Bug 733591

Summary: selinux prevents dovecot from accessing /home
Product: [Fedora] Fedora Reporter: Ilkka Tengvall <ikke>
Component: dovecotAssignee: Michal Hlavinka <mhlavink>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: dominick.grift, dwalsh, mcepl, mcepl, mgrepl, mhlavink, pcfe
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-14 07:40:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ilkka Tengvall 2011-08-26 06:50:15 UTC
Description of problem:

My IMAP server causes selinux alerts I suppose when trying to access ~/Maildir. There should be a policy to allow dovecot to access user homes/Maildir at least.


Version-Release number of selected component (if applicable):

selinux-policy-3.9.16-35.fc15.noarch
dovecot-2.0.13-1.fc15.x86_64


How reproducible:

at every time you access the IMAP folders in ~/Maildir


Steps to Reproduce:
1. sudo service dovecot restart
2. access your imap share using ~/Maildir
3.
  
Actual results:

See additional info for sealert

Expected results:

no sealert

Additional info:

Here is couple of the sealerts, I first did the new policy as instructed in the first one, that lead to the second one. Addint that one too fixed the complaint.

####################################################################

SELinux is preventing /usr/libexec/dovecot/auth from search access on the directory /home.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that auth should be allowed search access on the home directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dovecot_auth_t:s0
Target Context                system_u:object_r:home_root_t:s0
Target Objects                /home [ dir ]
Source                        auth
Source Path                   /usr/libexec/dovecot/auth
Port                          <Unknown>
Host                          whipper.mobile.fp.nsn-rdnet.net
Source RPM Packages           dovecot-2.0.13-1.fc15
Target RPM Packages           filesystem-2.4.41-1.fc15
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     whipper.mobile.fp.nsn-rdnet.net
Platform                      Linux whipper.mobile.fp.nsn-rdnet.net
                              2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05
                              UTC 2011 x86_64 x86_64
Alert Count                   51
First Seen                    Wed 17 Aug 2011 10:27:09 PM EEST
Last Seen                     Fri 26 Aug 2011 08:54:02 AM EEST
Local ID                      35a81152-ddae-4268-b21b-7701feb1fabb

Raw Audit Messages
type=AVC msg=audit(1314338042.838:29019): avc:  denied  { search } for  pid=26527 comm="auth" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir


type=SYSCALL msg=audit(1314338042.838:29019): arch=x86_64 syscall=access success=no exit=EACCES a0=1918570 a1=0 a2=0 a3=1 items=0 ppid=26465 pid=26527 auid=4294967295 uid=10066861 gid=500 euid=10066861 suid=10066861 fsuid=10066861 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm=auth exe=/usr/libexec/dovecot/auth subj=system_u:system_r:dovecot_auth_t:s0 key=(null)

Hash: auth,dovecot_auth_t,home_root_t,dir,search

audit2allow

#============= dovecot_auth_t ==============
allow dovecot_auth_t home_root_t:dir search;

audit2allow -R

#============= dovecot_auth_t ==============
allow dovecot_auth_t home_root_t:dir search;




############################################################################



SELinux is preventing /usr/libexec/dovecot/auth from search access on the directory /home/itengval.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that auth should be allowed search access on the itengval directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dovecot_auth_t:s0
Target Context                system_u:object_r:user_home_dir_t:s0
Target Objects                /home/itengval [ dir ]
Source                        auth
Source Path                   /usr/libexec/dovecot/auth
Port                          <Unknown>
Host                          whipper.mobile.fp.nsn-rdnet.net
Source RPM Packages           dovecot-2.0.13-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     whipper.mobile.fp.nsn-rdnet.net
Platform                      Linux whipper.mobile.fp.nsn-rdnet.net
                              2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05
                              UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 26 Aug 2011 09:46:03 AM EEST
Last Seen                     Fri 26 Aug 2011 09:46:16 AM EEST
Local ID                      d7baa84c-8808-40e3-87dd-476999b4fb54

Raw Audit Messages
type=AVC msg=audit(1314341176.835:29422): avc:  denied  { search } for  pid=29981 comm="auth" name="itengval" dev=dm-0 ino=55316 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir


type=SYSCALL msg=audit(1314341176.835:29422): arch=x86_64 syscall=access success=no exit=EACCES a0=b0b560 a1=0 a2=0 a3=1 items=0 ppid=29951 pid=29981 auid=4294967295 uid=10066861 gid=500 euid=10066861 suid=10066861 fsuid=10066861 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm=auth exe=/usr/libexec/dovecot/auth subj=system_u:system_r:dovecot_auth_t:s0 key=(null)

Hash: auth,dovecot_auth_t,user_home_dir_t,dir,search

audit2allow

#============= dovecot_auth_t ==============
allow dovecot_auth_t user_home_dir_t:dir search;

audit2allow -R

#============= dovecot_auth_t ==============
allow dovecot_auth_t user_home_dir_t:dir search;

Comment 1 Daniel Walsh 2011-08-26 16:03:31 UTC
Are you actually seeing anything break?  We currently allow dovecot_deliver full access to the homedir.
/usr/lib/dovecot/deliver

Not sure auth needs this access , but I have no problem allowing it?

Does it need to read files here?

Comment 2 Ilkka Tengvall 2011-08-29 07:17:15 UTC
It needs to read files there, since that's where the mails are. I access to read those mails via IMAP, dovecot doing the read and delivery over IMAP.

