Bug 733591
| Summary: | selinux prevents dovecot from accessing /home | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ilkka Tengvall <ikke> |
| Component: | dovecot | Assignee: | Michal Hlavinka <mhlavink> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, mcepl, mcepl, mgrepl, mhlavink, pcfe |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-14 07:40:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Are you actually seeing anything break? We currently allow dovecot_deliver full access to the homedir. /usr/lib/dovecot/deliver Not sure auth needs this access , but I have no problem allowing it? Does it need to read files here? It needs to read files there, since that's where the mails are. I access to read those mails via IMAP, dovecot doing the read and delivery over IMAP. There are couple weirdnesses within dovecot in fedora. I don't know exactly why these weirdnesses happen, but I thought if I would get rid of the selinux blocking anything it might help. 1. dovecot always fails to start after boot. Starts fine if started manually later 2. thunderbird only shows that there are new mails in my Maildir, but doesn't show the mails only after I access the box once, get back to other imap and re-access the box. I know this is outside of this bug's scope, but I layed them here since you asked if I have any problems. So I'm not convinced SElinux is the cause of this, but these are about the only selinux alerts I get in my system. Michal, does /usr/libexec/dovecot/auth need the same access as /usr/lib/dovecot/deliver to the homedir? Just to confirm that I see the same with dovecot-2.0.9-2.el6_1.1.x86_64 and selinux-policy-targeted-3.7.19-113.el6.noarch on RHEL 6.2 with this dovecot configuration
mitmanek:build $ dovecot -n|grep -v \#
listen = 127.0.0.1
mail_location = maildir:~/.mail/
mbox_write_locks = fcntl
passdb {
driver = pam
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
driver = passwd
}
mitmanek:build $
For sake of completness sealert's message.
SELinux is preventing /usr/libexec/dovecot/imap from getattr access on the blk_file /home/matej/.mail/.INBOX.NEU.buckle/tmp.
Additional Information:
Kontext zdroje unconfined_u:system_r:dovecot_t:s0
Kontext cíle system_u:object_r:user_home_t:s0
Objekty cíle /home/matej/.mail/.INBOX.NEU.buckle/tmp [ blk_file
]
Zdroj imap
Cesta zdroje /usr/libexec/dovecot/imap
Port <Neznámé>
Počítač mitmanek.ceplovi.cz
RPM balíčky zdroje dovecot-2.0.9-2.el6_1.1
RPM balíčky cíle
RPM politiky selinux-policy-3.7.19-113.el6
Selinux povolen True
Typ politiky targeted
Vynucovací režim Enforcing
Název počítače mitmanek.ceplovi.cz
Platforma Linux mitmanek.ceplovi.cz 2.6.32-206.el6.x86_64 #1
SMP Tue Oct 4 11:51:32 EDT 2011 x86_64 x86_64
Počet upozornění 4
Poprvé viděno Ne 9. říjen 2011, 17:47:51 CEST
Naposledy viděno Ne 9. říjen 2011, 18:00:46 CEST
Místní ID c831079b-d51d-47d6-8c5d-984d4605f6c0
Původní zprávy auditu
type=AVC msg=audit(1318176046.297:17419): avc: denied { getattr } for pid=18275 comm="imap" path="/home/matej/.mail/.INBOX.NEU.buckle/tmp" dev=dm-8 ino=5795798 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1318176046.297:17419): arch=x86_64 syscall=stat success=no exit=EACCES a0=1d92328 a1=7fff99b4c250 a2=7fff99b4c250 a3=69616d2e2f6a6574 items=0 ppid=3611 pid=18275 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=imap exe=/usr/libexec/dovecot/imap subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
Hash: imap,dovecot_t,user_home_t,blk_file,getattr
audit2allow
#============= dovecot_t ==============
allow dovecot_t user_home_t:blk_file getattr;
audit2allow -R
#============= dovecot_t ==============
allow dovecot_t user_home_t:blk_file getattr;
(In reply to comment #3) > Michal, > does /usr/libexec/dovecot/auth need the same access as /usr/lib/dovecot/deliver > to the homedir? Michal? I'm not able to reproduce this. Ilkka, what is your output of doveconf -n Matej: Your selinux denial is completely different. In your case, dovecot needs that access for sure. Hmmm, now on f16 I don't see this anymore. Or did I do some audit2allow for it at some point... How to check if I did? anyways, here's the doveconf -n:
# 2.0.15: /etc/dovecot/dovecot.conf
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:21: 'imaps' protocol is no longer supported. to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:21: 'pop3s' protocol is no longer supported. to disable non-ssl pop3, use service pop3-login { inet_listener pop3 { port=0 } }
