Bug 656518

Summary: SELinux policy denies dovecot's bind to TCP LMTP port.
Product: Fedora
Component: selinux-policy-targeted
Version: 14
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: low
Priority: low
Reporter: AJ Zmudosky <ajz>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
CC: dwalsh
Doc Type: Bug Fix
Fixed In Version: selinux-policy-3.9.7-14.fc14
Last Closed: 2010-12-05 00:37:36 UTC

Description AJ Zmudosky 2010-11-23 22:25:56 UTC
Description of problem:
If Dovecot is configured to use LMTP, and use the inet_listener along with/instead of the unix socket, Dovecot will not start because it cannot bind to the LMTP port (24).

Version-Release number of selected component (if applicable):
dovecot.x86_64                  1:2.0.6-1.fc14
selinux-policy-targeted.noarch  3.9.7-12.fc14

How reproducible:
Enable the inet_listener for the lmtp service in dovecot, and attempt to start dovecot.

Steps to Reproduce:
1. Ensure SELinux is enforcing.
2. Include lmtp in the protocols list in /etc/dovecot/dovecot.conf
3. Uncomment the "service lmtp" section's inet_listener and port declaration in /etc/dovecot/conf.d/10-master.conf
4. Attempt to start the dovecot service.
  
Actual results:

# service dovecot start
Starting Dovecot Imap:                                     [FAILED]

Dovecot Log:
imap dovecot: master: Error: bind(0.0.0.0, 24) failed: Permission denied
imap dovecot: master: Error: service(lmtp): listen(0.0.0.0, 24) failed: Permission denied
imap dovecot: master: Fatal: Failed to start listeners

Auditd Log:
type=AVC msg=audit(1290538328.313:50): avc:  denied  { name_bind } for  pid=1704 comm="dovecot" src=24 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1290538328.313:50): arch=c000003e syscall=49 success=no exit=-13 a0=f a1=7fff258f8120 a2=10 a3=7fff258f811c items=0 ppid=1703 pid=1704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)


Expected results:

Dovecot should start and it should be listening on TCP port 24, along with any other configured services.

Additional info:

While this can be worked around with a local policy, since the inet_listener is a commented-out part of the default configuration, it seems to be a common enough configuration to be included, or perhaps a boolean setting should be added for it.

The SELinux Reference Policy doesn't include this permission (http://oss.tresys.com/projects/refpolicy/browser/policy/modules/services/dovecot.te).

audit2allow generates the following for the AVC denied entry:

require {
        type dovecot_t;
}

#============= dovecot_t ==============
corenet_tcp_bind_lmtp_port(dovecot_t)

Comment 1 Daniel Walsh 2010-11-24 13:56:40 UTC
Looks reasonable to me.

Comment 2 AJ Zmudosky 2010-11-25 03:55:00 UTC
A related issue, though I can open another bug for it:

Dovecot's Pigeonhole ManageSieve plugin (from the dovecot-pigeonhole package) stops dovecot from starting up, because it lacks permission to bind to the "sieve_port_t". Auditd log entry:

type=AVC msg=audit(1290656845.390:273): avc:  denied  { name_bind } for  pid=2669 comm="dovecot" src=4190 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:sieve_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1290656845.390:273): arch=c000003e syscall=49 success=no exit=-13 a0=d a1=7fff4f542200 a2=10 a3=7fff4f541f50 items=0 ppid=2668 pid=2669 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=38 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
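
The two denials on this bug, the lmtp_port_t one in the description and the sieve_port_t one above, have the same shape: a name_bind denial on tcp_socket from dovecot_t against some *_port_t type, paired with a SYSCALL record for bind that failed with EACCES. When raw audit records are shipped to a log pipeline rather than queried locally with ausearch or audit2allow, that pairing and field extraction has to be done by hand. As an added example, not code from this report or from the selinux-policy project, the following Python parser joins each AVC record with its SYSCALL record by the shared audit(timestamp:serial) key, pulls out the source and target types, and for port name_bind denials derives the corenet interface that audit2allow printed in the description. The corenet_tcp_bind_NAME_port / corenet_udp_bind_NAME_port naming is the refpolicy convention; extending it to UDP is an assumption beyond the TCP case the bug shows, and the syscall table covers only the x86_64 socket calls. The sample input is the bug's own two audit excerpts embedded as constructed test data.

```python
"""Parse raw SELinux AVC denials and pair them with their SYSCALL records.

Added example for this bug, not code from the report or the selinux-policy
project. The sample below is the bug's own two audit excerpts (lmtp_port_t
and sieve_port_t), embedded here as constructed test input.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1290538328.313:50): avc:  denied  { name_bind } for  pid=1704 comm="dovecot" src=24 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1290538328.313:50): arch=c000003e syscall=49 success=no exit=-13 a0=f a1=7fff258f8120 a2=10 a3=7fff258f811c items=0 ppid=1703 pid=1704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1290656845.390:273): avc:  denied  { name_bind } for  pid=2669 comm="dovecot" src=4190 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:sieve_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1290656845.390:273): arch=c000003e syscall=49 success=no exit=-13 a0=d a1=7fff4f542200 a2=10 a3=7fff4f541f50 items=0 ppid=2668 pid=2669 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=38 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
"""

# Every audit record starts with: type=<TYPE> msg=audit(<seconds>.<ms>:<serial>):
HEADER_RE = re.compile(r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
# AVC records carry the decision and the permission set in braces.
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# All other fields are key=value, with quoted or bare values.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# x86_64 (arch=c000003e) socket syscalls only; a deliberately small table (assumption).
X86_64_SYSCALLS = {41: "socket", 42: "connect", 49: "bind", 50: "listen"}


def parse_record(line):
    """Split one raw audit line into header fields plus a key=value dict."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "timestamp": float(m.group("ts")),
           "serial": int(m.group("serial")), "fields": {}}
    for key, quoted, bare in KV_RE.findall(line):
        if key in ("type", "msg"):  # already consumed by the header regex
            continue
        rec["fields"][key] = quoted if quoted else bare
    if rec["type"] == "AVC":
        a = AVC_RE.search(line)
        if a:
            rec["decision"] = a.group("decision")
            rec["perms"] = a.group("perms").split()
    return rec


def context_type(ctx):
    """Return the type component of a user:role:type[:range] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def suggest_interface(source_type, target_type, tclass, perms):
    """Map a port name_bind denial to the refpolicy corenet interface that
    would allow it, e.g. lmtp_port_t -> corenet_tcp_bind_lmtp_port(dovecot_t).
    Returns None for denials that are not a port bind."""
    if "name_bind" not in perms or not target_type.endswith("_port_t"):
        return None
    proto = {"tcp_socket": "tcp", "udp_socket": "udp"}.get(tclass)
    if proto is None:
        return None
    port_name = target_type[: -len("_port_t")]
    return f"corenet_{proto}_bind_{port_name}_port({source_type})"


def summarize_denials(log_text):
    """Group records by audit event, then emit one summary per AVC denial."""
    events = defaultdict(dict)  # (timestamp, serial) -> {"AVC": [...], "SYSCALL": rec}
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if rec is None:
            continue
        key = (rec["timestamp"], rec["serial"])  # serials restart on reboot, so key on both
        if rec["type"] == "AVC":
            events[key].setdefault("AVC", []).append(rec)
        else:
            events[key][rec["type"]] = rec

    summary = []
    for (ts, serial), recs in sorted(events.items()):
        sysc = recs.get("SYSCALL")
        sfields = sysc["fields"] if sysc else {}
        for avc in recs.get("AVC", []):
            if avc.get("decision") != "denied":
                continue
            f = avc["fields"]
            src_t = context_type(f.get("scontext", ""))
            tgt_t = context_type(f.get("tcontext", ""))
            perms = avc.get("perms", [])
            summary.append({
                "timestamp": ts,
                "serial": serial,
                "comm": f.get("comm"),
                "exe": sfields.get("exe"),
                "source_type": src_t,
                "target_type": tgt_t,
                "tclass": f.get("tclass"),
                "perms": perms,
                "src_port": int(f["src"]) if "src" in f else None,
                "syscall": X86_64_SYSCALLS.get(int(sfields["syscall"])) if "syscall" in sfields else None,
                "syscall_exit": int(sfields["exit"]) if "exit" in sfields else None,
                "suggested_interface": suggest_interface(src_t, tgt_t, f.get("tclass"), perms),
            })
    return summary


if __name__ == "__main__":
    for d in summarize_denials(SAMPLE_AUDIT_LOG):
        print(f"{d['comm']} ({d['source_type']}) {d['syscall']} port {d['src_port']} "
              f"-> {d['target_type']} exit={d['syscall_exit']}: {d['suggested_interface']}")
```

The point of keying on (timestamp, serial) rather than serial alone is that the audit daemon restarts serial numbers at boot, so a multi-day log collected centrally would otherwise merge unrelated AVC and SYSCALL records. The suggested interface is a triage hint in the sense the description uses audit2allow: it tells you which corenet interface the policy is missing, and whether that bind is expected for the daemon is still a judgement to make before adding it to a local module.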

Comment 3 Daniel Walsh 2010-11-29 20:50:11 UTC
Miroslav add

corenet_tcp_bind_sieve_port(dovecot_t)


Also

Comment 4 Miroslav Grepl 2010-12-01 10:51:27 UTC
Fixed in selinux-policy-3.9.7-14.fc14

Comment 5 Fedora Update System 2010-12-02 08:18:36 UTC
selinux-policy-3.9.7-14.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-14.fc14

Comment 6 Fedora Update System 2010-12-02 19:14:15 UTC
selinux-policy-3.9.7-14.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-14.fc14

Comment 7 Fedora Update System 2010-12-05 00:36:39 UTC
selinux-policy-3.9.7-14.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.