Bug 158086
Summary: | dovecot won't start from init script due to selinux errors | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Thomas J. Baker <tjb>
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh>
Status: | CLOSED CURRENTRELEASE | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | rawhide | CC: | andreas.w.simon, athompso, sergey_udaltsov
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2005-07-02 19:41:19 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Thomas J. Baker
2005-05-18 15:09:00 UTC
chcon -t dovecot_cert_t /etc/pki/dovecot/dovecot.pem

Should fix it. I will modify policy to fix this problem.

selinux-policy-*-1.23.16-4

I did the chcon and have the new policy and it still fails:

```
[tjb@wintermute policy]# ls -lZ /etc/pki/dovecot/dovecot.pem
-rw-------  root root system_u:object_r:dovecot_cert_t /etc/pki/dovecot/dovecot.pem
[tjb@wintermute policy]#
type=AVC msg=audit(1116596209.572:5451329): avc: denied { read } for name=dovecot.pem dev=dm-0 ino=200601 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116596209.572:5451329): syscall=21 arch=c000003e success=no exit=-13 a0=521588 a1=4 a2=410e77 a3=6f items=1 pid=8022 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116596209.572:5451329): item=0 name="/etc/pki/dovecot/private/dovecot.pem" inode=200601 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
```

P.S. The thing I don't understand is that if I start it by hand, just "dovecot" as root, it works fine.

chcon -R -t dovecot_cert_t /etc/pki/dovecot

When you run the service out of the service script it is protected via SELinux; when you run it by hand directly it runs under the default context (unconfined_t).

Actually restorecon -R -v /etc/pki should fix it also.

Dan, still no dice:

```
[tjb@wintermute tjb]# restorecon -R -v /etc/pki
restorecon reset /etc/pki/dovecot/dovecot.pem context system_u:object_r:dovecot_cert_t->system_u:object_r:cert_t
[tjb@wintermute tjb]# /etc/init.d/dovecot stop
Stopping Dovecot Imap:                                     [  OK  ]
[tjb@wintermute tjb]# /etc/init.d/dovecot start
Starting Dovecot Imap:                                     [FAILED]
[tjb@wintermute tjb]#
type=AVC msg=audit(1116598755.720:12031051): avc: denied { read } for name=dovecot.pem dev=dm-0 ino=200602 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116598755.720:12031051): syscall=21 arch=c000003e success=no exit=-13 a0=521568 a1=4 a2=410e77 a3=6f items=1 pid=10363 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116598755.720:12031051): item=0 name="/etc/pki/dovecot/dovecot.pem" inode=200602 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
```

On running from the init script versus command line, how is the context applied when running from the script? The daemon command invokes a new context and somehow dovecot policy is applied to it? (Excuse the lack of better terms...)

OK, we have a problem in policy then. /etc/pki/dovecot: do

chcon -R -t dovecot_cert_t /etc/pki/dovecot

And it should work. I will look at policy, but the restorecon should have done the equivalent.

The rules say that when running an init script:

```
unconfined_t -> initrc_exec_t -> initrc_t
initrc_t -> dovecot_exec_t -> dovecot_t
```

```
ls -lZ /etc/init.d/dovecot
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t /etc/init.d/dovecot
```

When run directly:

```
unconfined_t -> dovecot_exec_t -> unconfined_t
```

I had the same problem here. chcon -R -t dovecot_cert_t /etc/pki/dovecot fixed the issue here. Dovecot now starts fine from the init.d script. This is with selinux-policy-targeted-1.23.16-6.

(Dovecot still can't actually access my mails, but this seems to be unrelated to this bug, because my mails are on a reiserfs partition, which is known to not work with selinux. I expect this issue to go away when I change my /home to ext3 this weekend:

```
type=PATH msg=audit(1117146764.477:4455248): item=0 name="/home/andreas" inode=3 dev=fd:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00
type=SYSCALL msg=audit(1117146764.477:4455248): arch=40000003 syscall=12 success=no exit=-13 a0=9e21653 a1=0 a2=3e8 a3=9e20f9c items=1 pid=3236 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
type=AVC msg=audit(1117146764.477:4455248): avc: denied { search } for pid=3236 comm="dovecot" name=andreas dev=dm-2 ino=3 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:file_t tclass=dir
```
)

Thanks.

FYI, running FC4-release (fully updated as of right now). selinux-policy-targeted is somehow fubar'd with respect to the /etc/pki/dovecot/* entries. I have selinux-policy-targeted-source installed, and have manually verified that the policy appears to be correct:

```
/etc/selinux/targeted/src/policy/file_contexts/file_contexts:/etc/pki/dovecot(/.*)? system_u:object_r:dovecot_cert_t
```

...but running restorecon (or setfiles) does NOT correctly apply that context:

```
[root@server selinux]# cd /etc/pki/dovecot/
[root@server dovecot]# ls -lZ
-rw-r--r--  root root system_u:object_r:cert_t dovecot-openssl.cnf
-rw-------  root root system_u:object_r:cert_t dovecot.pem
drwxr-xr-x  root root system_u:object_r:cert_t private/
```

Now, if I do "chcon -R -t dovecot_cert_t .", everything seems just fine. Question is, why/how is targeted policy broken and not applying properly?

There is an ordering problem in the file_context file. This is fixed in selinux-policy-targeted-1.23.18-17.src.rpm

Seems fixed to me. Others concur?
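An added example, not part of the bug report or of the Fedora policy, showing the two things the thread turns on: what the AVC record says, and why restorecon kept resetting the file to cert_t. It assumes a file_contexts fragment constructed here (the dovecot entry quoted in the report next to an assumed generic /etc/pki entry) and the setfiles/restorecon rule that, when several entries match a path, the last one in the file wins.

```python
import re

# AVC record copied from the report above (the denial seen when dovecot is
# started from the init script and so runs in dovecot_t).
AVC_LINE = ('type=AVC msg=audit(1116598755.720:12031051): avc: denied { read } '
            'for name=dovecot.pem dev=dm-0 ino=200602 '
            'scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file')

# Constructed file_contexts fragments, not the real policy file. The dovecot
# entry is the one quoted in the report; the generic /etc/pki entry is assumed.
BROKEN_ORDER = [('/etc/pki/dovecot(/.*)?', 'system_u:object_r:dovecot_cert_t'),
                ('/etc/pki(/.*)?',         'system_u:object_r:cert_t')]
FIXED_ORDER  = [('/etc/pki(/.*)?',         'system_u:object_r:cert_t'),
                ('/etc/pki/dovecot(/.*)?', 'system_u:object_r:dovecot_cert_t')]

def parse_avc(line):
    """Extract the denied permissions, source domain, target type and class."""
    perms = re.search(r'\{ ([^}]*) \}', line).group(1).split()
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    return {'perms': perms,
            'sdomain': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass']}

def expected_type(file_contexts, path):
    """Mimic setfiles/restorecon: entries are anchored regexes and, when several
    match, the LAST one in the file wins. Returns the type part of the context."""
    winner = None
    for regex, context in file_contexts:
        if re.fullmatch(regex, path):
            winner = context
    return winner.split(':')[2] if winner else None

def needs_relabel(avc, file_contexts, path):
    """True when the label the denial hit differs from what the policy would
    assign, so restorecon fixes it. False means restorecon reproduces the bad
    label: the policy's file_contexts itself is wrong (the case in this report)."""
    return avc['ttype'] != expected_type(file_contexts, path)

if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    path = '/etc/pki/dovecot/dovecot.pem'
    print(f"{avc['sdomain']} denied {avc['perms']} on {avc['tclass']} of type {avc['ttype']}")
    for name, fc in (('broken order', BROKEN_ORDER), ('fixed order', FIXED_ORDER)):
        print(f"{name}: restorecon would set {expected_type(fc, path)}; "
              f"relabel helps: {needs_relabel(avc, fc, path)}")
```

With the broken order the resolver returns cert_t for dovecot.pem, which is exactly the "reset ... dovecot_cert_t->cert_t" line restorecon printed in the thread; with the entries reordered it returns dovecot_cert_t and a relabel is enough.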