Bug 1152773

Summary: SELinux message on dovecot login
Product: Red Hat Enterprise Linux 7 Reporter: Orion Poplawski <orion>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: low Docs Contact:
Priority: medium    
Version: 7.0CC: mmalik, orion, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-7.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:46:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Orion Poplawski 2014-10-14 22:46:12 UTC 
Description of problem:

I want to have dovecot be able to create user's home directory when they log into IMAP.  There appear to be other issues with oddjob-mkhomedir (bug #1098616) and it is not working with setenfor 0, but I am also seeing various AVCs that I think are related:

type=AVC msg=audit(1413325979.636:200): avc:  denied  { search } for  pid=2446 comm="auth" name="systemd" dev="tmpfs" ino=6824 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
type=USER_AVC msg=audit(1413326107.169:206): pid=660 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=2561 tpid=659 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1413326107.205:208): pid=660 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.15 spid=659 tpid=2561 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1413326107.205:209): avc:  denied  { write } for  pid=2561 comm="auth" path="/run/systemd/sessions/c1.ref" dev="tmpfs" ino=24651 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file

# find /run/ -inum 6824
/run/systemd


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-153.el7.noarch
dovecot-2.2.10-4.el7.x86_64
oddjob-mkhomedir-0.31.5-3.el7.x86_64
Comment 2 Orion Poplawski 2014-10-14 23:00:33 UTC 
Actually, does seem to be working now in enforcing with some dovecot tweaks.  False alarm.

I do get this on every login though:

type=AVC msg=audit(1413327524.377:1246): avc:  denied  { search } for  pid=4079 comm="auth" name="systemd" dev="tmpfs" ino=6824 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
Comment 4 Miroslav Grepl 2014-11-03 08:12:47 UTC 
commit f36db22a6d246c3226cfca7128e529b9f6f2e90b
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 3 09:08:25 2014 +0100

    Allow dovecot to create user's home directory when they log into IMAP.
Comment 6 Milos Malik 2014-12-17 15:57:00 UTC 
Hi Orion, could you re-test the scenario and use following RPMs:

 * http://people.redhat.com/dwalsh/SELinux/RHEL7/noarch/
Comment 8 Orion Poplawski 2014-12-26 23:37:37 UTC 
Some things have changed with my configuration, but I don't see any denials with selinux-policy-3.12.1-153.el7_0.13.noarch.  Thanks!

As an aside, I got this when updating:

warning: file /etc/selinux/targeted/modules/active/modules/pkcsslotd.pp: remove failed: No such file or directory

One other question while I have you :), setsebool -P no longer appears to set the running configuration.  Is that expected?
Comment 9 Milos Malik 2015-01-04 10:03:09 UTC 
The pkcsslotd.pp problem is addressed in BZ#1169434.
Comment 10 Milos Malik 2015-01-04 10:07:50 UTC 
What do you mean by "set the running configuration"? It should set the permanent state (what is default after reboot) and should not change the temporary state (what is default before reboot).
Comment 11 Orion Poplawski 2015-01-05 17:42:47 UTC 
Okay, so it's expected.  I had thought the behavior used to be different, but maybe not.
Comment 13 errata-xmlrpc 2015-03-05 10:46:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html