Bug 1615058
| Field | Value |
|---|---|
| Summary | f28 dovecot-2.2.36-1.fc28.x86_64 won't allow imap login from f27 thunderbird |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | unspecified |
| Version | 28 |
| Hardware | x86_64 |
| OS | Unspecified |
| Fixed In Version | selinux-policy-3.14.1-42.fc28 |
| Reporter | Doug Maxey <bz> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | anon.amish, bennie.joubert, dan, dwalsh, janfrode, lvrabec, mgrepl, mhlavink, plautrba, pmoore, pokorra.mailinglists |
| Related | 1615236 (view as bug list) |
| Type | Bug |
| Doc Type | If docs needed, set a value |
| Last Closed | 2018-09-11 16:56:29 UTC |
| Unset (---) | Target Milestone, Target Release, Story Points, Regression, Mount Type, Documentation, Category, oVirt Team, Cloudforms Team |
| Empty | Whiteboard, Doc Text, Clone Of, Environment, CRM, Verified Versions, RHEL 7.3 requirements from Atomic Host, Target Upstream Version, Embargoed |
Description
Doug Maxey
2018-08-11 23:24:46 UTC
---

Michal Hlavinka (comment #1):

Do you have selinux enabled? Could you try to reproduce this with selinux in permissive mode? Thanks.

---

How does one enable permissive for just dovecot?

---

(In reply to Michal Hlavinka from comment #1)
> do you have selinux enabled?
> could you try to reproduce this with selinux in permissive mode?
> thanks

It took the big hammer, as I could not successfully just enable permissive for dovecot related auths, but 'setenforce 0' did enable logging in from thunderbird. So it is a selinux issue.

See related bug 1615236.

---

Check if you see any related selinux messages:

```
# journalctl -b | grep denied
```

Option -b limits messages to "since last boot", so it expects that you tried to reproduce this since last boot, to get the messages. With permissive mode you can get more messages (if there is more than 1 problem, with selinux in enforcing, it would stop after the first one and not log the second denial). This should help selinux maintainers to fix this.

Also please check what selinux-policy version you have installed.

Anyway, reassigning to selinux.

---

Doug Maxey (comment #6):

nothing at all selinux related, either in messages or audit.log.

I tried to remove the dontaudit for the dovecot related policies

```
# for d in dovecot_auth_t dovecot_deliver_t dovecot_t; do echo $d:; semanage permissive -a $d; done
syncing...done
dovecot_auth_t:
OSError: [Errno 93] Protocol not supported
dovecot_deliver_t:
OSError: [Errno 93] Protocol not supported
dovecot_t:
OSError: [Errno 93] Protocol not supported
```

Also tried

```
semodule -DB; start dovecot; stop dovecot; semodule -B
```

with no AVC indications at all.

---

(In reply to Doug Maxey from comment #6)
> ***nothing at all*** selinux related, either in messages or audit.log.
>
> I tried to remove the dontaudit for the dovecot related policies
>
> # for d in dovecot_auth_t dovecot_deliver_t dovecot_t; do echo $d:;
> semanage permissive -a $d; done
> ...
>
> Also tried
> semodule -DB; start dovecot; stop dovecot; semodule -B
>
> with no AVC indications at all.

meh.

A very long time ago, was getting loads of audit spam, and found that disabling auditd with the kernel line 'audit=0' worked. Never backed it out, so it has been in effect for over a year. Removing that commandline option has enabled the successful use of semanage permissive.

Trying it all again to gather messages... :/

---

Now have a message when thunderbird attempts to connect

```
# ausearch -m AVC -ts recent
----
time->Tue Aug 14 22:50:24 2018
type=AVC msg=audit(1534305024.157:310): avc: denied { dac_override } for pid=2436 comm="auth" capability=1 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability permissive=1
```

---

More avcs while running permissive with dontaudit disabled:

```
ausearch -m AVC,USER_AVC,SELINUX_ERR -ts "14:44:33" -i |tee /var/log/audit/dovecot
----
type=AVC msg=audit(08/16/2018 14:44:45.736:936) : avc: denied { noatsecure } for pid=17639 comm=sendmail scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.737:937) : avc: denied { rlimitinh } for pid=17639 comm=dovecot-lda scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.737:938) : avc: denied { siginh } for pid=17639 comm=dovecot-lda scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.745:939) : avc: denied { dac_override } for pid=17547 comm=auth capability=dac_override scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.747:940) : avc: denied { noatsecure } for pid=17640 comm=dovecot scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.747:941) : avc: denied { rlimitinh } for pid=17640 comm=auth scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.747:942) : avc: denied { siginh } for pid=17640 comm=auth scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
----
```

---

With permissive still set for things dovecot, turned off dontaudit long enough to capture more details. Sent an email, and started thunderbird. Here are the results when passed through audit2allow:

```
# ausearch -m AVC -i -ts recent |audit2allow -m dovecot > dovecot.te
# cat dovecot.te

module dovecot 1.0;

require {
	type chkpwd_t;
	type sendmail_t;
	type dovecot_deliver_t;
	type dovecot_t;
	type dovecot_auth_t;
	class process { noatsecure rlimitinh siginh };
	class capability dac_override;
}

#============= dovecot_auth_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_auth_t chkpwd_t:process { noatsecure rlimitinh siginh };
allow dovecot_auth_t self:capability dac_override;

#============= dovecot_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_t dovecot_auth_t:process { noatsecure rlimitinh siginh };

#============= sendmail_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow sendmail_t dovecot_deliver_t:process { noatsecure rlimitinh siginh };
```

---

selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

---

selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

---

Doug Maxey (comment #13):

I keep my /etc files in a local git repo. With this update installed, see this:

```
. M etc/selinux/config
D etc/selinux/targeted/.policy.sha512
D etc/selinux/targeted/booleans.subs_dist
D etc/selinux/targeted/contexts/customizable_types
D etc/selinux/targeted/contexts/dbus_contexts
D etc/selinux/targeted/contexts/default_contexts
D etc/selinux/targeted/contexts/default_type
D etc/selinux/targeted/contexts/failsafe_context
D etc/selinux/targeted/contexts/files/file_contexts
D etc/selinux/targeted/contexts/files/file_contexts.homedirs
D etc/selinux/targeted/contexts/files/file_contexts.local
D etc/selinux/targeted/contexts/files/file_contexts.subs
D etc/selinux/targeted/contexts/files/file_contexts.subs_dist
D etc/selinux/targeted/contexts/files/media
D etc/selinux/targeted/contexts/initrc_context
D etc/selinux/targeted/contexts/lxc_contexts
D etc/selinux/targeted/contexts/openssh_contexts
D etc/selinux/targeted/contexts/removable_context
D etc/selinux/targeted/contexts/securetty_types
D etc/selinux/targeted/contexts/sepgsql_contexts
D etc/selinux/targeted/contexts/snapperd_contexts
D etc/selinux/targeted/contexts/systemd_contexts
D etc/selinux/targeted/contexts/userhelper_context
D etc/selinux/targeted/contexts/users/guest_u
D etc/selinux/targeted/contexts/users/root
D etc/selinux/targeted/contexts/users/staff_u
D etc/selinux/targeted/contexts/users/sysadm_u
D etc/selinux/targeted/contexts/users/unconfined_u
D etc/selinux/targeted/contexts/users/user_u
D etc/selinux/targeted/contexts/users/xguest_u
D etc/selinux/targeted/contexts/virtual_domain_context
D etc/selinux/targeted/contexts/virtual_image_context
D etc/selinux/targeted/contexts/x_contexts
D etc/selinux/targeted/setrans.conf
D etc/selinux/targeted/seusers
D usr/bin/sepolgen-ifgen
D usr/bin/sepolicy
?? etc/selinux/targeted/contexts/files/file_contexts.local.rpmsave
```

Is this expected?

---

(In reply to Doug Maxey from comment #13)

Disregard the above. See where I used a wrong invocation for the update.

---

selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
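The `audit2allow -m dovecot` step in the thread, reconstructed as an added example; this is not code from the bug report, from Dovecot or from the selinux-policy project. It parses the AVC records pasted above (copied here as the sample input, covering both the raw form with `capability=1` and the `ausearch -i` form with `capability=dac_override`), groups them by source type, target type and object class the way audit2allow does, and renders a .te module in the same layout. The `USUALLY_DONTAUDITED` table is an assumption standing in for audit2allow's lookup against the loaded policy: it marks the three process permissions that the thread's output flagged with `#!!!!`. Only the pasted records are fed in, so the `chkpwd_t` rule from the later capture does not appear.

```python
"""Mini audit2allow: turn SELinux AVC denial records into allow rules.

Added example, not code from the bug report or from the selinux-policy
project.  It reproduces, for the AVC lines posted in this bug, the grouping
that `audit2allow -m dovecot` performed, so the output can be compared with
the dovecot.te pasted in the thread.
"""
import re
from collections import defaultdict

# Sample input: the AVC records pasted in this bug report (one raw-format
# record from `ausearch -m AVC`, the rest from `ausearch ... -i`).
SAMPLE_AVCS = """\
type=AVC msg=audit(1534305024.157:310): avc: denied { dac_override } for pid=2436 comm="auth" capability=1 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.736:936) : avc: denied { noatsecure } for pid=17639 comm=sendmail scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.737:937) : avc: denied { rlimitinh } for pid=17639 comm=dovecot-lda scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.737:938) : avc: denied { siginh } for pid=17639 comm=dovecot-lda scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.745:939) : avc: denied { dac_override } for pid=17547 comm=auth capability=dac_override scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.747:940) : avc: denied { noatsecure } for pid=17640 comm=dovecot scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.747:941) : avc: denied { rlimitinh } for pid=17640 comm=auth scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.747:942) : avc: denied { siginh } for pid=17640 comm=auth scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
"""

# Works for both the raw and the interpreted (-i) record layout: the
# permission set sits in braces, the contexts and class are key=value.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# ASSUMPTION: stands in for audit2allow's check of the loaded policy.  These
# are the process permissions the thread's audit2allow output flagged with
# "#!!!! This avc has a dontaudit rule in the current policy".
USUALLY_DONTAUDITED = {"process": {"noatsecure", "rlimitinh", "siginh"}}


def type_of(context):
    """system_u:system_r:dovecot_t:s0 -> dovecot_t (the third field)."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # "----" separators, time-> lines, non-AVC records
        yield (type_of(m["scontext"]), type_of(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def group_rules(records):
    """Merge records into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in records:
        rules[(stype, ttype, tclass)] |= perms
    return rules


def _perm_list(perms):
    ps = sorted(perms)
    return ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"


def render_te(rules, module="dovecot", version="1.0"):
    """Render a .te module in the layout `audit2allow -m` produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_list(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for stype in sorted({key[0] for key in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, ttype, tclass), perms in sorted(rules.items()):
            if s != stype:
                continue
            target = "self" if ttype == stype else ttype  # audit2allow's self: shorthand
            if perms & USUALLY_DONTAUDITED.get(tclass, set()):
                out.append("#!!!! This avc has a dontaudit rule in the current policy")
            out.append(f"allow {stype} {target}:{tclass} {_perm_list(perms)};")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_te(group_rules(parse_avcs(SAMPLE_AVCS))))
```

Read the `#!!!!` marker the same way here as in the thread: a denial the shipped policy already dontaudits only became visible because `semodule -DB` was run, so loading the generated module as a fix would grant permissions the policy deliberately silences. In the pasted records the only denial not covered by a dontaudit rule is the `dac_override` capability check in `dovecot_auth_t`, and the remedy that closed the bug was the policy update selinux-policy-3.14.1-42.fc28, not a local module.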