Bug 1026851 - selinux with procmail and doveadm

| Field | Value |
|---|---|
| Summary | selinux with procmail and doveadm |
| Product | Fedora |
| Component | selinux-policy |
| Version | 19 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | W Agtail <crash70> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | alanh, dominick.grift, dwalsh, lvrabec, mgrepl |
| Keywords | Reopened |
| Type | Bug |
| Doc Type | Bug Fix |
| Fixed In Version | selinux-policy-3.12.1-74.26.fc19 |
| Last Closed | 2014-06-27 02:23:07 UTC |
Description
W Agtail
2013-11-05 14:24:37 UTC
67495866261f40c83ffa292eae51e1f9f0e22879 fixes this in git.

Hello, I have updated selinux to:

    rpm -qa|grep selinux
    libselinux-python-2.1.13-15.fc19.x86_64
    selinux-policy-3.12.1-74.16.fc19.noarch
    selinux-policy-targeted-3.12.1-74.16.fc19.noarch
    libselinux-2.1.13-15.fc19.x86_64
    libselinux-2.1.13-15.fc19.i686
    libselinux-utils-2.1.13-15.fc19.x86_64

The changelog in selinux-policy mentions:

    - Allow procmail_t to connect to dovecot stream sockets

From my initial comments above, SELinux is still reporting the following (same as above):

    Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveadm from getattr access on the file /etc/dovecot/dovecot.conf.
    Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the file /etc/dovecot/dovecot.conf.
    Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the file /etc/dovecot/dovecot.conf.
    Dec 29 12:50:05 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the directory /etc/dovecot/conf.d.

The only exception from my initial comments is that SELinux no longer reports:

    SELinux is preventing /usr/bin/doveadm from write access on the sock_file auth-userdb.

Kind Regards.

Hi, any progress with this one? Thanks

There's a similar issue with Dovecot's dovecot-lda. This is the recommended method for using procmail to deliver mail to Dovecot Maildirs, in order to update indexes and message flags correctly. See http://wiki2.dovecot.org/procmail

This causes AVC denials.

audit2allow:

    #============= procmail_t ==============
    allow procmail_t dovecot_deliver_exec_t:file { read open };
    allow procmail_t dovecot_etc_t:dir read;
    allow procmail_t dovecot_etc_t:file { read getattr open };

audit2allow -R:

    require {
        type dovecot_etc_t;
        type procmail_t;
        class file { read getattr open };
        class dir read;
    }

    #============= procmail_t ==============
    allow procmail_t dovecot_etc_t:dir read;
    allow procmail_t dovecot_etc_t:file { read getattr open };
    mta_mailserver_delivery(procmail_t)

e265e07f056bd749658f1fe8951ab59cccad0a95 fixes this in git. Back ported.

selinux-policy-3.12.1-74.19.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.19.fc19

Package selinux-policy-3.12.1-74.19.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.19.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3030/selinux-policy-3.12.1-74.19.fc19
then log in and leave karma (feedback).

Hi, I have updated selinux-policy.
> rpm -q selinux-policy
selinux-policy-3.12.1-74.19.fc19.noarch
It would appear procmail requires access to the dovecot config files:
/etc/dovecot/dovecot.conf
/etc/dovecot/conf.d
/etc/dovecot/conf.d/*
Example:
SELinux is preventing /usr/bin/doveconf from read access on the directory /etc/dovecot/conf.d.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that doveconf should be allowed read access on the conf.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:procmail_t:s0
Target Context system_u:object_r:dovecot_etc_t:s0
Target Objects /etc/dovecot/conf.d [ dir ]
Source doveconf
Source Path /usr/bin/doveconf
Port <Unknown>
Host f19
Source RPM Packages dovecot-2.2.10-1.fc19.x86_64
Target RPM Packages dovecot-2.2.10-1.fc19.x86_64
Policy RPM selinux-policy-3.12.1-74.19.fc19.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name f19
Platform Linux f19 3.12.11-201.fc19.x86_64 #1 SMP Fri Feb 14 19:08:33 UTC 2014 x86_64 x86_64
Alert Count 9
First Seen 2014-03-14 07:19:27 GMT
Last Seen 2014-03-15 09:01:10 GMT
Local ID 241029c0-4788-4980-93d1-c8634a0fc6af
Raw Audit Messages
type=AVC msg=audit(1394874070.303:11216): avc: denied { read } for pid=23061 comm="doveconf" name="conf.d" dev="md3" ino=2738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1394874070.303:11216): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7fff561f8c90 a2=90800 a3=0 items=0 ppid=23056 pid=23061 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)
Hash: doveconf,procmail_t,dovecot_etc_t,dir,read
Could selinux-policy be updated to accommodate this?
Thanks
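The raw AVC record above is exactly the input that the suggested `grep ... | audit2allow -M mypol` reduces to `allow` rules. To make the mapping from audit record to policy rule concrete, here is a small audit2allow-style reducer. It is an added example, not code from this bug report, from setroubleshoot or from the selinux-policy project; the first AVC line is the one quoted in the bug, while the dovecot.conf denial and the "granted" record in the sample log are constructed for the demo, and the module name `mypol` follows the setroubleshoot suggestion.

```python
"""audit2allow-style reducer for SELinux AVC denials (added example, not the
bug's or the selinux-policy project's own code)."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample input. Line 1 is the AVC record quoted in the bug; the
# dovecot.conf denial and the "granted" record are made up for this demo.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1394874070.303:11216): avc:  denied  { read } for  pid=23061 comm="doveconf" name="conf.d" dev="md3" ino=2738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1394874070.303:11216): arch=x86_64 syscall=openat success=no exit=EACCES comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0
type=AVC msg=audit(1394874071.000:11217): avc:  denied  { read getattr open } for  pid=23062 comm="doveconf" name="dovecot.conf" dev="md3" ino=2740 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=AVC msg=audit(1394874072.000:11218): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# One AVC record: decision, permission set, and the source/target contexts.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context.
    Works for MLS ranges such as s0-s0:c0.c1023 because only index 2 is used."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]


def parse_denials(audit_text: str) -> list[dict]:
    """One dict per AVC *denial*; SYSCALL lines and 'granted' AVCs are skipped."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if not m or m["decision"] != "denied":
            continue
        denials.append({
            "stype": type_of(m["scontext"]),
            "ttype": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
        })
    return denials


def aggregate(denials: list[dict]) -> dict[tuple[str, str, str], set[str]]:
    """Merge permissions per (source type, target type, object class)."""
    rules: dict[tuple[str, str, str], set[str]] = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def fmt_perms(perms) -> str:
    """Single permission bare, several in braces, sorted for stable output."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module_name: str, rules: dict[tuple[str, str, str], set[str]]) -> str:
    """Render loadable-module .te source (the shape `audit2allow -M` writes)."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes: dict[str, set[str]] = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, cls), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te("mypol", aggregate(parse_denials(SAMPLE_AUDIT_LOG))), end="")
```

Two caveats that the setroubleshoot text glosses over: a module built this way grants the merged permissions to every process running as `procmail_t`, not just the doveconf child, and it encodes raw type names rather than the policy interface (`mta_mailserver_delivery(procmail_t)` in the `audit2allow -R` output above) that the distribution fix used. After updating selinux-policy, `sesearch -A -s procmail_t -t dovecot_etc_t -c file` (from setools) shows whether the shipped policy already carries the rule, so the local module can be removed with `semodule -r mypol`.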
selinux-policy-3.12.1-74.19.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

Reopened as per comment 10. Thanks

commit 2fab7cb23d316770184f8b6e714be5d82cdf0ca3 fixes this in git. Back ported.

selinux-policy-3.12.1-74.23.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.23.fc19

Package selinux-policy-3.12.1-74.23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.23.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4216/selinux-policy-3.12.1-74.23.fc19
then log in and leave karma (feedback).

selinux-policy-3.12.1-74.26.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.26.fc19

selinux-policy-3.12.1-74.26.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.