Bug 467647

Summary: SELinux is preventing dovecot-auth (dovecot_auth_t) "accept" dovecot_t, and SELinux is preventing dovecot-auth (dovecot_auth_t) "connectto" dovecot_t.
Product: Fedora
Reporter: Matěj Cepl <mcepl>
Component: dovecot
Assignee: Dan Horák <dan>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: dan, dwalsh, mcepl, mhlavink
Keywords: SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-10-20 13:18:10 UTC

Description Matěj Cepl 2008-10-19 23:38:36 UTC
Created attachment 320829
/var/log/audit/audit.log

Summary:

SELinux is preventing dovecot-auth (dovecot_auth_t) "accept" dovecot_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
allowed because of permissive mode.]

SELinux denied access requested by dovecot-auth. It is not expected that this
access is required by dovecot-auth and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:dovecot_auth_t
Target Context                system_u:system_r:dovecot_t
Target Objects                /var/run/dovecot/login/default [
                              unix_stream_socket ]
Source                        dovecot-auth
Source Path                   /usr/libexec/dovecot/dovecot-auth
Port                          <Unknown>
Host                          viklef
Source RPM Packages           dovecot-1.1.3-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     viklef
Platform                      Linux viklef 2.6.27.2-23.rc1.fc10.i686 #1 SMP Fri
                              Oct 17 00:07:31 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Mon 20 October 2008, 00:38:20 CEST
Last Seen                     Mon 20 October 2008, 01:31:15 CEST
Local ID                      0e55084f-e6a3-4a53-b2b9-b2371372ed43
Line Numbers                  

Raw Audit Messages            

node=viklef type=AVC msg=audit(1224459075.103:715): avc:  denied  { accept } for  pid=2363 comm="dovecot-auth" path="/var/run/dovecot/login/default" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket

node=viklef type=SYSCALL msg=audit(1224459075.103:715): arch=40000003 syscall=102 success=yes exit=9 a0=5 a1=bfc8b700 a2=0 a3=0 items=0 ppid=2359 pid=2363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=system_u:system_r:dovecot_auth_t:s0 key=(null)


and 


Summary:

SELinux is preventing dovecot-auth (dovecot_auth_t) "connectto" dovecot_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
allowed because of permissive mode.]

SELinux denied access requested by dovecot-auth. It is not expected that this
access is required by dovecot-auth and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:dovecot_auth_t
Target Context                system_u:system_r:dovecot_t
Target Objects                /var/run/dovecot/auth-worker.2363 [
                              unix_stream_socket ]
Source                        dovecot-auth
Source Path                   /usr/libexec/dovecot/dovecot-auth
Port                          <Unknown>
Host                          viklef
Source RPM Packages           dovecot-1.1.3-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     viklef
Platform                      Linux viklef 2.6.27.2-23.rc1.fc10.i686 #1 SMP Fri
                              Oct 17 00:07:31 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Mon 20 October 2008, 00:38:19 CEST
Last Seen                     Mon 20 October 2008, 01:31:14 CEST
Local ID                      2762a0dc-b94b-494f-a210-029830e28423
Line Numbers                  

Raw Audit Messages            

node=viklef type=AVC msg=audit(1224459074.722:710): avc:  denied  { connectto } for  pid=2363 comm="dovecot-auth" path="/var/run/dovecot/auth-worker.2363" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket

node=viklef type=SYSCALL msg=audit(1224459074.722:710): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfc8b520 a2=bfc8b53a a3=98b9908 items=0 ppid=2359 pid=2363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=system_u:system_r:dovecot_auth_t:s0 key=(null)

Comment 1 Dan Horák 2008-10-20 09:46:19 UTC
There was a change in the policy (dovecot.te) between 3.5.12 and 3.5.13

3.5.12-3
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl connectto };

3.5.13-1
allow dovecot_auth_t dovecot_t:unix_stream_socket rw_socket_perms;

After creating a "local" module from 
------
module local 1.0;

require {
        type dovecot_auth_t;
        type dovecot_t;
        class unix_stream_socket { accept connectto };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t dovecot_t:unix_stream_socket { accept connectto };
------

dovecot can work again.

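The local module in comment 1 is what audit2allow produces from the two AVC records in the description: the permissions dropped when the rule was narrowed to rw_socket_perms (accept and connectto) are granted back to dovecot_auth_t on dovecot_t unix_stream_socket objects, and nothing else. As an added example, not code from the bug report or from the dovecot or selinux-policy projects, the script below is a minimal audit2allow-style generator in POSIX shell and awk: it reads AVC "denied" records, unions the denied permissions per (source type, target type, class) tuple, and prints a Type Enforcement module of the same shape as Dan's, followed by the standard checkmodule/semodule_package build step. The function names avc_to_te and build_module and the module name local are my own choices; the sample AVC lines are the two from the report, embedded inline so the generator runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report or from the dovecot / selinux-policy
# projects): a minimal audit2allow-style generator. It reads AVC "denied"
# records from stdin and prints a Type Enforcement (.te) module that allows
# exactly the denied (source type, target type, class, permission) tuples.

# Constructed sample input: the two AVC records from the report, one per line.
SAMPLE_AVCS='node=viklef type=AVC msg=audit(1224459075.103:715): avc:  denied  { accept } for  pid=2363 comm="dovecot-auth" path="/var/run/dovecot/login/default" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket
node=viklef type=AVC msg=audit(1224459074.722:710): avc:  denied  { connectto } for  pid=2363 comm="dovecot-auth" path="/var/run/dovecot/auth-worker.2363" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket'

# avc_to_te MODULE_NAME  (AVC records on stdin, .te source on stdout)
avc_to_te() {
    awk -v mod="$1" '
    /type=AVC/ && /denied/ {
        # the permissions are the first brace group, e.g. "{ accept }"
        if (!match($0, /\{[^}]*\}/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        stype = ""; ttype = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # the third colon-separated field of a security context is the type
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        if (stype == "" || ttype == "" || cls == "") next
        # remember first-seen order so the output is deterministic
        if (!(stype in types)) { types[stype] = 1; typeorder[nt++] = stype }
        if (!(ttype in types)) { types[ttype] = 1; typeorder[nt++] = ttype }
        if (!(cls in clsperms)) { clsperms[cls] = ""; clsorder[nc++] = cls }
        key = stype SUBSEP ttype SUBSEP cls
        if (!(key in rules)) { rules[key] = ""; keyorder[nk++] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            # union of permissions per allow rule and per class, no duplicates
            if (index(" " rules[key] " ", " " p[j] " ") == 0) rules[key] = rules[key] " " p[j]
            if (index(" " clsperms[cls] " ", " " p[j] " ") == 0) clsperms[cls] = clsperms[cls] " " p[j]
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 0; i < nt; i++) printf "\ttype %s;\n", typeorder[i]
        for (i = 0; i < nc; i++) printf "\tclass %s {%s };\n", clsorder[i], clsperms[clsorder[i]]
        printf "}\n\n"
        for (i = 0; i < nk; i++) {
            split(keyorder[i], k, SUBSEP)
            printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], rules[keyorder[i]]
        }
    }'
}

# build_module MODULE_NAME: compile MODULE_NAME.te into a loadable .pp with the
# standard SELinux userland tools; fails cleanly when they are not installed.
build_module() {
    mod="$1"
    command -v checkmodule >/dev/null 2>&1 || {
        echo "checkmodule not found; install checkpolicy and policycoreutils" >&2
        return 1
    }
    checkmodule -M -m -o "$mod.mod" "$mod.te" &&
    semodule_package -o "$mod.pp" -m "$mod.mod" &&
    echo "built $mod.pp; load as root with: semodule -i $mod.pp"
}

# Stand-alone run: print the module for the two denials from the report.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_te local
```

A module generated this way is only as narrow as the denials fed into it, which is the point: for these two records it grants accept and connectto on dovecot_t unix_stream_socket objects to dovecot_auth_t and nothing more, and it can be dropped again with semodule -r local once the fixed selinux-policy package from comment 2 is installed. Read the generated .te before loading it; the generator turns any denial into an allow rule, including one caused by a misbehaving or compromised process, so each rule should be checked against what the daemon is actually expected to do.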
Comment 2 Daniel Walsh 2008-10-20 13:18:10 UTC
Fixed in selinux-policy-3.5.13-2.fc10.noarch