Bug 414891

Summary: postfix cannot use dovecot's deliver LDA because of selinux
Product: Red Hat Enterprise Linux 5
Reporter: Max Kanat-Alexander <mkanat>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: 5.1
CC: dwalsh, kwirth
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2008-05-21 16:06:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 424091
Attachments:
  My local.te (flags: none)
  Complete Audit Messages (flags: none)

Description Max Kanat-Alexander 2007-12-06 21:49:49 UTC
This bug is identical to bug 413841, but applies to RHEL5.

Comment 1 Max Kanat-Alexander 2007-12-06 22:46:59 UTC
Here are the audit messages I get, in particular, on RHEL5:

type=AVC msg=audit(1196975865.063:103435): avc:  denied  { create } for 
pid=13559 comm="deliver" scontext=user_u:system_r:dovecot_deliver_t:s0
tcontext=user_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket


type=AVC msg=audit(1196976790.677:103459): avc:  denied  { getattr } for 
pid=14241 comm="deliver" path="/tmp" dev=sda3 ino=48955393
scontext=user_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir

And after those are handled, I get:

type=AVC msg=audit(1196980271.577:79): avc:  denied  { connect } for  pid=4121
comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket

Comment 2 Max Kanat-Alexander 2007-12-06 22:48:58 UTC
And also:

type=AVC msg=audit(1196981326.569:87): avc:  denied  { write } for  pid=4480
comm="deliver" name="log" dev=tmpfs ino=6268
scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file


Comment 3 Max Kanat-Alexander 2007-12-06 22:53:33 UTC
And a few more:


type=AVC msg=audit(1196981431.525:90): avc:  denied  { sendto } for  pid=4530
comm="deliver" path="/dev/log" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket

type=AVC msg=audit(1196981498.470:94): avc:  denied  { write } for  pid=4561
comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket

Some of these extra ones allow deliver to write to syslog.

Comment 4 Daniel Walsh 2007-12-07 01:32:45 UTC
If you create a policy module with

policy_module(mydovecot, 1.0)

# Types declared elsewhere in the base policy must be pulled in with gen_require
# (the macro is gen_require, and the type name carries the _t suffix).
gen_require(`
	type dovecot_deliver_t;
')

# create/connect/write on deliver's own unix datagram socket
# (covers the first, third and last denials in comments 1-3)
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
# write to the /dev/log sock_file (devlog_t) and sendto syslogd_t
logging_send_syslog_msg(dovecot_deliver_t)


Compile and install it, does it solve your problem?

Comment 5 Max Kanat-Alexander 2007-12-07 05:18:26 UTC
(In reply to comment #4)
> If you create a policy module with
> 
> policy_module(mydovecot, 1.0)

  I get a syntax error on that. (And I'm not familiar enough with the .te syntax
to know why.)



Comment 6 Max Kanat-Alexander 2007-12-07 05:28:13 UTC
Created attachment 280631 [details]
My local.te

FWIW, this is the local.te that audit2allow generated for me based on the audit
messages I pasted here in this bug.
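The attached local.te is what audit2allow produces from the denials in comments 1 to 3. As an added example, not code from this bug, from audit2allow or from Dovecot, the script below does the same two steps (parse the AVC records, merge permissions per source type, target type and object class, then render a loadable module in the plain module language that checkmodule accepts) and adds the check a policy reviewer wants before installing the result: any rule whose target is tmp_t is flagged instead of silently allowed, which is the point Dan makes in comment 10. The sample input is the six AVC lines from this bug, each joined back onto one line as audit.log stores them; the REVIEW_TYPES set and the function names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in comments 1-3 of this bug,
# each joined back onto a single line as /var/log/audit/audit.log stores them.
SAMPLE_AVCS = """\
type=AVC msg=audit(1196975865.063:103435): avc:  denied  { create } for  pid=13559 comm="deliver" scontext=user_u:system_r:dovecot_deliver_t:s0 tcontext=user_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1196976790.677:103459): avc:  denied  { getattr } for  pid=14241 comm="deliver" path="/tmp" dev=sda3 ino=48955393 scontext=user_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1196980271.577:79): avc:  denied  { connect } for  pid=4121 comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1196981326.569:87): avc:  denied  { write } for  pid=4480 comm="deliver" name="log" dev=tmpfs ino=6268 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1196981431.525:90): avc:  denied  { sendto } for  pid=4530 comm="deliver" path="/dev/log" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1196981498.470:94): avc:  denied  { write } for  pid=4561 comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket
"""

# The fields of a denial record we need: the permission set, both contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types that must not get a blanket allow without a human decision (this example's
# choice): tmp_t is user-writable /tmp, which comment 10 says a system service should not use.
REVIEW_TYPES = {"tmp_t"}


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Return a list of (source_type, target_type, tclass, perms) for each AVC denial line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        denials.append((type_of(m["scontext"]), type_of(m["tcontext"]),
                        m["tclass"], frozenset(m["perms"].split())))
    return denials


def aggregate(denials):
    """Merge permissions per (source, target, class) so each triple becomes one allow rule."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in denials:
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def flag_for_review(rules):
    """Return the rule keys whose target type needs a policy decision rather than an allow."""
    return sorted(key for key in rules if key[1] in REVIEW_TYPES)


def fmt_perms(perms):
    """Single permission bare, several in braces, always sorted for stable output."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name="local", version="1.0"):
    """Render a loadable-module .te: every type and class used must appear in the require block."""
    types, class_perms = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        class_perms[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(class_perms[c])};" for c in sorted(class_perms)]
    lines += ["}", ""]
    for src, tgt, cls in sorted(rules):
        target = "self" if src == tgt else tgt  # a domain acting on its own objects is 'self'
        lines.append(f"allow {src} {target}:{cls} {fmt_perms(rules[(src, tgt, cls)])};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = aggregate(parse_denials(SAMPLE_AVCS))
    for key in flag_for_review(rules):
        print(f"# REVIEW before installing: {key}")
    print(render_module(rules), end="")
```

The rendered file is in the format that `checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod` and `semodule -i local.pp` build and load. The socket and syslog rules it emits are the raw form of what comment 4 writes with `create_socket_perms` and the `logging_send_syslog_msg` interface; the interface form is the better one to ship, since it tracks whatever types the syslog policy uses. The tmp_t rule is printed as a review item rather than allowed, and comment 9 notes that larger messages produce further denials on /tmp, so a getattr on the directory would not be the end of it anyway.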

Comment 7 Daniel Walsh 2007-12-10 23:00:10 UTC
Fixed in selinux-policy-2.4.6-107.el5

Comment 8 RHEL Program Management 2007-12-10 23:04:37 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 9 Max Kanat-Alexander 2007-12-11 19:19:05 UTC
Created attachment 284491 [details]
Complete Audit Messages

So, for messages below 256K, dovecot's deliver holds them only in memory, and
you just get the audit messages above.

However, for messages above 256K, it writes them to /tmp. Thus there are more
audit messages generated. I was getting lots of delivery failures locally and
wasn't sure why until I found these audit messages.

Comment 10 Daniel Walsh 2007-12-13 20:34:49 UTC
This is really a bug in dovecot, then, since no system service should write
to /tmp.  /tmp can be written to by users, so it should only be written
to by users.  Dovecot should write to /var/run for any temporary storage.

I will fix selinux policy to allow this in RHEL5 but this should be fixed in
future versions of dovecot.

Fixed in selinux-policy-2.4.6-107.el5

Comment 11 Max Kanat-Alexander 2007-12-13 20:42:37 UTC
(In reply to comment #10)
> This is really a bug in dovecot, then, since no system service should write
> to /tmp.  /tmp can be written to by users, so it should only be written
> to by users.  Dovecot should write to /var/run for any temporary storage.

  Hrm, or maybe /var/spool/ would be more appropriate. That's what the other
mail services do.

Comment 16 Daniel Walsh 2008-03-29 11:23:54 UTC
Fixed in selinux-policy-2.4.6-127

Comment 24 errata-xmlrpc 2008-05-21 16:06:16 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html