Bug 1765897

Summary: Dovecot not able to read filesystem quota
Product: [Fedora] Fedora
Reporter: Marek Greško <marek.gresko>
Component: selinux-policy-targeted
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 31
CC: dwalsh
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.4-40.fc31.noarch
Last Closed: 2019-11-17 01:12:54 UTC
Type: Bug

Description Marek Greško 2019-10-27 05:15:31 UTC
Description of problem:
SELinux is preventing dovecot from reading filesystem quota

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.3-46.fc30.noarch


How reproducible:


Steps to Reproduce:
1. enable quota plugin in dovecot:   quota = fs:User quota
2. start dovecot
3. access the maildir

Actual results:
AVC avc:  denied  { quotaget } for  pid=7538 comm="imap" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0

Expected results:
Dovecot is able to read filesystem quota.

Additional info:

Comment 1 Lukas Vrabec 2019-10-29 09:38:18 UTC
commit 2f6f911dab62b01aa1c417bc168b56d53510c8d3 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 29 10:28:45 2019 +0100

    Allow dovecot get filesystem quotas
    
    Allow processes labeled as dovecot_t domain to use quota plugin.
    
    Resolves: rhbz#1765897

Comment 2 Fedora Update System 2019-11-03 14:10:35 UTC
FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 3 Fedora Update System 2019-11-04 02:09:59 UTC
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 4 Marek Greško 2019-11-05 22:18:57 UTC
Unfortunately, in the meantime I upgraded to Fedora 31. I am no longer able to test F30 packages. The problem is present in Fedora 31.

Comment 5 Lukas Vrabec 2019-11-06 08:44:05 UTC
Marek, 

What is the output of:

# rpm -q selinux-policy 

Thanks,
Lukas.

Comment 6 Marek Greško 2019-11-06 19:13:35 UTC
selinux-policy-3.14.4-39.fc31.noarch

Comment 7 Lukas Vrabec 2019-11-07 12:24:01 UTC
Hi Marek, 

# sesearch -A -s dovecot_t -t fs_t -c filesystem 
allow dovecot_t filesystem_type:filesystem { getattr quotaget };

# rpm -q selinux-policy 
selinux-policy-3.14.4-40.fc31.noarch

It's fixed in the latest selinux-policy rpm package. You can install it from updates-testing before it is moved to the updates repository.

# dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2019-aec8f7ab50

Thanks,
Lukas.
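
The check in comment 7, as an added example that is not part of the bug report or of the selinux-policy project: it parses the AVC record from the description, builds the matching sesearch query, and reports which denied permissions a set of allow rules still leaves uncovered. The `ATTRS` map (fs_t carrying the filesystem_type attribute) and all function names are assumptions made for this example.

```python
import re
import shlex

# AVC record from the bug description and sesearch output from comment 7.
AVC = ('AVC avc:  denied  { quotaget } for  pid=7538 comm="imap" '
       'scontext=system_u:system_r:dovecot_t:s0 '
       'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0')
RULE = 'allow dovecot_t filesystem_type:filesystem { getattr quotaget };'
# Assumption: fs_t carries the filesystem_type attribute, which is why the
# rule above matches a query for -t fs_t (confirm with `seinfo -t fs_t -x`).
ATTRS = {'fs_t': {'filesystem_type'}}

def parse_avc(line):
    """Pull denied permissions, source type, target type and class from an AVC."""
    perms = re.search(r'denied\s+\{([^}]*)\}', line)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if not perms or not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        raise ValueError('not an AVC denial')
    # A context is user:role:type:level; the level may itself contain colons.
    return {'perms': set(perms.group(1).split()),
            'source': fields['scontext'].split(':')[2],
            'target': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass']}

def sesearch_cmd(avc):
    """Build the allow-rule query used in comment 7 for this denial."""
    args = ['sesearch', '-A', '-s', avc['source'], '-t', avc['target'],
            '-c', avc['tclass']]
    return ' '.join(shlex.quote(a) for a in args)

def parse_rule(line):
    """Split one sesearch 'allow' line into (source, target, class, perms)."""
    m = re.match(r'allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+?));',
                 line.strip())
    if not m:
        raise ValueError('not an allow rule')
    return m.group(1), m.group(2), m.group(3), set((m.group(4) or m.group(5)).split())

def missing_perms(avc, rules, attrs=ATTRS):
    """Return the denied permissions that none of the given allow rules grant."""
    missing = set(avc['perms'])
    for src, tgt, cls, perms in map(parse_rule, rules):
        src_ok = src == avc['source'] or src in attrs.get(avc['source'], ())
        tgt_ok = tgt == avc['target'] or tgt in attrs.get(avc['target'], ())
        if src_ok and tgt_ok and cls == avc['tclass']:
            missing -= perms
    return missing
```

An empty result from `missing_perms` means the installed policy already covers the denial; a non-empty one names the permissions still missing for that source, target and class.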

Comment 8 Marek Greško 2019-11-07 16:54:49 UTC
Hi,

I confirm that selinux-policy-3.14.4-40.fc31.noarch fixes the problem.

Thanks

Marek

Comment 9 Fedora Update System 2019-11-17 01:12:54 UTC
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.