Bug 160679

Summary: Dovecot fails to start
Product: Fedora
Reporter: John Horne <john.horne>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 4
CC: athompso, ivazqueznet, tss, wtogami
Hardware: i386
OS: Linux
Fixed In Version: dovecot-0.99.14-7.fc4
Doc Type: Bug Fix
Last Closed: 2005-09-05 05:37:23 UTC

Description John Horne 2005-06-16 16:05:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
Performed an initial installation of FC4. Moved certificates from a working FC3 system to /etc/pki/dovecot on the FC4 system. Starting dovecot using 'service dovecot start' fails. No output is shown, and nothing appears in the log files.

If I start dovecot from the command line using '/usr/sbin/dovecot' then it works fine ('ps auxww|grep -i dove' shows imap-login and dovecot-auth processes).

Version-Release number of selected component (if applicable):
dovecot-0.99.14-4.fc4

How reproducible:
Always

Steps to Reproduce:
1. Install FC4
2. Start up the system or run 'service dovecot start'

Actual Results: Nothing - dovecot hadn't started.

Expected Results: dovecot should start up - imap-login processes should be started.

Additional info:

I changed /etc/init.d/dovecot to run strace on /usr/sbin/dovecot. The last part of the output shows:

==================================================================
open("/etc/passwd", O_RDONLY)           = 3
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=1735, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =     0xb7f99000
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1735
close(3)                                = 0
munmap(0xb7f99000, 4096)                = 0
open("/etc/passwd", O_RDONLY)           = 3
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=1735, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =     0xb7f99000
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1735
close(3)                                = 0
munmap(0xb7f99000, 4096)                = 0
access("/usr/libexec/dovecot/imap-login", X_OK) = 0
access("/usr/libexec/dovecot/imap", X_OK) = 0
access("/etc/pki/dovecot/dovecot.pem", R_OK) = -1 EACCES (Permission denied)
write(2, "Fatal: ", 7)                  = 7
write(2, "Can\'t use SSL certificate /etc/p"..., 73) = 73
write(2, "\n", 1)                       = 1
exit_group(89)                          = ?
==================================================================

Permission on /etc/pki/dovecot/dovecot.pem is mode 0600, owned by root:root.

Whereas an strace on running dovecot from the CLI shows:

==================================================================
open("/etc/passwd", O_RDONLY)           = 3
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=1735, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =     0xb7fec000
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1735
close(3)                                = 0
munmap(0xb7fec000, 4096)                = 0
access("/usr/libexec/dovecot/imap-login", X_OK) = 0
access("/usr/libexec/dovecot/imap", X_OK) = 0
access("/etc/pki/dovecot/dovecot.pem", R_OK) = 0
access("/etc/pki/dovecot/private/dovecot.pem", R_OK) = 0
getegid32()                             = 0
lstat64("/var/run/dovecot", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
open("/var/run/dovecot", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
close(3)                                = 0
lstat64("/var/run/dovecot", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
open(".", O_RDONLY|O_LARGEFILE)         = 3
open("/var/run/dovecot-login", O_RDONLY|O_LARGEFILE|O_NOFOLLOW) = 4
fchdir(4)
==================================================================

Comment 1 John Horne 2005-06-16 16:08:17 UTC
Sorry, should have added: I saw the bugzilla report 160277 but the suggested
workaround did not work (even after modifying /etc/dovecot.conf to specify the
new location of the certificates).

Comment 2 John Dennis 2005-06-16 19:36:58 UTC
FYI, more info in bug #160277

mkcert.sh should not have set the /etc/pki/dovecot/dovecot.pem permissions to
0600 like it did to the key file /etc/pki/dovecot/private/dovecot.pem

fixed in dovecot-0.99.14-7.fc4

Comment 3 John Horne 2005-06-17 10:24:56 UTC
No, this still doesn't work. What permissions should be set on
/etc/pki/dovecot/dovecot.pem ? I have set them to 644. My dovecot.conf
explicitly sets the path for the ssl certificates so that is not the problem.

On rebooting I get a message:

   Unable to use SSL certificate /etc/pki/dovecot/dovecot.pem: permission denied.

It doesn't appear in any log file. If I disable SELinux then dovecot starts up
okay, so I think there is something else amiss (in SELinux).

Comment 4 John Horne 2005-06-17 10:47:02 UTC
Found this in the /var/log/audit/audit.log file (it's been wrapped by me for
more readability):

==================================================================
  type=PATH msg=audit(1119005044.051:4751493): item=0 
     name="/etc/pki/dovecot/dovecot.pem" inode=1345808 dev=09:02 mode=0100644 
     ouid=0 ogid=0 rdev=00:00
  type=SYSCALL msg=audit(1119005044.051:4751493): arch=40000003 syscall=33 
     success=no exit=-13 a0=9ba72e8 a1=4 a2=0 a3=0 items=1 pid=3808 
     auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
     comm="dovecot" exe="/usr/sbin/dovecot"
  type=AVC msg=audit(1119005044.051:4751493): avc:  denied  { read } for  
     pid=3808 comm="dovecot" name=dovecot.pem dev=md2 ino=1345808 
     scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t 
     tclass=file
==================================================================

This occurred when I tried to start dovecot using 'service dovecot start'.

Comment 5 John Dennis 2005-06-17 15:05:55 UTC
O.K., thanks for the info; I was going to ask you to check the audit log but you
beat me to it. Indeed this is a problem not with dovecot but with the SELinux
security policy. I'm changing the component this bug is filed against to reflect
that. In the interim you can disable SELinux until we get you a new security
policy fix.

Comment 6 John Horne 2005-06-17 16:03:37 UTC
Okay, many thanks for this.

Comment 7 Mark Eisenstat 2005-06-21 06:15:23 UTC
This can be solved by editing the FC4 policy and adding the following to
file_contexts/program/dovecot.fc:

/etc/pki/dovecot/dovecot\.pem   --      system_u:object_r:dovecot_cert_t
/etc/pki/dovecot/private/dovecot\.pem   --      system_u:object_r:dovecot_cert_t

Comment 8 John Horne 2005-06-21 10:09:50 UTC
What dovecot.fc? Running 'locate dovecot.fc' shows nothing.

Comment 9 Daniel Walsh 2005-06-26 11:30:59 UTC
Fixed in selinux-policy-targeted-1.23.18-12

Comment 10 Adam Thompson 2005-06-26 14:38:16 UTC
No, it's not fixed in selinux-policy-targeted-1.23.18-12.  It *looks* fixed but
isn't for some reason (unless I'm missing something fundamental).

See dup bug # 161174.

(P.S. why aren't selinux-policy bugs flagged as "security"?)

Comment 11 jørgen nørgaard 2005-06-30 11:48:34 UTC
selinux-policy-targeted-1.23.18-17 does not allow dovecot to start if under SELinux protection.

starting dovecot fails and the following is in the messages log:

Jun 30 13:38:15 ifs kernel: audit(1120131495.899:58): avc:  denied  { search } for  pid=10496
comm="dovecot" name=root dev=md1 ino=8126465
scontext=root:system_r:dovecot_t tcontext=system_u:object_r:default_t tclass=dir


ls -lZ /etc/pki/dovecot/*
-rw-r--r--  root     root     system_u:object_r:dovecot_cert_t /etc/pki/dovecot/dovecot-openssl.cnf
-rw-------  root     root     system_u:object_r:dovecot_cert_t /etc/pki/dovecot/dovecot.pem

/etc/pki/dovecot/private:
-rw-------  root     root     system_u:object_r:dovecot_cert_t dovecot.pem

This is on an Opteron system, updated FC3->FC4.
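As an added example (not from this bug, nor from the Fedora or SELinux tooling), a small Python triage script that parses the two AVC denial formats quoted in comments 4 and 11 (the audit.log record and the kernel/messages line) and separates labeling problems, which restorecon or a full relabel fixes, from denials that would need a policy rule. The set of "generic" object types, and the assumption that dovecot_t is meant to read dovecot_cert_t, are mine for this bug.

```python
import re

# Matches the AVC body in both forms seen in this bug: the audit.log record
# ("type=AVC msg=audit(...): avc: denied ...") and the kernel/messages line
# ("kernel: audit(...): avc: denied ...").
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object types that mean "this path carries a generic or fallback label".
# default_t is what SELinux assigns when no file_contexts entry matches and
# cert_t is the generic /etc/pki label. Assumption for this bug: dovecot_t is
# meant to read dovecot_cert_t, so these point at labeling, not policy.
GENERIC_TYPES = {"default_t", "cert_t", "unlabeled_t", "file_t"}

def parse_avc(line):
    """Return a dict for an AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        # user:role:type[:level]; policy rules key on the type field
        rec[ctx + "_type"] = rec.get(ctx, "::unknown").split(":")[2]
    return rec

def classify(rec):
    """'relabel' when the target label is generic, else 'policy' (rule missing)."""
    return "relabel" if rec["tcontext_type"] in GENERIC_TYPES else "policy"

def triage(log_text):
    """Summarise each AVC denial as (comm, perms, tclass, target type, verdict)."""
    results = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            results.append((rec["comm"], " ".join(rec["perms"]), rec["tclass"],
                            rec["tcontext_type"], classify(rec)))
    return results

# Constructed sample: the two denials quoted in comments 4 and 11, each
# re-joined onto a single line, plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
  type=AVC msg=audit(1119005044.051:4751493): avc:  denied  { read } for  pid=3808 comm="dovecot" name=dovecot.pem dev=md2 ino=1345808 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
Jun 30 13:38:15 ifs kernel: audit(1120131495.899:58): avc:  denied  { search } for  pid=10496 comm="dovecot" name=root dev=md1 ino=8126465 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:default_t tclass=dir
Jun 30 13:38:16 ifs dovecot: Fatal: Can't use SSL certificate
"""
```

Both denials on this page come back as "relabel", which is consistent with comments 12 to 14: the fix was restorecon or touch /.autorelabel, not a further policy change.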




Comment 12 Daniel Walsh 2005-07-02 19:48:12 UTC
This looks like a labeling problem. Did you run the machine as selinux=0? You
can relabel by typing

touch /.autorelabel
reboot

Comment 13 John Horne 2005-07-04 10:06:46 UTC
No, the machines were never run with selinux=0. However, I have rebooted one
system (with the new kernel kernel-2.6.12-1.1387_FC4) and dovecot started up
with no problems. As far as I remember - sorry but I've been trying different
things to sort this out, so I got a little lost as to what I had/had not tried -
I did run 'restorecon -R /etc'. I don't think the kernel upgrade has anything to
do with it, but perhaps the restorecon and then the reboot was what was required.

I've just restarted a second system and that too has dovecot starting with no
problems (I ran restorecon on that one too).

Comment 14 Rahul Sundaram 2005-09-05 05:37:23 UTC
A policy update fixes this issue but requires a relabelling after that. If you
perform that, it works fine. Closing.