Bug 2165863

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Dovecot SELinux policy incorrect or incomplete for /var/spool/dovecot/ | | |
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Colin.Simpson |
| Component: | selinux-policy | Assignee: | Nobody <nobody> |
| Status: | CLOSED ERRATA | QA Contact: | Amith <apeetham> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.1 | CC: | lvrabec, mmalik, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-38.1.15-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-11-07 08:52:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Deadline: | 2023-06-13 | | |
Description
Colin.Simpson
2023-01-31 09:48:38 UTC
Hi Colin, is this the only change in the config? What version of Dovecot is it? Can you reproduce the issue in permissive mode with full auditing enabled and attach AVC denials?

Do:

```
# setenforce 0
```

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists: `-a task,never`
3) Add the following line to the end of the file: `-w /etc/shadow -p w`
4) Restart the audit daemon: `# service auditd restart`
5) Re-run your scenario.
6) Collect AVC denials: `# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today`

Thank you,
Nikola

My dovecot is the latest shipped dovecot-2.3.16-7.el9.x86_64

The only really relevant setup change for this scenario is in 10-mail.conf:

```
mail_location = mbox:/var/spool/dovecot/%u/:INBOX=/var/mail/%u
namespace inbox {
  # Namespace type: private, shared or public
  type = private
```

Other than this it's just imap and ssl.

Other setup:

```
mkdir /var/spool/dovecot/
restorecon -F /var/spool/dovecot/
chmod 1777 /var/spool/dovecot
```

And the mailbox permission change that dovecot wants:

```
chgrp csimpson /var/spool/mail/csimpson
```

If you start dovecot now and connect via IMAP, then create a new folder, it all works. You seem to get an AVC denial when you try to move or copy an email from the mailbox into the new IMAP folder.

```
type=AVC msg=audit(1675504583.374:230): avc: denied { map } for pid=5833 comm="imap" path="/var/spool/dovecot/csimpson/.imap/INBOX/dovecot.index.cache" dev="dm-0" ino=50556101 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_spool_t:s0 tclass=file permissive=1
```

```
cat /var/log/audit/audit.log | audit2allow

#============= dovecot_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow dovecot_t dovecot_spool_t:file map;
```

Thank you

PR: https://github.com/fedora-selinux/selinux-policy/pull/1592

As discussed today, the requested permissions seem to be legitimate given the current status:

```
rhel93# sesearch -A -s dovecot_deliver_t -t dovecot_spool_t -c file
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow mailserver_delivery dovecot_spool_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };

rhel93# sesearch -A -s dovecot_deliver_t -t dovecot_spool_t -c dir
allow mailserver_delivery dovecot_spool_t:dir { add_name getattr ioctl lock open read remove_name search write };
```

Amith, can you add the permissions and test again in SELinux enforcing?

```
rhel93# cat local_dovecot.cil
(allow dovecot_deliver_t dovecot_spool_t (file (map)))
(allow dovecot_deliver_t dovecot_spool_t (dir (create)))
rhel93# semodule -i local_dovecot.cil
```

(In reply to Zdenek Pytela from comment #12)
> As discussed today, the requested permission seem to be legitimate given the
> current status:
>
> rhel93# sesearch -A -s dovecot_deliver_t -t dovecot_spool_t -c file
> allow domain file_type:file map; [ domain_can_mmap_files ]:True
> allow mailserver_delivery dovecot_spool_t:file { append create getattr ioctl
> link lock open read rename setattr unlink watch watch_reads write };
>
> rhel93# sesearch -A -s dovecot_deliver_t -t dovecot_spool_t -c dir
> allow mailserver_delivery dovecot_spool_t:dir { add_name getattr ioctl lock
> open read remove_name search write };
>
> Amith, can you add the permissions and test again in SELinux enforcing?
>
> rhel93# cat local_dovecot.cil
> (allow dovecot_deliver_t dovecot_spool_t (file (map)))
> (allow dovecot_deliver_t dovecot_spool_t (dir (create)))
> rhel93# semodule -i local_dovecot.cil

I added the rules and got a clean GREEN run without any AVC.

Here is the test OUTPUT:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Dovecot SELinux policy incorrect for /var/spool/dovecot/ bz2165863
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:02:40 ] :: [ INFO ] :: using '/var/tmp/beakerlib-21524003/backup' as backup destination
:: [ 07:02:40 ] :: [ INFO ] :: using '/var/tmp/beakerlib-21524003/backup' as backup destination
:: [ 07:02:40 ] :: [ INFO ] :: using '/var/tmp/beakerlib-21524003/backup' as backup destination
:: [ 07:02:40 ] :: [ PASS ] :: Command 'restorecon -Rv ~/Maildir' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'useradd -m test_user' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'echo RedHat | passwd --stdin test_user' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'sed -i '/home_mailbox/d' /etc/postfix/main.cf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'echo 'home_mailbox = Maildir/' >> /etc/postfix/main.cf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'sed -i '/mailbox_command/d' /etc/postfix/main.cf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'echo mailbox_command = /usr/libexec/dovecot/dovecot-lda -f \"\$SENDER\" -a \"\$RECIPIENT\" >> /etc/postfix/main.cf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'sed -i "s/^.*postmaster_address.*$/postmaster_address = root/" /etc/dovecot/conf.d/15-lda.conf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'cat > ~/.fetchmailrc <<EOF EOF' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'chmod 700 ~/.fetchmailrc' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'sed -i '/protocols/d' /etc/dovecot/dovecot.conf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'echo 'protocols = imap pop3' >> /etc/dovecot/dovecot.conf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'sed -i '/mail_location/d' /etc/dovecot/conf.d/10-mail.conf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'echo 'mail_location = mbox:/var/spool/dovecot/%u/:INBOX=/var/mail/%u' >> /etc/dovecot/conf.d/10-mail.conf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'mkdir /var/spool/dovecot/' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'restorecon -F /var/spool/dovecot/' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'chmod 1777 /var/spool/dovecot' (Expected 0, got 0)
:: [ 07:02:40 ] :: [ PASS ] :: Command 'chgrp test_user /var/spool/mail/test_user' (Expected 0, got 0)
:: [ 07:02:42 ] :: [ PASS ] :: Command 'service postfix restart' (Expected 0, got 0)
:: [ 07:02:42 ] :: [ PASS ] :: Command 'service dovecot restart' (Expected 0, got 0)
:: [ 07:02:42 ] :: [ PASS ] :: Command 'dovecot -n' (Expected 0, got 0)
:: [ 07:02:42 ] :: [ PASS ] :: Command 'sendmail test_user@localhost <<EOF Check the test mail EOF' (Expected 0, got 0)
:: [ 07:02:44 ] :: [ PASS ] :: Command 'cat > ~/.fetchmailrc <<EOF poll localhost protocol imap: username "test_user" password "RedHat"; EOF' (Expected 0, got 0)
:: [ 07:02:45 ] :: [ PASS ] :: Command 'fetchmail --nosslcertck' (Expected 0, got 0)
:: [ 07:02:45 ] :: [ PASS ] :: Command 'ausearch -m AVC -m USER_AVC --start 07:02:40' (Expected 1, got 1)
:: [ 07:02:45 ] :: [ PASS ] :: Result of matchpathcon /var/spool/dovecot/ should contain dovecot_spool_t (Assert: expected 0, got 0)
:: [ 07:02:46 ] :: [ PASS ] :: Result of matchpathcon /var/spool/dovecot/test_user should contain dovecot_spool_t (Assert: expected 0, got 0)
:: [ 07:02:46 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow dovecot_t dovecot_spool_t : file { map }'
:: [ 07:02:48 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0')
:: [ 07:02:48 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow dovecot_deliver_t dovecot_spool_t : file { map }'
:: [ 07:02:50 ] :: [ PASS ] :: check permission 'map' is present (Assert: '0' should equal '0')
:: [ 07:02:50 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow dovecot_deliver_t dovecot_spool_t : dir { create }'
:: [ 07:02:52 ] :: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0')
:: [ 07:02:53 ] :: [ PASS ] :: Command 'userdel -rf test_user' (Expected 0, got 0)
:: [ 07:02:54 ] :: [ PASS ] :: Command 'service dovecot stop' (Expected 0, got 0)
:: [ 07:02:54 ] :: [ PASS ] :: Command 'rm -rf /var/spool/dovecot' (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 14s
:: Assertions: 33 good, 0 bad
:: RESULT: PASS (Dovecot SELinux policy incorrect for /var/spool/dovecot/ bz2165863)
```

Commit to backport:

```
7a77beac6 (HEAD -> rawhide, upstream/rawhide) Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617
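The thread above turns AVC denial records into CIL allow rules by hand (the `audit2allow` run in the reporter's comment and the `local_dovecot.cil` module in comment #12). The following script is an added example, not code from the bug, the selinux-policy project or any Red Hat tool: it parses the one-line AVC record format shown above, aggregates the denied permissions per (source type, target type, object class), emits the same `(allow ...)` CIL form as `local_dovecot.cil`, and flags permissions that an existing boolean could grant instead. The helper names (`parse_avc`, `denials_to_cil`, `boolean_hints`) are my own; the first sample record is the one from this bug, the others are constructed stand-ins; and the `BOOLEAN_HINTS` table contains only the one boolean the page itself names (`domain_can_mmap_files`), so it is not a substitute for `audit2allow`, which also resolves type attributes such as `mailserver_delivery`.

```python
import re
from collections import defaultdict

# Sample input: one AVC record per line, in the format written to
# /var/log/audit/audit.log and printed by `ausearch -m avc`. The first record is
# the denial reported in this bug; the next two are CONSTRUCTED stand-ins for the
# dovecot_deliver_t denials that local_dovecot.cil in comment #12 was written for;
# the last is a constructed non-AVC record that the parser must skip.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1675504583.374:230): avc: denied { map } for pid=5833 '
    'comm="imap" path="/var/spool/dovecot/csimpson/.imap/INBOX/dovecot.index.cache" '
    'dev="dm-0" ino=50556101 scontext=system_u:system_r:dovecot_t:s0 '
    'tcontext=system_u:object_r:dovecot_spool_t:s0 tclass=file permissive=1',
    # constructed
    'type=AVC msg=audit(1675504600.100:231): avc:  denied  { create } for  pid=5900 '
    'comm="dovecot-lda" name="test_user" scontext=system_u:system_r:dovecot_deliver_t:s0 '
    'tcontext=system_u:object_r:dovecot_spool_t:s0 tclass=dir permissive=1',
    # constructed
    'type=AVC msg=audit(1675504600.200:232): avc:  denied  { map } for  pid=5900 '
    'comm="dovecot-lda" path="/var/spool/dovecot/test_user/.imap/INBOX/dovecot.index.cache" '
    'scontext=system_u:system_r:dovecot_deliver_t:s0 '
    'tcontext=system_u:object_r:dovecot_spool_t:s0 tclass=file permissive=1',
    # constructed non-AVC record
    'type=SYSCALL msg=audit(1675504583.374:230): arch=c000003e syscall=9 success=yes',
]

# Fields of an AVC record: the permission set in braces, then the source and
# target security contexts and the object class. `\s+` tolerates the double
# spaces the kernel prints around "denied".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

# (class, permission) pairs that a stock policy boolean can grant instead of a
# custom rule. Only the pair audit2allow pointed at in this bug is listed (assumption:
# a real tool would carry the full table).
BOOLEAN_HINTS = {('file', 'map'): 'domain_can_mmap_files'}


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type:level)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into (source_type, target_type, tclass, perms), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m.group('scontext')),
            context_type(m.group('tcontext')),
            m.group('tclass'),
            frozenset(m.group('perms').split()))


def denials_to_cil(lines):
    """Merge denials per (source, target, class) and emit sorted CIL allow rules."""
    wanted = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            wanted[(src, tgt, cls)] |= perms
    return [f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
            for (src, tgt, cls), perms in sorted(wanted.items())]


def boolean_hints(lines):
    """Return the booleans that would cover some denied (class, permission) pairs."""
    hints = set()
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            _, _, cls, perms = parsed
            hints.update(BOOLEAN_HINTS[(cls, p)] for p in perms if (cls, p) in BOOLEAN_HINTS)
    return sorted(hints)


if __name__ == '__main__':
    # Writes the same kind of module as comment #12's local_dovecot.cil; it would be
    # loaded with `semodule -i local_dovecot.cil` as shown in the thread.
    print('\n'.join(denials_to_cil(SAMPLE_AVCS)))
    for name in boolean_hints(SAMPLE_AVCS):
        print(f"; some of the above could be covered by the boolean '{name}'")
```

Feed it real records with `ausearch -m avc -ts today | python3 avc2cil.py`-style piping (assumed file name) after adding a `sys.stdin` reader; before loading the result in enforcing mode, compare each emitted rule against `sesearch -A` as comment #12 does, since a denial in permissive mode with full auditing may already be covered by an attribute rule or by a boolean rather than needing a new local module.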