SELinux dovecot permission denied on cert files

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: alr13cc.org

I ran this command: doveadm sudo auth test magicman@alr13cc.org

It produced this output: passdb: magicman@alr13cc.org auth failed
extra fields:
user=magicman@alr13cc.org
code=temp_fail

log message:
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 16: ssl_cert: Can't open file /etc/letsencrypt/archive/mail.alr13cc.org/fullchain1.pem: Permission denied

My web server is (include version): nginx/1.20.1

The operating system my web server runs on is (include version): Rocky Linux 9

My hosting provider, if applicable, is: Cloud Server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 4.0.0

When I set SELinux to passive the command works. I tried setting the link and archive context to:

semanage fcontext -a -u system_u -r object_r -t cert_t '/etc/letsencrypt/live/mail.alr13cc.org/fullchain.pem'
That doesn't work at all completes with error:
usage: semanage [-h]
{import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
...
semanage: error: unrecognized arguments: -u /etc/letsencrypt/live/mail.alr13cc.org/fullchain.pem
Then I used chcon:

chcon --reference /etc/pki/dovecot/certs/dovecot.pem /etc/letsencrypt/live/mail.alr13cc.org/fullchain.pem
does not work with link context is:
lrwxrwxrwx. 1 root root unconfined_u:object_r:etc_t:s0 45 Apr 22 12:11 /etc/letsencrypt/live/mail.alr13cc.org/fullchain.pem -> ../../archive/mail.alr13cc.org/fullchain1.pem
used archive version (assume doing that will mess up updates):
chcon -u system_u -r object_r -t cert_t /etc/letsencrypt/archive/mail.alr13cc.org/fullchain1.pem
sets the context I'm looking for but also does not work.

The only thing working is to set SELinux to permissive which is not an option for me.

There has go to be a way to fix this.

I know very little about SELinux, but in general it's best to not mess with the internal structure of certbot's /etc/letsencrypt directory tree. You probably want to use a --deploy-hook in certbot to run a script that run whenever a new certificate is created, to copy it to somewhere else on your system and apply whatever permissions you need to apply to it there.

I suggest you to look into the audit log, and search specifically the avc denied log entries.