Bug 620213

Summary: SELinux blocks dovecot
Product: [Fedora] Fedora
Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: rawhide
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-08-03 19:19:34 UTC
Bug Blocks: 538278

Description Nicolas Mailhot 2010-08-01 15:11:00 UTC
# /etc/init.d/dovecot start
Démarrage de Dovecot Imap :                                [ÉCHOUÉ]

Aug  1 17:06:01 arekh kernel: type=1400 audit(1280675161.972:18): avc:  denied  { search } for  pid=2440 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  1 17:06:01 arekh kernel: type=1400 audit(1280675161.972:19): avc:  denied  { search } for  pid=2440 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  1 17:06:01 arekh kernel: type=1400 audit(1280675161.972:20): avc:  denied  { search } for  pid=2440 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir


# setenforce permissive
# /etc/init.d/dovecot start
Démarrage de Dovecot Imap : doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:21: protocols=imaps is no longer supported. to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:99: ssl_cert_file has been replaced by ssl_cert = <file
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:100: ssl_key_file has been replaced by ssl_key = <file
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:112: ssl_ca_file has been replaced by ssl_ca = <file
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:703: protocol managesieve {} has been replaced by protocol sieve { }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:869: add auth_ prefix to all settings inside auth {} and remove the auth {} section completely
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:907: passdb pam {} has been replaced by passdb { driver=pam }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1019: userdb passwd {} has been replaced by userdb { driver=passwd }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1081: auth_user has been replaced by service auth { user }
                                                           [  OK  ]

Aug  1 17:06:11 arekh dbus: avc:  received setenforce notice (enforcing=0)
Aug  1 17:06:11 arekh dbus: avc:  received setenforce notice (enforcing=0)
Aug  1 17:06:11 arekh kernel: type=1404 audit(1280675171.910:21): enforcing=0 old_enforcing=1 auid=500 ses=1
Aug  1 17:06:14 arekh kernel: type=1400 audit(1280675174.357:22): avc:  denied  { search } for  pid=2447 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir

BTW sealert didn't trigger so it's likely broken too

libselinux-2.0.96-3.fc14.x86_64
selinux-policy-targeted-3.8.8-8.fc14.noarch
libselinux-python-2.0.96-3.fc14.x86_64
selinux-policy-3.8.8-8.fc14.noarch
libselinux-utils-2.0.96-3.fc14.x86_64
dovecot-2.0-0.19.rc3.fc14.x86_64
setroubleshoot-server-2.2.91-2.fc14.x86_64
setroubleshoot-2.2.91-2.fc14.x86_64
setroubleshoot-plugins-2.1.55-1.fc14.noarch

Comment 1 Daniel Walsh 2010-08-03 18:46:51 UTC
Please test this in a directory other than /etc/dovecot or use the service script

cd / 
/etc/init.d/dovecot start

or 


service dovecot start

Comment 2 Nicolas Mailhot 2010-08-03 19:04:52 UTC
(In reply to comment #1)
> Please test this in a directory other than /etc/dovecot

This was already the case

> or use the service
> script
> 
> cd / 
> /etc/init.d/dovecot start
> 
> or 
> 
> 
> service dovecot start    

# export LANG=C
# cd /
# /etc/init.d/dovecot start
Starting Dovecot Imap:                                     [FAILED]
# service dovecot start    
Démarrage de Dovecot Imap :                                [ÉCHOUÉ]

Aug  3 21:01:55 arekh dbus: avc:  received setenforce notice (enforcing=1)
Aug  3 21:01:56 arekh dbus: [system] Reloaded configuration
Aug  3 21:02:04 arekh kernel: type=1400 audit(1280862124.759:41): avc:  denied  { search } for  pid=29575 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:04 arekh kernel: type=1400 audit(1280862124.759:42): avc:  denied  { search } for  pid=29575 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:04 arekh kernel: type=1400 audit(1280862124.759:43): avc:  denied  { search } for  pid=29575 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:41 arekh kernel: type=1400 audit(1280862161.456:44): avc:  denied  { search } for  pid=29595 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:41 arekh kernel: type=1400 audit(1280862161.457:45): avc:  denied  { search } for  pid=29595 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:41 arekh kernel: type=1400 audit(1280862161.457:46): avc:  denied  { search } for  pid=29595 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:50 arekh kernel: type=1400 audit(1280862170.688:47): avc:  denied  { search } for  pid=29606 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:50 arekh kernel: type=1400 audit(1280862170.688:48): avc:  denied  { search } for  pid=29606 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:50 arekh kernel: type=1400 audit(1280862170.688:49): avc:  denied  { search } for  pid=29606 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir

Comment 3 Daniel Walsh 2010-08-03 19:19:34 UTC
Fixed in selinux-policy-3.8.8-9.fc14
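
The kernel log lines quoted in this report can be grouped by source type, target type, class and permission, together with the enforcing state in effect when each denial was logged. The following Python is an added example, not part of the bug report or of any Fedora tool; the function names and the assumption that the log starts in enforcing mode are illustrative, and the sample lines are copied from the report's kernel log.

```python
import re
from collections import Counter

# Four lines taken from the kernel log quoted in the report above.
SAMPLE = """\
Aug  1 17:06:01 arekh kernel: type=1400 audit(1280675161.972:18): avc:  denied  { search } for  pid=2440 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  1 17:06:01 arekh kernel: type=1400 audit(1280675161.972:19): avc:  denied  { search } for  pid=2440 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  1 17:06:11 arekh kernel: type=1404 audit(1280675171.910:21): enforcing=0 old_enforcing=1 auid=500 ses=1
Aug  1 17:06:14 arekh kernel: type=1400 audit(1280675174.357:22): avc:  denied  { search } for  pid=2447 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
"""

# type=1400 is an AVC record; type=1404 records a change of enforcing mode.
AVC_RE = re.compile(
    r"type=1400 audit\([\d.]+:\d+\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)
MODE_RE = re.compile(r"type=1404 audit\([^)]*\): enforcing=(?P<enf>[01])")


def summarize(log_text, enforcing=True):
    """Count denials per (source type, target type, class, perm, mode).

    `enforcing` is the assumed mode before the first type=1404 record.
    """
    counts = Counter()
    for line in log_text.splitlines():
        mode_change = MODE_RE.search(line)
        if mode_change:
            enforcing = mode_change.group("enf") == "1"
            continue
        avc = AVC_RE.search(line)
        if not avc:
            continue  # not an AVC denial (e.g. the dbus notices)
        # A context is user:role:type:level; the type is the third field.
        src = avc.group("scon").split(":")[2]
        tgt = avc.group("tcon").split(":")[2]
        mode = "enforcing" if enforcing else "permissive"
        for perm in avc.group("perms").split():
            counts[(src, tgt, avc.group("tclass"), perm, mode)] += 1
    return counts


def te_rules(counts):
    """Render each distinct denial in type-enforcement allow-rule syntax."""
    return sorted({f"allow {s} {t}:{c} {p};" for s, t, c, p, _ in counts})


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
    print(te_rules(summarize(SAMPLE)))
```

A denial counted under `permissive` was logged but not enforced, which matches the report: the service started only after `setenforce permissive`.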