Linux – Dovecot can’t open log after upgrade

Tags: dovecot, file-permissions, linux, opensuse

On an OpenSUSE Tumbleweed host, updated this morning: after the update and a reboot, every attempt to start dovecot fails with "Can't open log file /var/log/dovecot: Permission denied".

cat /etc/os-release includes VERSION_ID="20180314"
/usr/sbin/dovecot --version yields 2.3.0.1 (ffd8a29)

Dovecot packages currently installed start with dovecot-2.3-1.1 and dovecot23-2.3.0.1-2.1. I'm not sure what version was installed before the update, but it could not have been more than a week old. The update did not generate any .rpmnew or similar files.

Nothing in /etc/dovecot has changed in more than a year, and this problem is new today.

The non-comment lines from /etc/dovecot/conf.d/10-logging.conf:

log_path = /var/log/dovecot
auth_verbose = yes
auth_verbose_passwords = no
auth_debug = no
auth_debug_passwords = no
mail_debug = yes
plugin {
}
log_timestamp = "%Y-%m%b-%d%a.%H-%M-%S.%Z"

  • I've relaxed permissions on /var/log/dovecot* to 777
  • I've relaxed permissions on /var/log to 775
  • I've disabled SELinux with setenforce 0
  • I've disabled apparmor with service apparmor stop (and confirmed with service apparmor status)
  • I've tried changing ownership of /var/log/dovecot* to mail and dovecot
  • I've renamed /var/log/dovecot to /var/log/dovecot.old

Output of ls -al /var/log/dovecot*:

-rwxrwxrwx 1 root root       10666 Aug 16  2016 /var/log/dovecot.debug
-rwxrwxrwx 1 root root        1483 Aug 16  2016 /var/log/dovecot.info
-rwxrwxrwx 1 root root 34118709509 Mar 17 12:28 /var/log/dovecot.old

The volume is not full (64%).

Why is dovecot denied permission to open its log, and how do I grant it?

Best Answer

It looks like OpenSUSE updated the default apparmor profile for dovecot to one that prevents it from functioning in several ways. Preventing it from logging outside of syslog appears to be intentional, but that's not clearly the case with the others.

To restore functionality, I had to add permissions in several files in /etc/apparmor.d/local/:

  • usr.lib.dovecot.auth

        /run/dovecot/old-stats-user w,

  • usr.lib.dovecot.config

        /var/lib/dovecot/ssl-parameters.dat r,
        capability dac_read_search,

  • usr.lib.dovecot.log

        /var/log/dovecot w,

  • usr.sbin.dovecot

        /usr/lib/dovecot/stats ix,
        /var/log/dovecot w,

The w permission is needed for logs because apparmor denies ac and as far as I can tell there's no way to allow permission for c. I couldn't find any indication that there exists documentation with a list of open permissions, so there may be another way to allow "create and append" other than w.

I used the ix permission for stats rather than Px because there is no apparmor.d/usr.lib.dovecot.stats profile to include a corresponding file in /etc/apparmor.d/local, and I thought it better to confine my edits to local.

All of this has been noted in OpenSUSE Bug #1087753, linked in @Psychonaut's comment on the question; it's possible OpenSUSE will improve the defaults in a future update.

None of this addresses the problem that logging to syslog doesn't work, but the above changes do seem to have dovecot functioning normally again.
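As an added example (not code from the answer above or from openSUSE), here is a small parser that turns AppArmor denial lines, in the format they appear in the audit log, into candidate rules for the matching override file under /etc/apparmor.d/local/, using the same mask mapping the answer settled on (a/c collapsed to w, exec to ix). The four log lines are constructed for this example; the field names are the real AppArmor audit fields, but the pids, timestamps and line order are made up.

```python
import re
from typing import Dict, List

# Constructed sample denials in the format AppArmor writes to the audit log
# (field names are the real ones; pids and timestamps are made up here).
SAMPLE_DENIALS = """
type=AVC msg=audit(1521280000.100:101): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/log" name="/var/log/dovecot" pid=1201 comm="log" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
type=AVC msg=audit(1521280000.101:102): apparmor="DENIED" operation="capable" profile="/usr/lib/dovecot/config" pid=1202 comm="config" capability=2 capname="dac_read_search"
type=AVC msg=audit(1521280000.102:103): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/stats" pid=1203 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1521280000.103:104): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/run/dovecot/old-stats-user" pid=1204 comm="auth" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_denial(line: str) -> Dict[str, str]:
    """Return the key="value" fields of one audit line as a dict."""
    return dict(FIELD_RE.findall(line))

def local_file_for(profile: str) -> str:
    """/usr/lib/dovecot/log -> /etc/apparmor.d/local/usr.lib.dovecot.log"""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")

def rule_for(fields: Dict[str, str]) -> str:
    """Suggest one rule for a denial. Masks containing append/create (a/c)
    collapse to 'w', as the answer does, since bare 'c' cannot be granted;
    an exec denial becomes 'ix', the answer's choice for dovecot/stats."""
    if fields.get("operation") == "capable":
        return f'capability {fields["capname"]},'
    mask = fields.get("denied_mask", "")
    if "x" in mask:
        perm = "ix"
    else:
        perm = "w" if any(c in mask for c in "wac") else "r"
    return f'{fields["name"]} {perm},'

def suggest_rules(log_text: str) -> Dict[str, List[str]]:
    """Group suggested rules by override file, de-duplicated, in log order."""
    out: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f.get("apparmor") != "DENIED":
            continue
        rules = out.setdefault(local_file_for(f["profile"]), [])
        if (rule := rule_for(f)) not in rules:
            rules.append(rule)
    return out

if __name__ == "__main__":
    for path, rules in suggest_rules(SAMPLE_DENIALS).items():
        print(f"# {path}\n    " + "\n    ".join(rules))
```

Treat the output as a starting point to review, not something to append blindly: a rule that widens a profile should be checked against what the service actually needs before it goes into the local file.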