Bug 2231077

Summary: avc found in saslauthd when running cyrus-imapd tests
Product: [Fedora] Fedora
Reporter: František Hrdina <fhrdina>
Component: cyrus-sasl
Assignee: Jakub Jelen <jjelen>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 39
CC: anon.amish, crypto-team, fhrdina, jjelen, ssorce
Hardware: Unspecified
OS: Linux

Description František Hrdina 2023-08-10 13:34:14 UTC
AVC found on fedora-rawhide when running these cyrus-imapd tests

/CoreOS/cyrus-imapd/Security/CVE-2011-3481-cyrus-imapd-NULL-pointer-dereference-via-crafted
/CoreOS/cyrus-imapd/Regression/imapd-never-close-the-connect-to-the-client-upon
/CoreOS/cyrus-imapd/Sanity/basic

https://beaker.engineering.redhat.com/recipes/14401711#tasks

Package cyrus-sasl-plain-2.1.28-11.fc39.x86_64 is already installed.
Package cyrus-imapd-3.6.0-9.fc39.x86_64 is already installed.
Package cyrus-sasl-2.1.28-11.fc39.x86_64 is already installed.
Package net-tools-2.0-0.67.20160912git.fc39.x86_64 is already installed.
Package expect-5.45.4-20.fc39.x86_64 is already installed.



Reproducible: Always

Steps to Reproduce:
Running tests
/CoreOS/cyrus-imapd/Security/CVE-2011-3481-cyrus-imapd-NULL-pointer-dereference-via-crafted
/CoreOS/cyrus-imapd/Regression/imapd-never-close-the-connect-to-the-client-upon
/CoreOS/cyrus-imapd/Sanity/basic
Actual Results:  
tests fail with AVC

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.24-1.fc39.noarch
----
time->Thu Aug 10 08:38:55 2023
type=AVC msg=audit(1691671135.966:375): avc:  denied  { dac_read_search } for  pid=18853 comm="saslauthd" capability=2  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability permissive=0
----
time->Thu Aug 10 08:38:55 2023
type=AVC msg=audit(1691671135.966:376): avc:  denied  { dac_override } for  pid=18853 comm="saslauthd" capability=1  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability permissive=0
----
time->Thu Aug 10 08:38:56 2023
type=AVC msg=audit(1691671136.020:377): avc:  denied  { dac_read_search } for  pid=18853 comm="saslauthd" capability=2  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability permissive=0
----
time->Thu Aug 10 08:38:56 2023
type=AVC msg=audit(1691671136.020:378): avc:  denied  { dac_override } for  pid=18853 comm="saslauthd" capability=1  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability permissive=0
----
time->Thu Aug 10 08:38:56 2023
type=AVC msg=audit(1691671136.124:380): avc:  denied  { dac_read_search } for  pid=18853 comm="saslauthd" capability=2  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability permissive=0
----
time->Thu Aug 10 08:38:56 2023
type=AVC msg=audit(1691671136.124:381): avc:  denied  { dac_override } for  pid=18853 comm="saslauthd" capability=1  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability permissive=0

Expected Results:  
tests PASSED without AVC
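
Added example, not part of the original report or of any Fedora tooling: a small Python triage helper that parses AVC records in the format quoted above and collapses repeats into unique denials, so a run of records like these reduces to the distinct permissions involved. The sample input is constructed (modelled on the records above, with made-up serial numbers and a made-up SYSCALL line), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the records in the report (serial numbers are
# made up); the separator, time-> and SYSCALL lines are there to be skipped.
_CTX = "system_u:system_r:saslauthd_t:s0"
_AVC = ('type=AVC msg=audit(1691671135.966:{n}): avc:  denied  {{ {perm} }} for  '
        'pid=18853 comm="saslauthd" capability={cap}  scontext=' + _CTX +
        ' tcontext=' + _CTX + ' tclass=capability permissive=0')
SAMPLE = "\n".join([
    "----", "time->Thu Aug 10 08:38:55 2023",
    _AVC.format(n=1, perm="dac_read_search", cap=2),
    _AVC.format(n=2, perm="dac_override", cap=1),
    "type=SYSCALL msg=audit(1691671135.966:2): arch=c000003e syscall=257 success=no",
    "----", "time->Thu Aug 10 08:38:56 2023",
    _AVC.format(n=3, perm="dac_read_search", cap=2),
    _AVC.format(n=4, perm="dac_override", cap=1),
])

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+(?P<result>denied|granted)'
                    r'\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the record's fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    rec["result"] = m.group("result")
    rec["perms"] = tuple(m.group("perms").split())
    return rec

def summarize(text):
    """Count denials per (comm, source type, target, class, permission, blocked)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        stype = rec["scontext"].split(":")[2]   # user:role:type:level -> type
        ttype = rec["tcontext"].split(":")[2]
        target = "self" if rec["scontext"] == rec["tcontext"] else ttype
        blocked = rec.get("permissive") == "0"  # permissive=0: the access was actually denied
        for perm in rec["perms"]:
            counts[(rec["comm"], stype, target, rec["tclass"], perm, blocked)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```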

Comment 1 Fedora Release Engineering 2023-08-16 08:14:12 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.