Bug 559487

Summary: SELinux is preventing /usr/sbin/dovecot "create" access on dovecot.conf.
Product: [Fedora] Fedora
Reporter: Michal Schmidt <mschmidt>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 12
CC: dwalsh, mgrepl
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:e1fc0b0dfde2c7e289e5c763863434b6f6c9483007b7384318bf593abc894137
Fixed In Version: 3.6.32-84.fc12
Doc Type: Bug Fix
Last Closed: 2010-02-11 14:41:02 UTC

Description Michal Schmidt 2010-01-28 09:59:50 UTC
Since an update from dovecot-1.2.9 to dovecot-1.2.10 I'm getting this denial on start of the daemon. Dovecot wants to create a symlink in /var/run/dovecot since this upstream change:
http://hg.dovecot.org/dovecot-1.2/rev/142c935e44d6


Souhrn:

SELinux is preventing /usr/sbin/dovecot "create" access on dovecot.conf.

Podrobný popis:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by dovecot. It is not expected that this access
is required by dovecot and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Další informace:

Kontext zdroje                unconfined_u:system_r:dovecot_t:s0
Kontext cíle                 unconfined_u:object_r:dovecot_var_run_t:s0
Objekty cíle                 dovecot.conf [ lnk_file ]
Zdroj                         dovecot
Cesta zdroje                  /usr/sbin/dovecot
Port                          <Neznámé>
Počítač                    (removed)
RPM balíčky zdroje          dovecot-1.2.10-1.fc12
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.32-73.fc12
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim            Permissive
Název zásuvného modulu     catchall
Název počítače            (removed)
Platforma                     Linux (removed) 2.6.32.6-36.fc12.x86_64 #1 SMP Mon Jan
                              25 22:41:54 UTC 2010 x86_64 x86_64
Počet upozornění           2
Poprvé viděno               Čt 28. leden 2010, 10:42:25 CET
Naposledy viděno             Čt 28. leden 2010, 10:43:34 CET
Místní ID                   2fab3752-3d51-4dfe-afe7-708469612ccb
Čísla řádků              

Původní zprávy auditu      

node=(removed) type=AVC msg=audit(1264671814.489:24034): avc:  denied  { create } for  pid=6455 comm="dovecot" name="dovecot.conf" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:dovecot_var_run_t:s0 tclass=lnk_file

node=(removed) type=SYSCALL msg=audit(1264671814.489:24034): arch=c000003e syscall=88 success=yes exit=0 a0=423c55 a1=6eb1a0 a2=2 a3=7fffc3ea6660 items=0 ppid=1 pid=6455 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-73.fc12,catchall,dovecot,dovecot_t,dovecot_var_run_t,lnk_file,create
audit2allow suggests:

#============= dovecot_t ==============
allow dovecot_t dovecot_var_run_t:lnk_file create;

Comment 1 Michal Schmidt 2010-01-28 10:14:46 UTC
Note that on shutdown dovecot will also require the "unlink" permission to remove the symlink.
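
To show how the AVC record in the description maps to the suggested rule, and how the "unlink" denial mentioned in Comment 1 would fold into the same rule, here is an added example (not part of the original report, and not audit2allow's own code). The second AVC line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First AVC line is taken from this report. The second (unlink) is CONSTRUCTED
# to model the shutdown denial described in Comment 1; its timestamp is made up.
SAMPLE_AUDIT = '''\
node=(removed) type=AVC msg=audit(1264671814.489:24034): avc:  denied  { create } for  pid=6455 comm="dovecot" name="dovecot.conf" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:dovecot_var_run_t:s0 tclass=lnk_file
type=AVC msg=audit(1264671900.000:24050): avc:  denied  { unlink } for  pid=6455 comm="dovecot" name="dovecot.conf" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:dovecot_var_run_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1264671814.489:24034): arch=c000003e syscall=88 success=yes exit=0 comm="dovecot"
'''

# Permission set, source context, target context and object class of a denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not a full SELinux context: %r' % context)
    return parts[2]

def denials_to_rules(audit_text):
    """Merge AVC denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        grouped[key].update(m['perms'].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_text))
    return rules

if __name__ == '__main__':
    for rule in denials_to_rules(SAMPLE_AUDIT):
        print(rule)
```

Only the type field of each context ends up in the rule; the user, role and level parts of `scontext` and `tcontext` are not part of a type-enforcement allow rule.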

Comment 2 Miroslav Grepl 2010-01-28 12:11:53 UTC
Fixed in selinux-policy-3.6.32-78.fc12

selinux-policy-3.6.32-78.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-78.fc12

Comment 3 Fedora Update System 2010-02-03 23:19:01 UTC
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12

Comment 4 Fedora Update System 2010-02-05 01:43:30 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492

Comment 5 Fedora Update System 2010-02-11 14:36:13 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.