Bug 2043599

Summary: postfix cannot use certs stored in dovecot certs directory
Product: Red Hat Enterprise Linux 8
Component: selinux-policy
Version: 8.5
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Renaud Métrich <rmetrich>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mmalik, pkoncity, ssekidde
Keywords: Triaged
Target Milestone: rc
Target Release: 8.6
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-92.el8
Doc Type: Bug Fix
Type: Bug
Last Closed: 2022-05-10 15:15:49 UTC

Description Renaud Métrich 2022-01-21 15:32:02 UTC
Description of problem:

When configuring smtpd to use certs stored in dovecot's certs directory, the following AVCs are seen:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(01/19/2022 17:27:01.181:7173515) : proctitle=smtpd -n smtps -t inet -u -o stress= -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o
type=SYSCALL msg=audit(01/19/2022 17:27:01.181:7173515) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x56000dcbef00 a2=O_RDONLY a3=0x0 items=0 ppid=1870242 pid=1914640 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(01/19/2022 17:27:01.181:7173515) : avc:  denied  { search } for  pid=1914640 comm=smtpd name=dovecot dev="dm-0" ino=67970523 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dovecot_cert_t:s0 tclass=dir permissive=0
...
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

audit2allow shows:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t dovecot_cert_t:dir search;
allow postfix_smtpd_t dovecot_cert_t:file getattr;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This happens because the postfix policy only has this:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
miscfiles_read_generic_certs(postfix_domain)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

which ends up reading cert_t stuff only.

I think it's harmless to allow postfix to read all kinds of certs, something like this:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
miscfiles_read_all_certs(postfix_domain)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-80.el8_5.2.noarch

How reproducible:

Always


Steps to Reproduce:
1. Configure postfix for TLS usage and store certs in dovecot dir

  /etc/postfix/main.cf:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  smtpd_tls_cert_file = /etc/pki/dovecot/certs/some.cert
  smtpd_tls_key_file = /etc/pki/dovecot/certs/some.key
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:

AVCs above.

Expected results:

No AVC


Additional info:

If allowing all certs is too much from a security perspective, then an attribute for "mailer certs" should be created instead.
For now dovecot_cert_t is registered through "miscfiles_cert_type(dovecot_cert_t)".

Comment 1 Zdenek Pytela 2022-01-21 17:02:31 UTC
We currently have these types of certificates:

# seinfo -xa cert_type

Type Attributes: 1
   attribute cert_type;
        cert_t
        dovecot_cert_t
        fwupd_cert_t
        home_cert_t (not in rhel8)
        ipa_cert_t (in ipa-selinux)
        pki_tomcat_cert_t
        slapd_cert_t

Comment 2 Patrik Koncity 2022-02-02 19:13:09 UTC
Hi Renaud, 

please can you reproduce the scenario again and attach the full AVC messages in permissive mode here?

Steps to enable full auditing and permissive SELinux mode:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Open the /etc/selinux/config file in an editor and change the line
SELINUX=enforcing
to
SELINUX=permissive
6) Re-run your scenario 
7) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Thank you,
Patrik

Comment 4 Zdenek Pytela 2022-02-11 16:52:51 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1068

Allowing access to dovecot_cert_t only; given the output in #c1, I don't think there is a reason to read other certificates.
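
The following is an added example, not part of the original bug report or of the selinux-policy project. It parses AVC records in the `ausearch -i` format quoted in the description, derives the same allow rules audit2allow reported, and lists which members of the cert_type attribute from comment 1 a blanket all-certs grant would expose without any denial asking for them. The second sample record and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the first record is the AVC quoted in the description; the second
# is constructed (serial, path and inode invented) to match the audit2allow output.
SAMPLE_AVCS = """\
type=AVC msg=audit(01/19/2022 17:27:01.181:7173515) : avc:  denied  { search } for  pid=1914640 comm=smtpd name=dovecot dev="dm-0" ino=67970523 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dovecot_cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(01/19/2022 17:27:01.181:7173516) : avc:  denied  { getattr } for  pid=1914640 comm=smtpd path=/etc/pki/dovecot/certs/some.cert dev="dm-0" ino=67970524 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dovecot_cert_t:s0 tclass=file permissive=0
"""

# Members of the cert_type attribute as listed in comment 1 (seinfo -xa cert_type).
CERT_TYPES = {"cert_t", "dovecot_cert_t", "fwupd_cert_t", "home_cert_t",
              "ipa_cert_t", "pki_tomcat_cert_t", "slapd_cert_t"}

# Pull the denied permissions, the type field of both contexts, and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\S+)")

def denied_rules(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return rules

def allow_lines(rules):
    """Render the grouped denials as allow rules, as audit2allow reports them."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

def extra_cert_types(rules, already_allowed=("cert_t",)):
    """cert_type members an all-certs grant would add that no denial requested.
    cert_t is excluded because the description says postfix can already read it."""
    needed = {tgt for (_, tgt, _) in rules}
    return sorted(CERT_TYPES - needed - set(already_allowed))

if __name__ == "__main__":
    r = denied_rules(SAMPLE_AVCS)
    print("\n".join(allow_lines(r)))
    print("added by an all-certs grant but never denied:", extra_cert_types(r))
```
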

Comment 5 Zdenek Pytela 2022-02-14 15:36:34 UTC
To backport:
commit 03e93e0ddd2b3c41138bd3cbc20ea7bd61f58502 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Fri Feb 11 17:48:59 2022 +0100

    Allow postfix_domain read dovecot certificates

Comment 14 errata-xmlrpc 2022-05-10 15:15:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995