Bug 424091

Summary:	postfix cannot use dovecot's deliver LDA because of selinux
Product:	[Fedora] Fedora	Reporter:	Daniel Walsh <dwalsh>
Component:	dovecot	Assignee:	Dan Horák <dan>
Status:	CLOSED NEXTRELEASE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	low	Docs Contact:
Priority:	low
Version:	9	CC:	dwalsh
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2008-06-04 16:28:46 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	414891
Bug Blocks:

Description Daniel Walsh 2007-12-13 20:35:39 UTC

+++ This bug was initially created as a clone of Bug #414891 +++

This bug is identical to bug 413841, but applies to RHEL5.

-- Additional comment from mkanat on 2007-12-06 17:46 EST --
Here are the audit messages I get, in particular, on RHEL5:

type=AVC msg=audit(1196975865.063:103435): avc:  denied  { create } for 
pid=13559 comm="deliver" scontext=user_u:system_r:dovecot_deliver_t:s0
tcontext=user_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket


type=AVC msg=audit(1196976790.677:103459): avc:  denied  { getattr } for 
pid=14241 comm="deliver" path="/tmp" dev=sda3 ino=48955393
scontext=user_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir

And after those are handled, I get:

type=AVC msg=audit(1196980271.577:79): avc:  denied  { connect } for  pid=4121
comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket

-- Additional comment from mkanat on 2007-12-06 17:48 EST --
And also:

type=AVC msg=audit(1196981326.569:87): avc:  denied  { write } for  pid=4480
comm="deliver" name="log" dev=tmpfs ino=6268
scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file


-- Additional comment from mkanat on 2007-12-06 17:53 EST --
And a few more:


type=AVC msg=audit(1196981431.525:90): avc:  denied  { sendto } for  pid=4530
comm="deliver" path="/dev/log" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket

type=AVC msg=audit(1196981498.470:94): avc:  denied  { write } for  pid=4561
comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket

Some of these extra ones allow deliver to write to syslog.

-- Additional comment from dwalsh on 2007-12-06 20:32 EST --
If you create a policy module with

policy_module(mydovecot, 1.0)
gen_requires(`
                 type dovecot_deliver;
')

allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
logging_send_syslog_msg(dovecot_deliver_t)


Compile and install it, does it solve your problem?

-- Additional comment from mkanat on 2007-12-07 00:18 EST --
(In reply to comment #4)
> If you create a policy module with
> 
> policy_module(mydovecot, 1.0)

  I get a syntax error on that. (And I'm not familiar enough with the .te syntax
to know why.)



-- Additional comment from mkanat on 2007-12-07 00:28 EST --
Created an attachment (id=280631)
My local.te

FWIW, this is the local.te that audit2allow generated for me based on the audit
messages I pasted here in this bug.

-- Additional comment from dwalsh on 2007-12-10 18:00 EST --
Fixed in selinux-policy-2.4.6-107.el5

-- Additional comment from pm-rhel on 2007-12-10 18:04 EST --
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

-- Additional comment from mkanat on 2007-12-11 14:19 EST --
Created an attachment (id=284491)
Complete Audit Messages

So, for messages below 256K, dovecot's deliver holds them only in memory, and
you just get the audit messages above.

However, for messages above 256K, it writes them to /tmp. Thus there are more
audit messages generated. I was getting lots of delivery failures locally and
wasn't sure why until I found these audit messages.

-- Additional comment from dwalsh on 2007-12-13 15:34 EST --
Then this is really a bug in dovecot then, since no system service should write
to /tmp.  /tmp can be written to by users so therefore it should only be written
to by users.  Dovecot should write to /var/run for any temporary storage.

I will fix selinux policy to allow this in RHEL5 but this should be fixed in
future versions of dovecot.

Fixed in selinux-policy-2.4.6-107.el5

Comment 1 Dan Horák 2008-05-07 06:44:54 UTC

Dan, the fix for dovecot is really simple, but could you give me a pointer to
some documentation for the statement "no system service should write into /tmp"?
So I can send the patch upstream together with an explanation.

Comment 2 Bug Zapper 2008-05-14 04:11:56 UTC

Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Dan Horák 2008-05-29 10:45:18 UTC

info about using /tmp are at http://danwalsh.livejournal.com/11467.html

Comment 4 Dan Horák 2008-06-04 09:59:16 UTC

I have taken this issue upstream and the answer is at
http://www.dovecot.org/list/dovecot/2008-May/031080.html The deliver utility is
a standalone program that gets called from MTA like postfix to provide local
delivery into mailboxes that can take advantage from dovecot's file formats. So
it is run from the MTA under its uid or even under the uids of individual local
users and that could excuse the usage of /tmp. I think that from this point of
view it is correct to use the RHEL approach also in Fedora - add
dovecot_deliver_* types, etc.

Comment 5 Daniel Walsh 2008-06-04 15:24:38 UTC

dovecot deliver types exist.