On an OpenSUSE Tumbleweed host, updated this morning. After the update and a reboot, every attempt to start dovecot fails with "Can't open log file /var/log/dovecot: Permission denied".

cat /etc/os-release includes VERSION_ID="20180314"

/usr/sbin/dovecot --version yields 2.3.0.1 (ffd8a29)

Dovecot packages currently installed start with dovecot-2.3-1.1 and dovecot23-2.3.0.1-2.1. I'm not sure what version was installed before the update, but it could not have been more than a week old. The update did not generate any .rpmnew or similar files.

Nothing in /etc/dovecot has changed in more than a year, and this problem is new today.

The non-comment lines from /etc/dovecot/conf.d/10-logging.conf:
log_path = /var/log/dovecot
auth_verbose = yes
auth_verbose_passwords = no
auth_debug = no
auth_debug_passwords = no
mail_debug = yes
plugin {
}
log_timestamp = "%Y-%m%b-%d%a.%H-%M-%S.%Z"
- I've relaxed permissions on /var/log/dovecot* to 777
- I've relaxed permissions on /var/log to 775
- I've disabled SELinux with setenforce 0
- I've disabled apparmor with service apparmor stop (and confirmed with service apparmor status)
- I've tried changing ownership of /var/log/dovecot* to mail and dovecot
- I've renamed var/log/dovecot to var/log/dovecot.old

Output of ls -al /var/log/dovecot*:
-rwxrwxrwx 1 root root 10666 Aug 16 2016 /var/log/dovecot.debug
-rwxrwxrwx 1 root root 1483 Aug 16 2016 /var/log/dovecot.info
-rwxrwxrwx 1 root root 34118709509 Mar 17 12:28 /var/log/dovecot.old
The volume is not full (64%).
Why is dovecot denied permission to open its log, and how do I grant it?
Best Answer
It looks like OpenSUSE updated the default apparmor profile for dovecot to one that prevents it from functioning in several ways. Preventing it from logging outside of syslog appears to be intentional, but that's not clearly the case with the others.
To restore functionality, I had to add permissions in several files in /etc/apparmor.d/local/:

- usr.lib.dovecot.auth
- usr.lib.dovecot.config
- usr.lib.dovecot.log
- usr.sbin.dovecot

The w permission is needed for logs because apparmor denies ac and as far as I can tell there's no way to allow permission for c. I couldn't find any indication that there exists documentation with a list of open permissions, so there may be another way to allow "create and append" other than w.

I used the ix permission for stats rather than Px because there is no apparmor.d/user.lib.dovecot.stats to include a corresponding file in /etc/apparmor.d/local, and I thought it better to confine my edits to local.

All of this has been noted in OpenSUSE Bug #1087753, linked in @Psychonaut's comment on the question; it's possible OpenSUSE will improve the defaults in a future update.
None of this addresses the problem that logging to syslog doesn't work, but the above changes do seem to have dovecot functioning normally again.
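
One way to see which profiles are issuing the denials described in the answer, as an added example (not code from the answer or from OpenSUSE): it parses AppArmor DENIED audit records, merges the denied masks per profile and path, and proposes a rule line for the matching file under /etc/apparmor.d/local/. The log lines are constructed, and both the profile-to-filename mapping and the translation of a/c to w (following the answer) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records in the usual AppArmor format (not from the page).
SAMPLE_LOG = '''\
type=AVC msg=audit(1521300000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/dovecot" name="/var/log/dovecot" pid=2101 comm="dovecot" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
type=AVC msg=audit(1521300000.202:202): apparmor="DENIED" operation="mknod" profile="/usr/lib/dovecot/log" name="/var/log/dovecot" pid=2102 comm="log" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1521300000.303:203): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/log" name="/var/log/dovecot" pid=2102 comm="log" requested_mask="a" denied_mask="a" fsuid=0 ouid=0
type=AVC msg=audit(1521300000.404:204): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/auth" name="/etc/passwd" pid=2103 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """Yield (profile, path, denied_mask) for each DENIED file-access record."""
    for line in text.splitlines():
        f = {k: (q or bare) for k, q, bare in FIELD.findall(line)}
        if f.get("apparmor") == "DENIED" and "name" in f and "denied_mask" in f:
            yield f["profile"], f["name"], f["denied_mask"]

def local_override(profile):
    """Assumed convention: /usr/sbin/dovecot -> local/usr.sbin.dovecot."""
    return "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")

def summarize(text):
    """Map (local override file, path) -> union of denied mask letters."""
    masks = defaultdict(set)
    for profile, path, mask in parse_denials(text):
        masks[(local_override(profile), path)].update(mask)
    return {key: "".join(sorted(m)) for key, m in masks.items()}

def candidate_rules(text):
    """Return (file, rule) pairs to review; exec denials are left for manual choice."""
    rules = []
    for (local, path), mask in sorted(summarize(text).items()):
        perms = ("r" if "r" in mask else "") + ("w" if set(mask) & set("acw") else "")
        if perms:
            rules.append((local, f"{path} {perms},"))
    return rules

if __name__ == "__main__":
    for local, rule in candidate_rules(SAMPLE_LOG):
        print(f"{local}: {rule}")
```

Each proposed line still needs review before it goes into a local override, since w grants more than the append and create that were denied.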