Bug 249119

Summary: dovecot pop3s triggers SELinux
Product: Red Hat Enterprise Linux 5
Reporter: Ronald Cole <ronald>
Component: dovecot
Assignee: Tomas Janousek <tjanouse>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Version: 5.0
Hardware: i386
OS: Linux
Fixed In Version: selinux-policy-2.4.6-52.el5
Doc Type: Bug Fix
Last Closed: 2007-08-04 15:17:59 UTC

Description Ronald Cole 2007-07-20 23:45:58 UTC
Description of problem:
I configured dovecot to only do pop3s as indicated in the RHEL5 documentation. 
Connecting to the server results in five separate entries in
/var/log/audit/audit.log with SELinux in Permissive mode.

Version-Release number of selected component (if applicable):
dovecot-1.0-1.2.rc15.el5

How reproducible:
Every time!

Steps to Reproduce:
1.  Make the following change to /etc/dovecot.conf:
--- dovecot.conf~       2007-03-14 06:07:19.000000000 -0700
+++ dovecot.conf        2007-07-11 19:55:35.000000000 -0700
@@ -15,6 +15,7 @@
 # Protocols we want to be serving: imap imaps pop3 pop3s
 # If you only want to use dovecot-auth, you can set this to "none".
 #protocols = imap imaps pop3 pop3s
+protocols = pop3s

 # IP or host address where to listen in for connections. It's not currently
 # possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
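Review bot: the comment two lines above the new setting still reads "Protocols we want to be serving: imap imaps pop3 pop3s", which no longer describes this host once `protocols = pop3s` is the only active line; update that comment (or add one beside the new line) to say that plaintext pop3 and both imap variants are disabled on purpose, so a later edit does not "restore" them. Leaving the original `#protocols = imap imaps pop3 pop3s` commented out as a record of the default is fine.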
@@ -202,6 +203,8 @@
 # http://wiki.dovecot.org/MailLocation
 #
 #mail_location =
+#mail_location = mbox:/var/empty:INBOX=/var/mail/%u:INDEX=MEMORY
+mail_location = mbox:/dev/null/:INBOX=/var/mail/%u:INDEX=MEMORY

 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections:
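Review bot: `mbox:/dev/null/` as the mbox root directory is a questionable choice: /dev/null is a character device, not a directory, so anything that tries to list or create folders under the root (anything other than the INBOX given by `INBOX=/var/mail/%u`) cannot open it as a directory (ENOTDIR) and will log an error rather than simply find no folders. The commented-out `mbox:/var/empty:INBOX=/var/mail/%u:INDEX=MEMORY` alternative left in the same hunk is the more conventional "no folders here" placeholder; keep one of the two lines and drop the other so the intended configuration is unambiguous.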

2. start dovecot
3. access via pop3s
  
Actual results:
The following entries in /var/log/audit/audit.log, for each connection:
type=AVC msg=audit(1184971654.231:29872): avc:  denied  { create } for 
pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.231:29872): arch=40000003 syscall=102
success=yes exit=4 a0=1 a1=bfb48ef4 a2=49db1ff4 a3=bfb49171 items=0 ppid=11333
pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100
tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3"
subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29873): avc:  denied  { bind } for  pid=12010
comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29873): arch=40000003 syscall=102
success=yes exit=0 a0=2 a1=bfb48ef4 a2=49db1ff4 a3=4 items=0 ppid=11333
pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100
tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3"
subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29874): avc:  denied  { getattr } for 
pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29874): arch=40000003 syscall=102
success=yes exit=0 a0=6 a1=bfb48ef4 a2=49db1ff4 a3=4 items=0 ppid=11333
pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100
tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3"
subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29875): avc:  denied  { write } for  pid=12010
comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1184971654.232:29875): avc:  denied  { nlmsg_read } for 
pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29875): arch=40000003 syscall=102
success=yes exit=20 a0=b a1=bfb47e34 a2=49db1ff4 a3=ffffffcc items=0 ppid=11333
pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100
tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3"
subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29876): avc:  denied  { read } for  pid=12010
comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29876): arch=40000003 syscall=102
success=yes exit=128 a0=11 a1=bfb47e34 a2=49db1ff4 a3=ffffffcc items=0
ppid=11333 pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100
sgid=100 fsgid=100 tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3"
subj=root:system_r:dovecot_t:s0 key=(null)


Expected results:
pop3s access to dovecot to not cause problems with SELinux.

Additional info:

Comment 1 Tomas Janousek 2007-07-24 13:42:39 UTC
This was fixed in selinux-policy-2.4.6-52.el5 and will be fixed in the version
which will come with the RHEL 5.1 update.

Comment 2 Ronald Cole 2007-07-26 20:44:11 UTC
Where do I find selinux-policy-2.4.6-52.el5?  I'd like to test that it fixes my
problem BEFORE the 5.1 update.

Comment 3 Tomas Janousek 2007-07-27 09:59:49 UTC
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 4 Ronald Cole 2007-07-29 02:40:21 UTC
Well, I used the -76 flavors in that directory and, indeed, it fixed the problem.

Comment 5 Tomas Janousek 2007-08-04 15:17:59 UTC
Ok, closing. Thanks for your feedback.
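The report above shows the raw AVC records, and comment 2 asks how to verify a fix before the updated selinux-policy ships. The usual stopgap is a local policy module that allows exactly the denied permissions, which is what audit2allow produces. The following is an added example, not code from the bug report, from dovecot or from the selinux-policy package: it re-joins the wrapped records as pasted above, extracts the source type, target type, object class and permissions from each AVC record, collapses them into one rule per (type, target, class) and renders an audit2allow-style `.te` module. The module name `dovecot_netlink_local` is an assumption chosen for the example; the sample records are the ones from the report.

```python
"""Aggregate SELinux AVC denials into an audit2allow-style local policy module.

Added example; not part of the bug report, dovecot or selinux-policy. The
sample below is the report's own AVC/SYSCALL records, kept with the reporter's
line wrapping so the parser has to re-join records before matching them.
"""
import re
from collections import defaultdict

# Taken from the report (pid 12010, comm "pop3"); one SYSCALL record is kept to
# show that non-AVC record types are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1184971654.231:29872): avc:  denied  { create } for
pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.231:29872): arch=40000003 syscall=102
success=yes exit=4 a0=1 a1=bfb48ef4 a2=49db1ff4 a3=bfb49171 items=0 ppid=11333
pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100
tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3"
subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29873): avc:  denied  { bind } for  pid=12010
comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1184971654.232:29874): avc:  denied  { getattr } for
pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1184971654.232:29875): avc:  denied  { write } for  pid=12010
comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1184971654.232:29875): avc:  denied  { nlmsg_read } for
pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1184971654.232:29876): avc:  denied  { read } for  pid=12010
comm="pop3" scontext=root:system_r:dovecot_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def join_records(text):
    """A record starts at 'type=' and runs until the next 'type=' line; re-join
    lines that were wrapped when the log was pasted into a report."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("type=") and current:
            records.append(" ".join(current))
            current = []
        current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return records


def context_type(ctx):
    """'root:system_r:dovecot_t:s0' -> 'dovecot_t' (the type field of a context)."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return one dict per AVC 'denied' record; SYSCALL and other types are skipped."""
    denials = []
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        pid_m = re.search(r"\bpid=(\d+)", rec)
        comm_m = re.search(r'comm="([^"]*)"', rec)
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "pid": int(pid_m.group(1)) if pid_m else None,
            "comm": comm_m.group(1) if comm_m else None,
        })
    return denials


def aggregate(denials):
    """Collapse to {(source type, target, class): sorted perms}; when source and
    target type are the same the rule targets 'self', as audit2allow emits it."""
    agg = defaultdict(set)
    for d in denials:
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        agg[(d["stype"], target, d["tclass"])] |= d["perms"]
    return {k: sorted(v) for k, v in agg.items()}


def render_te(module, agg, version="1.0"):
    """Render a policy module in the same shape as 'audit2allow -M' output."""
    types = sorted({k[0] for k in agg} | {k[1] for k in agg if k[1] != "self"})
    classes = defaultdict(set)
    for (_, _, tclass), perms in agg.items():
        classes[tclass].update(perms)
    out = ["module %s %s;" % (module, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, target, tclass), perms in sorted(agg.items()):
        out.append("allow %s %s:%s { %s };" % (stype, target, tclass, " ".join(perms)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te("dovecot_netlink_local", aggregate(parse_denials(SAMPLE_AUDIT_LOG))))
```

Save the output as `dovecot_netlink_local.te` and build and load it with `checkmodule -M -m -o dovecot_netlink_local.mod dovecot_netlink_local.te`, `semodule_package -o dovecot_netlink_local.pp -m dovecot_netlink_local.mod` and `semodule -i dovecot_netlink_local.pp`. The rule grants only the six permissions actually denied on `netlink_route_socket` for `dovecot_t` itself, which is a far smaller change than running permissive; once the fixed selinux-policy named in comment 1 is installed, remove the local module (`semodule -r dovecot_netlink_local`) so it does not mask future policy changes.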