There are couple weirdnesses within dovecot in fedora. I don't know exactly why these weirdnesses happen, but I thought if I would get rid of the selinux blocking anything it might help.

1. dovecot always fails to start after boot. Starts fine if started manually later
2. thunderbird only shows that there are new mails in my Maildir, but doesn't show the mails only after I access the box once, get back to other imap and re-access the box.

I know this is outside of this bug's scope, but I layed them here since you asked if I have any problems. So I'm not convinced SElinux is the cause of this, but these are about the only selinux alerts I get in my system.

Comment 3 Miroslav Grepl 2011-08-29 08:27:22 UTC
Michal,
does /usr/libexec/dovecot/auth need the same access as /usr/lib/dovecot/deliver to the homedir?

Comment 4 Matěj Cepl 2011-10-09 16:05:53 UTC
Just to confirm that I see the same with dovecot-2.0.9-2.el6_1.1.x86_64 and selinux-policy-targeted-3.7.19-113.el6.noarch on RHEL 6.2 with this dovecot configuration

mitmanek:build $ dovecot -n|grep -v \#
listen = 127.0.0.1
mail_location = maildir:~/.mail/
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
mitmanek:build $

Comment 5 Matěj Cepl 2011-10-09 16:12:44 UTC
For sake of completness sealert's message. 

SELinux is preventing /usr/libexec/dovecot/imap from getattr access on the blk_file /home/matej/.mail/.INBOX.NEU.buckle/tmp.

Additional Information:
Kontext zdroje                unconfined_u:system_r:dovecot_t:s0
Kontext cíle                  system_u:object_r:user_home_t:s0
Objekty cíle                  /home/matej/.mail/.INBOX.NEU.buckle/tmp [ blk_file
                              ]
Zdroj                         imap
Cesta zdroje                  /usr/libexec/dovecot/imap
Port                          <Neznámé>
Počítač                       mitmanek.ceplovi.cz
RPM balíčky zdroje            dovecot-2.0.9-2.el6_1.1
RPM balíčky cíle              
RPM politiky                  selinux-policy-3.7.19-113.el6
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Enforcing
Název počítače                mitmanek.ceplovi.cz
Platforma                     Linux mitmanek.ceplovi.cz 2.6.32-206.el6.x86_64 #1
                              SMP Tue Oct 4 11:51:32 EDT 2011 x86_64 x86_64
Počet upozornění              4
Poprvé viděno                 Ne 9. říjen 2011, 17:47:51 CEST
Naposledy viděno              Ne 9. říjen 2011, 18:00:46 CEST
Místní ID                     c831079b-d51d-47d6-8c5d-984d4605f6c0

Původní zprávy auditu
type=AVC msg=audit(1318176046.297:17419): avc:  denied  { getattr } for  pid=18275 comm="imap" path="/home/matej/.mail/.INBOX.NEU.buckle/tmp" dev=dm-8 ino=5795798 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=blk_file


type=SYSCALL msg=audit(1318176046.297:17419): arch=x86_64 syscall=stat success=no exit=EACCES a0=1d92328 a1=7fff99b4c250 a2=7fff99b4c250 a3=69616d2e2f6a6574 items=0 ppid=3611 pid=18275 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=imap exe=/usr/libexec/dovecot/imap subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

Hash: imap,dovecot_t,user_home_t,blk_file,getattr

audit2allow

#============= dovecot_t ==============
allow dovecot_t user_home_t:blk_file getattr;

audit2allow -R

#============= dovecot_t ==============
allow dovecot_t user_home_t:blk_file getattr;

Comment 6 Miroslav Grepl 2011-10-10 12:25:03 UTC
(In reply to comment #3)
> Michal,
> does /usr/libexec/dovecot/auth need the same access as /usr/lib/dovecot/deliver
> to the homedir?

Michal?

Comment 7 Michal Hlavinka 2011-12-12 15:31:46 UTC
I'm not able to reproduce this. Ilkka, what is your output of doveconf -n

Matej: 
Your selinux denial is completely different. In your case, dovecot needs that access for sure.

Comment 8 Ilkka Tengvall 2011-12-13 07:04:26 UTC
Hmmm, now on f16 I don't see this anymore. Or did I do some audit2allow for it at some point... How to check if I did? anyways, here's the doveconf -n:


# 2.0.15: /etc/dovecot/dovecot.conf
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:21: 'imaps' protocol is no longer supported. to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:21: 'pop3s' protocol is no longer supported. to disable non-ssl pop3, use service pop3-login { inet_listener pop3 { port=0 } }
# OS: Linux 3.1.4-1.fc16.x86_64 x86_64 Fedora release 16 (Verne) 
mbox_write_locks = fcntl
passdb {
  driver = pam
}
protocols = lmtp imap pop3
service imap-login {
  inet_listener imap {
    port = 0
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}

Comment 9 Miroslav Grepl 2011-12-13 09:27:01 UTC
(In reply to comment #8)
> Hmmm, now on f16 I don't see this anymore. Or did I do some audit2allow for it
> at some point... How to check if I did? 

Execute in your terminal

# sesearch -A -s dovecot_auth_t -t user_home_dir_t

Comment 10 Ilkka Tengvall 2011-12-13 09:34:04 UTC
thanks, it returns no results. So I assume the issue has disappeared during f15->f16 upgrade.

Comment 11 Michal Hlavinka 2011-12-14 07:40:46 UTC
ok, closing now. If anyone can reproduce this (dovecot_auth_t vs. home_root_t/user_home_t), feel free to reopen.