Description of problem:
Starting the dovecot service on rawhide results in failed status with the following errors:

Fatal: Dovecot is already running? Socket already exists: /var/run/dovecot/login/ipc-proxy
master: Fatal: Dovecot is already running? Socket already exists: /var/run/dovecot/login/ipc-proxy

Version-Release number of selected component (if applicable):
# rpm -qa dovecot
dovecot-2.2.33.2-3.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. dnf install dovecot
2. systemctl start dovecot
3.

Actual results:
# systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2018-03-26 14:17:28 EDT; 10min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 21914 ExecStart=/usr/sbin/dovecot (code=exited, status=89)
  Process: 21908 ExecStartPre=/usr/libexec/dovecot/prestartscript (code=exited, status=0/SUCCESS)

Mar 26 14:17:28 qeos-40.lab.eng.rdu2.redhat.com systemd[1]: Starting Dovecot IMAP/POP3 email server...
Mar 26 14:17:28 qeos-40.lab.eng.rdu2.redhat.com dovecot[21914]: Fatal: Dovecot is already running? Socket already exists: /var/run/dovecot/login/ipc-proxy
Mar 26 14:17:28 qeos-40.lab.eng.rdu2.redhat.com dovecot[21914]: master: Fatal: Dovecot is already running? Socket already exists: /var/run/dovecot/login/ipc-proxy
Mar 26 14:17:28 qeos-40.lab.eng.rdu2.redhat.com systemd[1]: dovecot.service: Control process exited, code=exited status=89
Mar 26 14:17:28 qeos-40.lab.eng.rdu2.redhat.com systemd[1]: dovecot.service: Failed with result 'exit-code'.
Mar 26 14:17:28 qeos-40.lab.eng.rdu2.redhat.com systemd[1]: Failed to start Dovecot IMAP/POP3 email server.

Expected results:
dovecot starts without errors

Additional info:
The problem seems to be related to SELinux.

Mar 27 10:41:40 localhost.localdomain audit[19283]: AVC avc: denied { dac_override } for pid=19283 comm="dovecot" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0>
Mar 27 10:41:40 localhost.localdomain dovecot[19283]: Fatal: Dovecot is already running? Socket already exists: /var/run/dovecot/login/ipc-proxy
Mar 27 10:41:40 localhost.localdomain dovecot[19283]: master: Fatal: Dovecot is already running? Socket already exists: /var/run/dovecot/login/ipc-proxy
Mar 27 10:41:40 localhost.localdomain systemd[1]: dovecot.service: Control process exited, code=exited status=89
Mar 27 10:41:40 localhost.localdomain systemd[1]: dovecot.service: Failed with result 'exit-code'.
Mar 27 10:41:40 localhost.localdomain systemd[1]: Failed to start Dovecot IMAP/POP3 email server.
-- Subject: Unit dovecot.service has failed

# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1522147124.529:381): avc: denied { dac_override } for pid=17826 comm="dovecot" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0

And my guess is that it is related to BZ#1508960
Same here. Stopped working after upgrading from F27.
As a workaround, I have added the following local SELinux policy:

# cat dovecot-local.cil
(typeattributeset cil_gen_require dovecot_auth_t)
(typeattributeset cil_gen_require dovecot_t)
(typeattributeset cil_gen_require init_t)
(allow dovecot_auth_t init_t (dbus (send_msg)))
(allow dovecot_t self (capability (dac_override)))
I have dovecot configured as auth agent for postfix:

# cat /etc/dovecot/conf.d/10-master-local.conf
service imap-login {
  inet_listener imap {
    port=0
  }
}
service auth {
  unix_listener auth-userdb {
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

In my case, the AVC denials are:

type=AVC msg=audit(1525288703.471:253): avc: denied { dac_override } for pid=1404 comm="dovecot" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0

and the dovecot errors:

May 02 21:18:23 localhost.localdomain systemd[1]: Starting Dovecot IMAP/POP3 email server...
May 02 21:18:23 localhost.localdomain dovecot[1404]: Error: bind(/var/spool/postfix/private/auth) failed: Permission denied
May 02 21:18:23 localhost.localdomain dovecot[1404]: master: Error: bind(/var/spool/postfix/private/auth) failed: Permission denied
May 02 21:18:23 localhost.localdomain dovecot[1404]: Error: service(auth): net_listen_unix(/var/spool/postfix/private/auth) failed: Permission denied
May 02 21:18:23 localhost.localdomain dovecot[1404]: master: Error: service(auth): net_listen_unix(/var/spool/postfix/private/auth) failed: Permission denied
May 02 21:18:23 localhost.localdomain dovecot[1404]: Fatal: Failed to start listeners
May 02 21:18:23 localhost.localdomain dovecot[1404]: master: Fatal: Failed to start listeners
May 02 21:18:23 localhost.localdomain systemd[1]: dovecot.service: Control process exited, code=exited status=89
May 02 21:18:23 localhost.localdomain systemd[1]: dovecot.service: Failed with result 'exit-code'.
May 02 21:18:23 localhost.localdomain systemd[1]: Failed to start Dovecot IMAP/POP3 email server.
Milos,
Could you look at this BZ please? It's the same story with DAC_OVERRIDE.
Thanks,
Lukas.
*** Bug 1568510 has been marked as a duplicate of this bug. ***
Hi,
This is more an issue on the dovecot side than SELinux; the problem here is that the dovecot process is owned by root:root. The socket /var/run/dovecot/login/ipc-proxy is owned by dovenull:root, and SELinux requires proper permissions on the filesystem even if root could bypass all permissions. The kernel uses 'group' to check permissions and the mode is 600, and the process is trying to access this socket, so it should be changed.
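The DAC check described in the comment above, as an added example that is not part of the original report or of Dovecot's or the SELinux policy's own code: it parses the AVC record quoted from audit.log and models the owner/group/other selection that leaves a root:root process needing CAP_DAC_OVERRIDE for a dovenull:root socket with mode 600. DOVENULL_UID, the requested read/write access and the 0660 contrast case are assumptions made for illustration.

```python
import re

R, W = 4, 2  # permission bits inside one rwx triplet

# AVC record copied from the audit.log excerpt in this report.
SAMPLE_AVC = ('type=AVC msg=audit(1522147124.529:381): avc: denied { dac_override } '
              'for pid=17826 comm="dovecot" capability=1 '
              'scontext=system_u:system_r:dovecot_t:s0 '
              'tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0')

DOVENULL_UID = 9001  # constructed placeholder, not the real dovenull UID


def parse_avc(line):
    """Extract the denied permissions and key fields from one AVC record."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {"perms": m.group(1).split(),
            "comm": fields.get("comm", "").strip('"'),
            "scontext": fields.get("scontext"),
            "tclass": fields.get("tclass")}


def dac_class_bits(uid, gids, owner, group, mode):
    """Unix DAC applies exactly one triplet: owner, else group, else other."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def needs_dac_override(uid, gids, owner, group, mode, want):
    """True when DAC alone refuses the access, so the kernel has to consult
    CAP_DAC_OVERRIDE, which SELinux mediates as capability { dac_override }."""
    return (dac_class_bits(uid, gids, owner, group, mode) & want) != want


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(avc["comm"], avc["tclass"], avc["perms"])
    # root:root process vs. socket dovenull:root mode 600 (assumed read/write access)
    print("0600:", needs_dac_override(0, {0}, DOVENULL_UID, 0, 0o600, R | W))
    # Contrast case (assumption): group-accessible mode passes without the capability
    print("0660:", needs_dac_override(0, {0}, DOVENULL_UID, 0, 0o660, R | W))
```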
*** This bug has been marked as a duplicate of bug 1578872 ***