Bug 590224
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | dovecot won't start "Can't create directory /var/run/dovecot/empty: Permission denied" | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Michal Schmidt <mschmidt> |
| Component | dovecot | Assignee | Michal Hlavinka <mhlavink> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Milos Malik <mmalik> |
| Severity | high | Docs Contact | |
| Priority | low | | |
| Version | 6.0 | CC | azelinka, mmalik, ovasik, paul |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | dovecot-2.0-0.3.beta5.20100515.el6 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2010-07-02 19:00:25 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description by Michal Schmidt, 2010-05-08 07:59:53 UTC
(Sorry, I submitted the form too soon by mistake.)

Description of problem:
dovecot refuses to start:

    # LANG=C /etc/init.d/dovecot start
    Starting Dovecot Imap: Fatal: Can't create directory /var/run/dovecot/empty: Permission denied
    [FAILED]

Version-Release number of selected component (if applicable):
dovecot-2.0-0.1.beta4.20100506.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. try to start dovecot

Actual results:
the above error message

Expected results:
dovecot should start

Additional info:
Ah, it seems to be an SELinux policy issue. It starts fine in permissive mode. This is the AVC denial:

    type=SYSCALL msg=audit(1273305532.640:34): arch=c000003e syscall=83 success=yes exit=0 a0=84b478 a1=1ed a2=ffffffffffffffa8 a3=7fff34affdb0 items=0 ppid=9742 pid=9743 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
    type=AVC msg=audit(1273305532.640:34): avc: denied { create } for pid=9743 comm="dovecot" name="empty" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:dovecot_var_run_t:s0 tclass=dir

    selinux-policy-targeted-3.7.19-12.el6.noarch
    selinux-policy-3.7.19-12.el6.noarch
    kernel-2.6.32-24.el6.x86_64

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.
On my machine I see this:

    # service dovecot start
    # ausearch -m avc -ts recent
    ----
    time->Mon May 10 10:47:11 2010
    type=SYSCALL msg=audit(1273481231.363:39): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff46280 a2=5998b8 a3=bff462ae items=0 ppid=5275 pid=5276 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
    type=AVC msg=audit(1273481231.363:39): avc: denied { write } for pid=5276 comm="dovecot" name="dovecot.conf" dev=sda3 ino=168664 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
    ----
    time->Mon May 10 10:47:11 2010
    type=SYSCALL msg=audit(1273481231.410:40): arch=40000003 syscall=39 success=no exit=-13 a0=8651308 a1=1ed a2=1868b8 a3=b7831a28 items=0 ppid=5275 pid=5276 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
    type=AVC msg=audit(1273481231.410:40): avc: denied { create } for pid=5276 comm="dovecot" name="empty" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:dovecot_var_run_t:s0 tclass=dir
    ----
    # rpm -qa selinux-policy\*
    selinux-policy-minimum-3.7.19-12.el6.noarch
    selinux-policy-3.7.19-12.el6.noarch
    selinux-policy-targeted-3.7.19-12.el6.noarch
    selinux-policy-mls-3.7.19-12.el6.noarch
    selinux-policy-doc-3.7.19-12.el6.noarch

It seems that dovecot wants to write its config file into the /etc/dovecot directory instead of /etc (as described in the dovecot.conf man page):

    # find /etc -inum 168664
    /etc/dovecot/dovecot.conf

I don't think dovecot should ever be allowed to rewrite its config. Why is it doing this?

The other AVC is fixed in selinux-policy-3.7.19-15.fc13.noarch

(In reply to comment #7)
> I don't think dovecot should ever be allowed to rewrite its config. Why is it
> doing this?

Well, I can't see anything like this...

AFAIK the only thing is that dovecot is (re)creating dovecot.conf (a symlink) under /var/run/dovecot/. Also, after restarting and using dovecot I get this denial, but ctime/mtime is not changed; only the symlink is created.

Well, it seems it uses a socket on dovecot.conf. I don't know more details now, I'll look at it.

That SELinux denial is really caused by connecting to a file socket (some feature), and if it fails (for the default case it always fails, because dovecot.conf is a regular file and not a socket) it opens it as a regular file. Using a socket on a regular file causes connect to fail, which does not have any negative side effect (other than making SELinux produce a denial message). Anyway, I've asked upstream about it and they added a stat precheck whether the file is a socket or a regular file, so SELinux can be happy.

dovecot only needs to create /var/run/dovecot/empty because it's not included in the dovecot package as an empty directory. I think a better fix for this problem is to include:

    %dir /var/run/dovecot/empty/

in the %files list for dovecot itself.

Red Hat Enterprise Linux Beta 2 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
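The two denials in this report make a good illustration of why AVC records should be triaged rather than piped straight into audit2allow: the `create` on a `dovecot_var_run_t` directory is a legitimate need (or goes away entirely if the package ships the directory), while the `write` on `dovecot_etc_t` looked like a daemon rewriting its own configuration and turned out to be a failed connect() on a regular file that dovecot could avoid with a stat precheck. The script below is an added example, not part of the bug report or of the dovecot or selinux-policy packages. It parses the two AVC lines quoted above (embedded here as constructed input), prints the type-enforcement rule each one would require, and flags writes to a `*_etc_t` type for investigation. The `*_etc_t` heuristic in `triage` is an assumption of this example, not a rule from the SELinux reference policy.

```shell
#!/bin/bash
# Added example, not code from the bug report or from the dovecot/selinux-policy
# packages. It turns raw AVC records into the (source type, target type, class,
# permission) tuples a policy change needs, shows the allow rule each one would
# require, and flags the ones that should be investigated instead of allowed.

# Constructed input: the two AVC records quoted in the report, one per line.
AVC_SAMPLE='type=AVC msg=audit(1273481231.363:39): avc: denied { write } for pid=5276 comm="dovecot" name="dovecot.conf" dev=sda3 ino=168664 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=AVC msg=audit(1273481231.410:40): avc: denied { create } for pid=5276 comm="dovecot" name="empty" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:dovecot_var_run_t:s0 tclass=dir'

# summarize_avc: read audit records on stdin and print one line per distinct
# denial as "<source type> <target type> <class> <perm[,perm...]>".
# Only the type (third component) of each context is kept, because that is
# what an allow rule refers to; duplicates collapse to a single line.
summarize_avc() {
    awk '
    /type=AVC/ && /avc: *denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # permissions sit between "{" and "}" as separate fields
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "") ? $j : (perm "," $j)
            }
            if (split($i, kv, "=") == 2) {
                if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
                else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                else if (kv[1] == "tclass")   cls = kv[2]
            }
        }
        if (src != "" && tgt != "" && cls != "" && perm != "") {
            key = src " " tgt " " cls " " perm
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    }'
}

# allow_rule: render one summary line as the type-enforcement rule that
# audit2allow would generate for it.
allow_rule() {
    set -- $1   # src tgt cls perms; word splitting is intentional
    printf 'allow %s %s:%s { %s };\n' "$1" "$2" "$3" "$(printf '%s' "$4" | tr ',' ' ')"
}

# triage: decide whether a denial is a reasonable candidate for an allow rule.
# Heuristic (an assumption of this example, not a policy rule): a confined
# daemon modifying its own *_etc_t configuration type needs investigation
# first. In this bug that denial came from connect() on a regular file, not
# from a real need to write dovecot.conf, so allowing it would have been wrong.
triage() {
    set -- $1
    case "$2:$4" in
        *_etc_t:*write*|*_etc_t:*create*|*_etc_t:*append*|*_etc_t:*unlink*|*_etc_t:*rename*)
            echo REVIEW ;;
        *)
            echo ALLOW_CANDIDATE ;;
    esac
}

# report: triage every distinct denial in the sample and show its rule.
report() {
    printf '%s\n' "$AVC_SAMPLE" | summarize_avc | while IFS= read -r line; do
        printf '%-16s %s\n' "$(triage "$line")" "$(allow_rule "$line")"
    done
}

report
```

On the sample this prints one `REVIEW` line for `allow dovecot_t dovecot_etc_t:file { write };` and one `ALLOW_CANDIDATE` line for `allow dovecot_t dovecot_var_run_t:dir { create };`. In production you would feed it `ausearch -m avc -ts recent` instead of the embedded sample. The candidate rule is what a policy update grants; packaging `%dir /var/run/dovecot/empty/`, as suggested in the comments, is the tighter fix because the daemon then never needs `create` on `dovecot_var_run_t` at all.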