Created attachment 1441897: /etc/dovecot.conf config file

Description of problem:
Hello, I have a rather standard dovecot config (attached) that ran fine under F27, but after upgrading to F28 I received an SELinux error when starting the service:

----
time->Sat May 26 13:21:20 2018
type=AVC msg=audit(1527340880.376:524): avc: denied { dac_override } for pid=3429 comm="dovecot" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
----
time->Sat May 26 13:21:20 2018
type=AVC msg=audit(1527340880.377:525): avc: denied { dac_override } for pid=3429 comm="dovecot" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0

The corresponding journal entries for dovecot:

May 26 13:21:20 server.com systemd[1]: Starting Dovecot IMAP/POP3 email server...
May 26 13:21:20 server.com dovecot[3429]: Error: bind(/var/spool/postfix/private/dovecot-lmtp) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: Error: service(lmtp): net_listen_unix(/var/spool/postfix/private/dovecot-lmtp) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: master: Error: bind(/var/spool/postfix/private/dovecot-lmtp) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: Error: bind(/var/spool/postfix/private/auth) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: Error: service(auth): net_listen_unix(/var/spool/postfix/private/auth) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: Fatal: Failed to start listeners
May 26 13:21:20 server.com dovecot[3429]: master: Error: service(lmtp): net_listen_unix(/var/spool/postfix/private/dovecot-lmtp) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: master: Error: bind(/var/spool/postfix/private/auth) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: master: Error: service(auth): net_listen_unix(/var/spool/postfix/private/auth) failed: Permission denied
May 26 13:21:20 server.com dovecot[3429]: master: Fatal: Failed to start listeners
May 26 13:21:20 server.com systemd[1]: dovecot.service: Control process exited, code=exited status=89
May 26 13:21:20 server.com systemd[1]: dovecot.service: Failed with result 'exit-code'.
May 26 13:21:20 server.com systemd[1]: Failed to start Dovecot IMAP/POP3 email server.

I was able to fix the problem by creating the following SELinux module:

-------
module dovecot_selfcapability_dacOverride 1.0;

require {
	type dovecot_t;
	class capability dac_override;
}

#============= dovecot_t ==============
allow dovecot_t self:capability dac_override;
-------

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-29.fc28.noarch
selinux-policy-targeted-3.14.1-29.fc28.noarch
dovecot-2.2.35-2.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Try to start dovecot using the default config or the one attached to this report

Actual results:
SELinux error

Expected results:
Service starts

Additional info:
Same error here using cyrus deliver (which is a cyrus-imap process): it cannot connect to /var/lib/imap/socket/lmtp since the last update. Allowing dac_override fixes it (also with a problem accessing /proc/<pid> files).

module MyCyrus 1.0;

require {
	type init_t;
	type cyrus_t;
	class capability dac_override;
	class file { open read };
}

#============= cyrus_t ==============
allow cyrus_t init_t:file { open read };
allow cyrus_t self:capability dac_override;

Version-Release number of selected component:
selinux-policy-3.14.1-25.fc28.noarch
selinux-policy-targeted-3.14.1-25.fc28.noarch
cyrus-imapd-3.0.5-7.fc28.x86_64
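Both comments above hand-wrote the rule that audit2allow would derive from such denials. As an added example (not from either reporter), the script below rebuilds those allow rules from the dovecot AVC lines quoted in the report plus one constructed cyrus line in the same format, and separately lists which processes hit dac_override, since that capability only matters when the process is touching a path whose owner and mode do not already grant it access.

```shell
#!/bin/sh
# Constructed sample input: the two dovecot AVC lines quoted in the report,
# plus one hypothetical line in the same format for the cyrus comment,
# which did not include its AVC output.
AVC_SAMPLE='type=AVC msg=audit(1527340880.376:524): avc:  denied  { dac_override } for  pid=3429 comm="dovecot" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1527340880.377:525): avc:  denied  { dac_override } for  pid=3429 comm="dovecot" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1527340900.000:600): avc:  denied  { open read } for  pid=4000 comm="deliver" scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0'

# avc_to_allow: read AVC denial lines on stdin and print one allow rule per
# (source type, target type, class), merging repeated permissions; this is
# the rule body audit2allow derives for a minimal local module.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        s = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", s); sub(/:.*/, "", s)
        t = $0; sub(/.*tcontext=[^:]*:[^:]*:/, "", t); sub(/:.*/, "", t)
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        key = s " " ((s == t) ? "self" : t) ":" c   # "self" when source == target
        if (!(key in plist)) { order[++n] = key; plist[key] = "" }
        cnt = split(perms, p, " ")
        for (i = 1; i <= cnt; i++)
            if (index(" " plist[key] " ", " " p[i] " ") == 0)
                plist[key] = plist[key] (plist[key] == "" ? "" : " ") p[i]
    }
    END {
        for (i = 1; i <= n; i++) {
            pl = plist[order[i]]
            if (index(pl, " ")) pl = "{ " pl " }"   # several perms get braces
            print "allow " order[i] " " pl ";"
        }
    }'
}

# dac_override_procs: print "comm source_type" for each dac_override denial.
# CAP_DAC_OVERRIDE is only consulted when a process tries to use a path whose
# owner and mode do not grant it access, so every process listed here points
# at a path whose ownership is worth checking before the capability is allowed.
dac_override_procs() {
    awk '/avc: +denied +[{] *dac_override/ {
        cm = $0; sub(/.*comm="/, "", cm); sub(/".*/, "", cm)
        s = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", s); sub(/:.*/, "", s)
        print cm, s
    }' | sort -u
}

printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
printf '%s\n' "$AVC_SAMPLE" | dac_override_procs
```

On a live system the same functions can be fed with `ausearch -m avc -ts recent` instead of the constructed sample.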
*** This bug has been marked as a duplicate of bug 1578872 ***