log file /var/log/dovecot: Is a directory` – ShadSterling Mar 18 '18 at 04:44
  • The problem may not be limited to dovecot; it briefly affected Exim as well, but now it's back to only affecting Dovecot – ShadSterling Mar 18 '18 at 04:45
  • Do you need a "doveadm log reopen" on openSuse? – Gerard H. Pille Mar 18 '18 at 07:19
  • @GerardH.Pille Apparently I do. Care to make that an answer? How could I have found that myself? – ShadSterling Mar 18 '18 at 15:15
  • ... No, that's not enough. I tried to restart it again, got the same failure, and now `doveadm log reopen` fails with `Fatal: Dovecot is not running (read from /var/run/dovecot/master.pid)` – ShadSterling Mar 18 '18 at 15:37
  • Starting to look like it might be apparmor; like even if the apparmor service isn't running, if it's been started since a reboot, after some delay after apparmor is started, even if it's been stopped since, dovecot fails with that error. – ShadSterling Mar 18 '18 at 16:33
  • 1
    Looks like the apparmor profile for dovecot disallows /var/log/dovecot, perhaps under the assumption that dovecot will use syslog. But when I configure dovecot to use syslog, nothing is logged. – ShadSterling Mar 18 '18 at 17:32
  • I don't know apparmor, or selinux (if they are related). Configure dovecot for syslog, start it and run doveadm again to get info about the logging. – Gerard H. Pille Mar 18 '18 at 18:15
  • You mean like information from `doveadm log find`, which was `Looking for log files from /var/log Debug: Not found Info: Not found Warning: Not found Error: Not found Fatal: Not found`? – ShadSterling Mar 18 '18 at 18:39
  • That was indeed what I wanted to see, apart from the results. :-( Something I forgot, I just verified to see if openSuse had also fallen for systemd, and indeed it has. Does "systemctl status dovecot" or "journalctl -u dovecot" give us something to work with? – Gerard H. Pille Mar 18 '18 at 20:08
  • 1
    Same problem here. The issue has been reported ([Bug 1087753](https://bugzilla.opensuse.org/show_bug.cgi?id=1087753)) on the openSUSE Bugzilla. I also think it may be a problem with AppArmor, as there was a similar problem a while back—see [Bug 1069470](https://bugzilla.opensuse.org/show_bug.cgi?id=1069470). – Psychonaut Apr 02 '18 at 12:44

1 Answer

It looks like OpenSUSE updated the default apparmor profile for dovecot to one that prevents it from functioning in several ways. Preventing it from logging outside of syslog appears to be intentional, but that's not clearly the case with the others.

To restore functionality, I had to add permissions in several files in /etc/apparmor.d/local/:

  • usr.lib.dovecot.auth

        /run/dovecot/old-stats-user w,
    
  • usr.lib.dovecot.config

        /var/lib/dovecot/ssl-parameters.dat r,
        capability dac_read_search,
    
  • usr.lib.dovecot.log

        /var/log/dovecot w,
    
  • usr.sbin.dovecot

        /usr/lib/dovecot/stats ix,
        /var/log/dovecot w,
    

The `w` permission is needed for logs because AppArmor denies `ac`, and as far as I can tell there's no way to allow permission for `c` alone. I couldn't find any indication that there exists documentation with a list of open permissions, so there may be another way to allow "create and append" other than `w`.

I used the `ix` permission for stats rather than `Px` because there is no `/etc/apparmor.d/usr.lib.dovecot.stats` that would include a corresponding file in `/etc/apparmor.d/local`, and I thought it better to confine my edits to `local`.

All of this has been noted in OpenSUSE Bug #1087753, linked in @Psychonaut's comment on the question; it's possible OpenSUSE will improve the defaults in a future update.

None of this addresses the problem that logging to syslog doesn't work, but the above changes do seem to have dovecot functioning normally again.

ShadSterling
  • The update to apparmor 3.0.1 broke this again, but this time changing `/etc/dovecot/conf.d/10-logging.conf` to set `log_path = syslog` works; syslog wasn't working with dovecot when I first posted this, now logs are accessible with `journalctl -u dovecot` – ShadSterling Dec 14 '20 at 06:22
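The question and the answer above both come down to reading AppArmor's audit trail: the "Permission denied" with mode 777 on the file, the failure that persisted after `service apparmor stop` (stopping the service does not unload profiles already in the kernel; `aa-status` shows what is still loaded), and the four rules that ended up in `/etc/apparmor.d/local/`. The script below is an added example, not code from the original post or from openSUSE's dovecot packaging. It reads kernel audit lines of the kind `journalctl -k` or `dmesg` emit, keeps only `apparmor="DENIED"` records, and turns each one into a candidate rule keyed by the `local/` file it belongs in. The sample denial lines are constructed for the example, and the profile names (`/usr/lib/dovecot/log` and so on) and the path-to-filename mapping are assumptions about how the openSUSE profiles are named; check them against `aa-status` on your own host. The `ix` choice for exec denials follows the answer; `Px` is the alternative when a separate profile for the child exists.

```shell
#!/bin/sh
# Added example (not from the original post): turn AppArmor DENIED audit lines
# into candidate rules for /etc/apparmor.d/local/<profile>.
set -eu

# Pull key="value" out of an audit line; prints nothing if the key is absent.
# The leading space in the pattern keeps 'name=' from matching 'capname='.
aa_field() {
    key=$1
    line=$2
    printf '%s\n' "$line" | sed -n "s/.* $key=\"\([^\"]*\)\".*/\1/p"
}

# Map a denied_mask to a rule permission. Audit lines report 'c' (create) and
# 'd' (delete), but rules have no such letters: both are covered by 'w'.
aa_mask_to_perm() {
    mask=${1-}
    perm=""
    case $mask in *r*) perm="${perm}r" ;; esac
    case $mask in *[wacd]*) perm="${perm}w" ;; esac
    case $mask in *k*) perm="${perm}k" ;; esac
    case $mask in *m*) perm="${perm}m" ;; esac
    case $mask in *x*) perm="${perm}ix" ;; esac   # answer used ix; Px if a child profile exists
    printf '%s' "$perm"
}

# Read audit lines on stdin, print "<local-file><TAB><rule>" sorted and deduplicated.
aa_suggest_rules() {
    while IFS= read -r line; do
        case $line in *'apparmor="DENIED"'*) ;; *) continue ;; esac
        op=$(aa_field operation "$line")
        profile=$(aa_field profile "$line")
        # Assumed convention: profile /usr/lib/dovecot/log -> local file usr.lib.dovecot.log
        localfile=$(printf '%s' "$profile" | sed 's|^/||; s|/|.|g')
        if [ "$op" = capable ]; then
            rule="capability $(aa_field capname "$line"),"
        else
            name=$(aa_field name "$line")
            mask=$(aa_field denied_mask "$line")
            rule="$name $(aa_mask_to_perm "$mask"),"
        fi
        printf '%s\t%s\n' "$localfile" "$rule"
    done | LC_ALL=C sort -u
}

# Constructed sample audit lines in the kernel's AppArmor format; the last one
# is not a denial and must be ignored.
SAMPLE_DENIALS='kernel: audit: type=1400 audit(1521304000.100:101): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/log" name="/var/log/dovecot" pid=1201 comm="log" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1521304000.200:102): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/var/lib/dovecot/ssl-parameters.dat" pid=1202 comm="config" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1521304000.300:103): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=1202 comm="config" capability=2  capname="dac_read_search"
kernel: audit: type=1400 audit(1521304000.400:104): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=1200 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1521304000.500:105): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/auth" name="/etc/passwd" pid=1203 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Stand-alone run: print the suggested rules for the constructed sample.
printf '%s\n' "$SAMPLE_DENIALS" | aa_suggest_rules
```

On a live host, feed it real records with `journalctl -k | grep 'apparmor="DENIED"' | aa_suggest_rules`, append each rule to the named file under `/etc/apparmor.d/local/`, and reload the parent profile with `apparmor_parser -r /etc/apparmor.d/usr.lib.dovecot.log` (and likewise for the others) rather than restarting the apparmor service. `aa-logprof` does the same job interactively and also knows the exec-mode choices; the point of spelling it out here is to show which fields in the audit line carry the profile, the path and the denied mask, so a denial that survives `chmod 777` is recognised for what it is.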