Bug 160679

| Field | Value |
|---|---|
| Summary | Dovecot fails to start |
| Product | Fedora |
| Component | selinux-policy-targeted |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | 4 |
| Hardware | i386 |
| OS | Linux |
| Reporter | John Horne <john.horne> |
| Assignee | Daniel Walsh <dwalsh> |
| CC | athompso, ivazqueznet, tss, wtogami |
| Fixed In Version | dovecot-0.99.14-7.fc4 |
| Doc Type | Bug Fix |
| Last Closed | 2005-09-05 05:37:23 UTC |
Description
John Horne
2005-06-16 16:05:56 UTC
Sorry, should have added: I saw the Bugzilla report 160277 but the suggested workaround did not work (even after modifying /etc/dovecot.conf to specify the new location of the certificates).

FYI, more info in bug #160277.

mkcert.sh should not have set the /etc/pki/dovecot/dovecot.pem permissions to 0600 like it did to the key file /etc/pki/dovecot/private/dovecot.pem.

Fixed in dovecot-0.99.14-7.fc4.

No, this still doesn't work. What permissions should be set on /etc/pki/dovecot/dovecot.pem? I have set them to 644. My dovecot.conf explicitly sets the path for the SSL certificates, so that is not the problem. On rebooting I get a message: "Unable to use SSL certificate /etc/pki/dovecot/dovecot.pem: permission denied". It doesn't appear in any log file. If I disable SELinux then dovecot starts up okay, so I think there is something else amiss (in SELinux).

Found this in the /var/log/audit/audit.log file (it's been wrapped by me for more readability):

```
==================================================================
type=PATH msg=audit(1119005044.051:4751493): item=0 name="/etc/pki/dovecot/dovecot.pem" inode=1345808 dev=09:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1119005044.051:4751493): arch=40000003 syscall=33 success=no exit=-13 a0=9ba72e8 a1=4 a2=0 a3=0 items=1 pid=3808 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
type=AVC msg=audit(1119005044.051:4751493): avc: denied { read } for pid=3808 comm="dovecot" name=dovecot.pem dev=md2 ino=1345808 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
==================================================================
```

This occurred when I tried to start dovecot using 'service dovecot start'.

O.K., thanks for the info. I was going to ask you to check the audit log, but you beat me to it. Indeed this is a problem not with dovecot but with the SELinux security policy. I'm changing the component this bug is filed against to reflect that. In the interim you can disable SELinux until we get you a new security policy fix.

Okay, many thanks for this.

This can be solved by editing the FC4 policy and adding the following to file_contexts/program/dovecot.fc:

```
/etc/pki/dovecot/dovecot\.pem -- system_u:object_r:dovecot_cert_t
/etc/pki/dovecot/private/dovecot\.pem -- system_u:object_r:dovecot_cert_t
```

What dovecot.fc? Running 'locate dovecot.fc' shows nothing.

Fixed in selinux-policy-targeted-1.23.18-12.

No, it's not fixed in selinux-policy-targeted-1.23.18-12. It *looks* fixed but isn't for some reason (unless I'm missing something fundamental). See dup bug #161174. (P.S. Why aren't selinux-policy bugs flagged as "security"?)

selinux-policy-targeted-1.23.18-17 does not allow dovecot to start. If under SELinux protection, starting dovecot fails and the following is in the messages log:

```
Jun 30 13:38:15 ifs kernel: audit(1120131495.899:58): avc: denied { search } for pid=10496 comm="dovecot" name=root dev=md1 ino=8126465 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:default_t tclass=dir
```

```
ls -lZ /etc/pki/dovecot/*
-rw-r--r--  root root system_u:object_r:dovecot_cert_t /etc/pki/dovecot/dovecot-openssl.cnf
-rw-------  root root system_u:object_r:dovecot_cert_t /etc/pki/dovecot/dovecot.pem

/etc/pki/dovecot/private:
-rw-------  root root system_u:object_r:dovecot_cert_t dovecot.pem
```

This is on an Opteron system, updated FC3->FC4.

This looks like a labeling problem. Did you run the machine as selinux=0? You can relabel by typing:

```
touch /.autorelabel
reboot
```

No, the machines were never run with selinux=0. However, I have rebooted one system (with the new kernel kernel-2.6.12-1.1387_FC4) and dovecot started up with no problems. As far as I remember - sorry, but I've been trying different things to sort this out, so I got a little lost as to what I had/had not tried - I did run 'restorecon -R /etc'. I don't think the kernel upgrade has anything to do with it, but perhaps the restorecon and then the reboot was what was required. I've just restarted a second system and that too has dovecot starting with no problems (I ran restorecon on that one too).

A policy update fixes this issue but requires a relabelling after that. If you perform that it works fine. Closing.
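The two denials quoted in this thread are of different kinds, and the thread resolves them differently: the first (dovecot_t denied read on a cert_t file) was a policy/labeling design gap, fixed by giving the certificate files a dovecot-specific type in the file contexts; the second (dovecot_t denied search on a default_t directory) was a mislabeled filesystem, fixed by relabeling with restorecon or /.autorelabel. The script below is an added example, not code from this bug, from Dovecot or from the Fedora SELinux policy. It parses AVC denial records in both the audit.log and syslog formats, separates "relabel needed" denials from "policy gap" denials, and prints the audit2allow-style rule that would silence each one. The sample input is the log lines quoted in the bug; the set of generic fallback types used to spot mislabeling is an assumption of this example.

```python
"""Classify SELinux AVC denials from audit.log / syslog lines.

Added example for bug 160679; not code from the bug, Dovecot or the Fedora
policy. "policy" means the target carries a real type the domain simply
lacks access to (dovecot_t -> cert_t); "mislabeled" means the target carries
a generic fallback type (default_t), which a relabel fixes, not a policy change.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the denials quoted in this bug. The first is in audit.log
# format (with its companion PATH and SYSCALL records, which the parser must
# skip); the second is the syslog "kernel: audit(...)" format.
SAMPLE_LOG = """\
type=PATH msg=audit(1119005044.051:4751493): item=0 name="/etc/pki/dovecot/dovecot.pem" inode=1345808 dev=09:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1119005044.051:4751493): arch=40000003 syscall=33 success=no exit=-13 a0=9ba72e8 a1=4 a2=0 a3=0 items=1 pid=3808 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
type=AVC msg=audit(1119005044.051:4751493): avc: denied { read } for pid=3808 comm="dovecot" name=dovecot.pem dev=md2 ino=1345808 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
Jun 30 13:38:15 ifs kernel: audit(1120131495.899:58): avc: denied { search } for pid=10496 comm="dovecot" name=root dev=md1 ino=8126465 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:default_t tclass=dir
"""

# Types that mean "no real label was ever assigned". Access denied against
# these is fixed by restorecon / touch /.autorelabel, not by widening policy.
# (Assumption of this example; adjust for the policy in use.)
GENERIC_TYPES = {"default_t", "unlabeled_t", "file_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: tuple      # denied permissions, e.g. ("read",)
    comm: str         # process name
    name: str         # object name (file or directory)
    scontext: str     # full source (process) context
    tcontext: str     # full target (object) context
    tclass: str       # object class: file, dir, ...


def ctx_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one log line; return a Denial, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", ""),
        name=fields.get("name", ""),
        scontext=fields.get("scontext", ""),
        tcontext=fields.get("tcontext", ""),
        tclass=fields.get("tclass", ""),
    )


def diagnose(d):
    """'mislabeled' if the target carries a generic fallback type, else 'policy'."""
    return "mislabeled" if ctx_type(d.tcontext) in GENERIC_TYPES else "policy"


def allow_rule(d):
    """The allow rule that would silence this denial (what audit2allow proposes).

    Treat it as a diagnostic, not a fix: in this bug the right answer was to
    give the files a dovecot-specific label, not to let dovecot_t read cert_t.
    """
    return "allow %s %s:%s { %s };" % (
        ctx_type(d.scontext), ctx_type(d.tcontext), d.tclass, " ".join(d.perms))


def summarize(log_text):
    """Count denials by (source type, target type, class, perms, diagnosis)."""
    denials = [d for d in map(parse_avc, log_text.splitlines()) if d]
    return Counter(
        (ctx_type(d.scontext), ctx_type(d.tcontext), d.tclass,
         " ".join(d.perms), diagnose(d))
        for d in denials)


if __name__ == "__main__":
    for d in filter(None, map(parse_avc, SAMPLE_LOG.splitlines())):
        print("%-10s %-8s %-4s %-12s %s" % (
            diagnose(d), d.comm, d.tclass, d.name, allow_rule(d)))
```

Run against the sample, the first denial classifies as "policy" and yields `allow dovecot_t cert_t:file { read };`, which is exactly the rule not to apply blindly: every domain reading every certificate under cert_t is far broader than the dovecot_cert_t file-context fix the thread settled on. The second classifies as "mislabeled", and the matching action is the relabel the maintainer asked for; no allow rule against default_t should ever be added, since a real label would make it moot.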