On my CentOS 7 system I am trying to run dovecot with TLS required. For that, I created my private key and certificate in
[root@homeserver /]# ls -lZ indernet/cert/homeserver.*
-r--r--r--. root certuser system_u:object_r:default_t:s0 indernet/cert/homeserver.crt
-r--r-----. root certuser system_u:object_r:default_t:s0 indernet/cert/homeserver.key
[root@homeserver /]#
To make dovecot actually load the files I ensured /etc/dovecot/conf.d/10-ssl.conf contains these lines:
ssl=required
ssl_key=</indernet/cert/homeserver.key
ssl_cert=</indernet/cert/homeserver.crt
The problematic part: Dovecot cannot start up, it fails with this error:
dovecot: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 14: ssl_key: Can't open file /indernet/cert/homeserver.key: Permission denied
I tried to modify the certificate's and key's file permissions (this should not be required according to https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/), even to 777, and nothing changes. Someone suggested to me that it might be SELinux preventing the access, and I configured unconfined_u:object_r:default_t:s0 as well as system_u:object_r:default_t:s0, as you can see above. No change.
Now the surprising part: I got very curious and edited /usr/lib/systemd/system/dovecot.service to contain
ExecStart=/bin/strace /usr/sbin/dovecot
and then in /var/log/messages I could see the cert and key getting accessed and loaded. And dovecot works. But when I remove the strace again, I am left with the same problem.
What may be going on here?
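One way to check the SELinux suggestion mentioned in the question, as an added example that is not part of the original post: summarise AVC denial records for the failing command (doveconf, per the error message) to see which process domain was refused which file type. The audit records below are constructed samples, and the dovecot_t source domain and the helper names avc_denials and sample_log are assumptions, not output from the poster's system.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one command name.
# On a live system the input would come from the audit log, for example:
#   ausearch -m avc -ts recent | avc_denials doveconf

avc_denials() {  # $1 = comm value to match; audit records on stdin
    awk -v want="$1" '
    /avc:/ && /denied/ {
        comm = name = src = tgt = perms = ""
        # Permission set is the text between "{ " and " }"
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "name") name = val
            # SELinux context is user:role:type:level, keep the type
            else if (key == "scontext") { split(val, c, ":"); src = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
        }
        if (comm == want)
            printf "%s: %s denied {%s} on %s (%s)\n", comm, src, perms, name, tgt
    }'
}

# Constructed sample records (not taken from the system in the question).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1500000000.123:456): avc:  denied  { read } for  pid=1234 comm="doveconf" name="homeserver.key" dev="dm-0" ino=67 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1500000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="doveconf"
type=AVC msg=audit(1500000001.000:457): avc:  denied  { getattr } for  pid=1300 comm="otherd" name="data" dev="dm-0" ino=70 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
EOF
}

sample_log | avc_denials doveconf
```

Comparing the process domain shown by `ps -eZ` with and without the strace wrapper shows whether dovecot runs under the same SELinux domain in both cases.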