Bug 1026851

Summary: selinux with procmail and doveadm
Product: [Fedora] Fedora
Reporter: W Agtail <crash70>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 19
CC: alanh, dominick.grift, dwalsh, lvrabec, mgrepl
Keywords: Reopened
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.12.1-74.26.fc19
Doc Type: Bug Fix
Last Closed: 2014-06-27 02:23:07 UTC
Type: Bug

Description W Agtail 2013-11-05 14:24:37 UTC
Description of problem:
SELinux is preventing doveadm from being run with procmail.

Version-Release number of selected component (if applicable):
libselinux-python-2.1.13-15.fc19.x86_64
libselinux-2.1.13-15.fc19.x86_64
libselinux-2.1.13-15.fc19.i686
selinux-policy-3.12.1-74.11.fc19.noarch
dovecot-2.2.6-1.fc19.x86_64
libselinux-utils-2.1.13-15.fc19.x86_64
procmail-3.22-32.fc19.x86_64
selinux-policy-targeted-3.12.1-74.11.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. configure /home/fred/.procmailrc for user fred with the following example:
:0
| doveadm expunge -u fred mailbox Trash savedbefore 1d

Actual results:
Interestingly, selinux notifications are only generated when selinux is set to Permissive.

The following selinux alerts are generated:
SELinux is preventing /usr/bin/doveadm from getattr access on the file /etc/dovecot/dovecot.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that doveadm should be allowed getattr access on the dovecot.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/dovecot.conf [ file ]
Source                        doveadm
Source Path                   /usr/bin/doveadm
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP
                              Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      54c4c7c5-9002-406e-a5cd-d0f1ae559875

Raw Audit Messages
type=AVC msg=audit(1383659897.894:31753): avc:  denied  { getattr } for  pid=8979 comm="doveadm" path="/etc/dovecot/dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file


type=SYSCALL msg=audit(1383659897.894:31753): arch=x86_64 syscall=stat success=yes exit=0 a0=7f1a841889f0 a1=7fff68f05310 a2=7fff68f05310 a3=0 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveadm,procmail_t,dovecot_etc_t,file,getattr

SELinux is preventing /usr/bin/doveconf from read access on the file /etc/dovecot/dovecot.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that doveconf should be allowed read access on the dovecot.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/dovecot.conf [ file ]
Source                        doveconf
Source Path                   /usr/bin/doveconf
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP
                              Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      0a08af9c-4bf7-4335-be5a-d2efe6dfe037

Raw Audit Messages
type=AVC msg=audit(1383659897.895:31754): avc:  denied  { read } for  pid=8979 comm="doveconf" name="dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file


type=AVC msg=audit(1383659897.895:31754): avc:  denied  { open } for  pid=8979 comm="doveconf" path="/etc/dovecot/dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file


type=SYSCALL msg=audit(1383659897.895:31754): arch=x86_64 syscall=open success=yes exit=ENXIO a0=7f765f11b850 a1=0 a2=7f765f113080 a3=0 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveconf,procmail_t,dovecot_etc_t,file,read

SELinux is preventing /usr/bin/doveconf from read access on the directory /etc/dovecot/conf.d.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that doveconf should be allowed read access on the conf.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/conf.d [ dir ]
Source                        doveconf
Source Path                   /usr/bin/doveconf
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP
                              Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      d0d14259-d9fb-48e5-bde3-9ee408cd3971

Raw Audit Messages
type=AVC msg=audit(1383659897.895:31755): avc:  denied  { read } for  pid=8979 comm="doveconf" name="conf.d" dev="md3" ino=2738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir


type=SYSCALL msg=audit(1383659897.895:31755): arch=x86_64 syscall=openat success=yes exit=E2BIG a0=ffffffffffffff9c a1=7ffffc01d480 a2=90800 a3=0 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveconf,procmail_t,dovecot_etc_t,dir,read

SELinux is preventing /usr/bin/doveadm from write access on the sock_file auth-userdb.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that doveadm should be allowed write access on the auth-userdb sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_var_run_t:s0
Target Objects                auth-userdb [ sock_file ]
Source                        doveadm
Source Path                   /usr/bin/doveadm
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP
                              Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      ed68f348-116f-42a4-9991-643b24140186

Raw Audit Messages
type=AVC msg=audit(1383659897.908:31756): avc:  denied  { write } for  pid=8979 comm="doveadm" name="auth-userdb" dev="tmpfs" ino=28773 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=sock_file


type=AVC msg=audit(1383659897.908:31756): avc:  denied  { connectto } for  pid=8979 comm="doveadm" path="/run/dovecot/auth-userdb" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket


type=SYSCALL msg=audit(1383659897.908:31756): arch=x86_64 syscall=connect success=yes exit=0 a0=7 a1=7fff453a0ed0 a2=6e a3=1 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveadm,procmail_t,dovecot_var_run_t,sock_file,write



Expected results:
doveadm to be called via procmailrc without any sealerts.


Additional info:


Thank you

Comment 1 Daniel Walsh 2013-11-11 19:08:16 UTC
67495866261f40c83ffa292eae51e1f9f0e22879 fixes this in git.

Comment 3 W Agtail 2013-12-29 13:30:52 UTC
Hello, I have updated selinux to:
rpm -qa|grep selinux
libselinux-python-2.1.13-15.fc19.x86_64
selinux-policy-3.12.1-74.16.fc19.noarch
selinux-policy-targeted-3.12.1-74.16.fc19.noarch
libselinux-2.1.13-15.fc19.x86_64
libselinux-2.1.13-15.fc19.i686
libselinux-utils-2.1.13-15.fc19.x86_64

The changelog in selinux-policy mentions:
- Allow procmail_t to connect to dovecot stream sockets

From my initial comments above, SELinux is still reporting the following (same as above):
Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveadm from getattr access on the file /etc/dovecot/dovecot.conf. 
Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the file /etc/dovecot/dovecot.conf. 
Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the file /etc/dovecot/dovecot.conf. 
Dec 29 12:50:05 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the directory /etc/dovecot/conf.d. 

The only exception from my initial comments, is SELinux no longer reports:
SELinux is preventing /usr/bin/doveadm from write access on the sock_file auth-userdb.

Kind Regards.

Comment 4 W Agtail 2014-02-01 20:15:05 UTC
Hi, any progress with this one? Thanks

Comment 5 Alan Hamilton 2014-02-12 18:15:14 UTC
There's a similar issue with Dovecot's dovecot-lda. This is the recommended method for using procmail to deliver mail to Dovecot Maildirs, in order to update indexes and message flags correctly. See http://wiki2.dovecot.org/procmail

This causes AVC denials.

audit2allow:
#============= procmail_t ==============
allow procmail_t dovecot_deliver_exec_t:file { read open };
allow procmail_t dovecot_etc_t:dir read;
allow procmail_t dovecot_etc_t:file { read getattr open };


audit2allow -R:
require {
        type dovecot_etc_t;
        type procmail_t;
        class file { read getattr open };
        class dir read;
}

#============= procmail_t ==============
allow procmail_t dovecot_etc_t:dir read;
allow procmail_t dovecot_etc_t:file { read getattr open };
mta_mailserver_delivery(procmail_t)

Comment 6 Daniel Walsh 2014-02-14 17:55:49 UTC
e265e07f056bd749658f1fe8951ab59cccad0a95 fixes this in git.

Comment 7 Lukas Vrabec 2014-02-15 23:22:16 UTC
back ported.

Comment 8 Fedora Update System 2014-02-24 13:16:31 UTC
selinux-policy-3.12.1-74.19.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.19.fc19

Comment 9 Fedora Update System 2014-02-25 07:45:14 UTC
Package selinux-policy-3.12.1-74.19.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.19.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3030/selinux-policy-3.12.1-74.19.fc19
then log in and leave karma (feedback).

Comment 10 W Agtail 2014-03-15 13:38:57 UTC
Hi, I have updated selinux-policy.

> rpm -q selinux-policy
selinux-policy-3.12.1-74.19.fc19.noarch

It would appear procmail requires access to the dovecot config files:
/etc/dovecot/dovecot.conf
/etc/dovecot/conf.d
/etc/dovecot/conf.d/*

Example:

SELinux is preventing /usr/bin/doveconf from read access on the directory /etc/dovecot/conf.d.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that doveconf should be allowed read access on the conf.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/conf.d [ dir ]
Source                        doveconf
Source Path                   /usr/bin/doveconf
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.10-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.10-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.19.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f19
Platform                      Linux f19 3.12.11-201.fc19.x86_64 #1 SMP
                              Fri Feb 14 19:08:33 UTC 2014 x86_64 x86_64
Alert Count                   9
First Seen                    2014-03-14 07:19:27 GMT
Last Seen                     2014-03-15 09:01:10 GMT
Local ID                      241029c0-4788-4980-93d1-c8634a0fc6af

Raw Audit Messages
type=AVC msg=audit(1394874070.303:11216): avc:  denied  { read } for  pid=23061 comm="doveconf" name="conf.d" dev="md3" ino=2738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir


type=SYSCALL msg=audit(1394874070.303:11216): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7fff561f8c90 a2=90800 a3=0 items=0 ppid=23056 pid=23061 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveconf,procmail_t,dovecot_etc_t,dir,read

Could selinux-policy be updated to accommodate this?
Thanks
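
The denials quoted in the description, the audit2allow rules Alan posted in comment 5 and the Enforcing-mode record in comment 10 all reduce to the same triage step: group AVC records by (source type, target type, object class), pair each with the SYSCALL record of the same event to see whether the kernel actually refused the access or only logged it, and, if a stopgap is needed before the fixed selinux-policy lands, render the result as a local .te module. The Python below is an added example written for this page; it is not code from the bug, from Fedora's selinux-policy, or from setroubleshoot/audit2allow. The audit lines it parses are trimmed copies of records posted above (constructed sample input), and the function names (parse_audit, split_by_enforcement, summarize, to_te_module, run) are the example's own.

```python
"""Triage SELinux AVC denials and draft a stopgap local policy module.
Added example for this bug report, not code from the report, from Fedora's
selinux-policy, or from setroubleshoot/audit2allow.  The audit records are
trimmed copies of those posted in the bug; the function names are ours."""
import re
from collections import defaultdict

# Serials 31753/31754/31756 were logged in Permissive mode (description),
# serial 11216 in Enforcing mode (comment 10).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1383659897.894:31753): avc:  denied  { getattr } for  pid=8979 comm="doveadm" path="/etc/dovecot/dovecot.conf" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1383659897.894:31753): arch=x86_64 syscall=stat success=yes exit=0 pid=8979 comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:procmail_t:s0
type=AVC msg=audit(1383659897.895:31754): avc:  denied  { read } for  pid=8979 comm="doveconf" name="dovecot.conf" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=AVC msg=audit(1383659897.895:31754): avc:  denied  { open } for  pid=8979 comm="doveconf" path="/etc/dovecot/dovecot.conf" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1383659897.895:31754): arch=x86_64 syscall=open success=yes exit=ENXIO pid=8979 comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0
type=AVC msg=audit(1383659897.908:31756): avc:  denied  { write } for  pid=8979 comm="doveadm" name="auth-userdb" dev="tmpfs" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1383659897.908:31756): avc:  denied  { connectto } for  pid=8979 comm="doveadm" path="/run/dovecot/auth-userdb" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1383659897.908:31756): arch=x86_64 syscall=connect success=yes exit=0 pid=8979 comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:procmail_t:s0
type=AVC msg=audit(1394874070.303:11216): avc:  denied  { read } for  pid=23061 comm="doveconf" name="conf.d" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1394874070.303:11216): arch=x86_64 syscall=openat success=no exit=EACCES pid=23061 comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0
"""
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?'
    r'syscall=(?P<syscall>\S+) success=(?P<success>\S+) exit=(?P<exit>\S+)')

def type_of(context):
    """user:role:type:level -> type, the part allow rules are written against."""
    return context.split(':')[2]

def parse_audit(text):
    """Return (denials, outcomes): one dict per AVC record, and
    {serial: (syscall, success, exit)} from the SYSCALL record of the same
    event (the kernel gives all records of one event the same serial)."""
    denials, outcomes = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            denials.append({'serial': m['serial'], 'source': type_of(m['scontext']),
                            'target': type_of(m['tcontext']), 'tclass': m['tclass'],
                            'perms': set(m['perms'].split())})
            continue
        m = SYSCALL_RE.match(line)
        if m:
            outcomes[m['serial']] = (m['syscall'], m['success'], m['exit'])
    return denials, outcomes

def split_by_enforcement(denials, outcomes):
    """Permissive mode logs the AVC but lets the syscall succeed (success=yes);
    Enforcing mode fails it (success=no, exit=EACCES).  Key on success=, not
    exit=: a successful open()'s exit= is a file descriptor, which setroubleshoot
    almost certainly rendered as an errno name (ENXIO, E2BIG in the report).
    A denial with no SYSCALL record is counted as logged-only."""
    blocked, logged_only = [], []
    for d in denials:
        success = outcomes.get(d['serial'], (None, None, None))[1]
        (blocked if success == 'no' else logged_only).append(d)
    return blocked, logged_only

def summarize(denials):
    """Merge into audit2allow-style rules: {(source, target, class): perms}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return dict(rules)

def to_te_module(name, rules):
    """Render minimal .te source in the shape `audit2allow -M` produces: raw
    allow rules only (the interface form audit2allow -R suggested in comment 5,
    mta_mailserver_delivery(procmail_t), is what the distribution fix uses).
    Compile and load with checkmodule/semodule_package/semodule (not done here)."""
    types = sorted({t for s, tgt, _ in rules for t in (s, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, cls), perms in sorted(rules.items()):
        p = ' '.join(sorted(perms))
        body = p if len(perms) == 1 else '{ ' + p + ' }'
        out.append(f'allow {s} {t}:{cls} {body};')
    return '\n'.join(out) + '\n'

def run(text=SAMPLE_AUDIT_LOG):
    """Return (rules, blocked, logged_only) for an audit log."""
    denials, outcomes = parse_audit(text)
    blocked, logged_only = split_by_enforcement(denials, outcomes)
    return summarize(denials), blocked, logged_only

if __name__ == '__main__':
    rules, blocked, logged_only = run()
    print(f'{len(blocked)} denial(s) enforced, {len(logged_only)} logged in Permissive mode')
    print(to_te_module('local_procmail_dovecot', rules))
```

Run against the sample it reports one enforced denial (the conf.d read from comment 10) and five that were only logged, and the rendered module contains exactly the four rules the thread converges on: procmail_t reading dovecot_etc_t files and directories, writing the dovecot_var_run_t auth-userdb socket file, and connectto on dovecot_t unix stream sockets. Two caveats for anyone tempted to load such a module: it grants only what was observed, but it is still a local exception to the distribution policy and is invisible to future policy updates, so once the fixed selinux-policy (3.12.1-74.26.fc19 for this bug) is installed it should be removed with semodule -r so that the distribution's rule is the only thing granting the access; and because the first reports here came from Permissive mode, the success= field, not the presence of an AVC, is what tells you whether procmail's doveadm call actually failed.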

Comment 11 Fedora Update System 2014-03-15 15:22:14 UTC
selinux-policy-3.12.1-74.19.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 W Agtail 2014-03-15 16:26:32 UTC
Reopened as per comment 10. Thanks

Comment 13 Daniel Walsh 2014-03-16 20:09:30 UTC
commit 2fab7cb23d316770184f8b6e714be5d82cdf0ca3 fixes this in git.

Comment 14 Lukas Vrabec 2014-03-17 10:10:01 UTC
back ported.

Comment 15 Fedora Update System 2014-03-21 14:36:00 UTC
selinux-policy-3.12.1-74.23.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.23.fc19

Comment 16 Fedora Update System 2014-03-22 05:09:21 UTC
Package selinux-policy-3.12.1-74.23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.23.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4216/selinux-policy-3.12.1-74.23.fc19
then log in and leave karma (feedback).

Comment 17 Fedora Update System 2014-05-07 16:25:58 UTC
selinux-policy-3.12.1-74.26.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.26.fc19

Comment 18 Fedora Update System 2014-06-27 02:23:07 UTC
selinux-policy-3.12.1-74.26.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.