# OS: Linux 3.1.4-1.fc16.x86_64 x86_64 Fedora release 16 (Verne)
mbox_write_locks = fcntl
passdb {
driver = pam
}
protocols = lmtp imap pop3
service imap-login {
inet_listener imap {
port = 0
}
}
service pop3-login {
inet_listener pop3 {
port = 0
}
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
driver = passwd
}
(In reply to comment #8) > Hmmm, now on f16 I don't see this anymore. Or did I do some audit2allow for it > at some point... How to check if I did? Execute in your terminal # sesearch -A -s dovecot_auth_t -t user_home_dir_t thanks, it returns no results. So I assume the issue has disappeared during f15->f16 upgrade. ok, closing now. If anyone can reproduce this (dovecot_auth_t vs. home_root_t/user_home_t), feel free to reopen. |
Description of problem: My IMAP server causes selinux alerts I suppose when trying to access ~/Maildir. There should be a policy to allow dovecot to access user homes/Maildir at least. Version-Release number of selected component (if applicable): selinux-policy-3.9.16-35.fc15.noarch dovecot-2.0.13-1.fc15.x86_64 How reproducible: at every time you access the IMAP folders in ~/Maildir Steps to Reproduce: 1. sudo service dovecot restart 2. access your imap share using ~/Maildir 3. Actual results: See additional info for sealert Expected results: no sealert Additional info: Here is couple of the sealerts, I first did the new policy as instructed in the first one, that lead to the second one. Addint that one too fixed the complaint. #################################################################### SELinux is preventing /usr/libexec/dovecot/auth from search access on the directory /home. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that auth should be allowed search access on the home directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep auth /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:dovecot_auth_t:s0 Target Context system_u:object_r:home_root_t:s0 Target Objects /home [ dir ] Source auth Source Path /usr/libexec/dovecot/auth Port <Unknown> Host whipper.mobile.fp.nsn-rdnet.net Source RPM Packages dovecot-2.0.13-1.fc15 Target RPM Packages filesystem-2.4.41-1.fc15 Policy RPM selinux-policy-3.9.16-35.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name whipper.mobile.fp.nsn-rdnet.net Platform Linux whipper.mobile.fp.nsn-rdnet.net 2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05 UTC 2011 x86_64 x86_64 Alert Count 51 First Seen Wed 17 Aug 2011 10:27:09 PM EEST Last Seen Fri 26 Aug 2011 08:54:02 AM EEST Local ID 35a81152-ddae-4268-b21b-7701feb1fabb Raw Audit Messages type=AVC msg=audit(1314338042.838:29019): avc: denied { search } for pid=26527 comm="auth" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1314338042.838:29019): arch=x86_64 syscall=access success=no exit=EACCES a0=1918570 a1=0 a2=0 a3=1 items=0 ppid=26465 pid=26527 auid=4294967295 uid=10066861 gid=500 euid=10066861 suid=10066861 fsuid=10066861 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm=auth exe=/usr/libexec/dovecot/auth subj=system_u:system_r:dovecot_auth_t:s0 key=(null) Hash: auth,dovecot_auth_t,home_root_t,dir,search audit2allow #============= dovecot_auth_t ============== allow dovecot_auth_t home_root_t:dir search; audit2allow -R #============= dovecot_auth_t ============== allow dovecot_auth_t home_root_t:dir search; ############################################################################ SELinux is preventing /usr/libexec/dovecot/auth from search access on the directory /home/itengval. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that auth should be allowed search access on the itengval directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep auth /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:dovecot_auth_t:s0 Target Context system_u:object_r:user_home_dir_t:s0 Target Objects /home/itengval [ dir ] Source auth Source Path /usr/libexec/dovecot/auth Port <Unknown> Host whipper.mobile.fp.nsn-rdnet.net Source RPM Packages dovecot-2.0.13-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-35.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name whipper.mobile.fp.nsn-rdnet.net Platform Linux whipper.mobile.fp.nsn-rdnet.net 2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05 UTC 2011 x86_64 x86_64 Alert Count 2 First Seen Fri 26 Aug 2011 09:46:03 AM EEST Last Seen Fri 26 Aug 2011 09:46:16 AM EEST Local ID d7baa84c-8808-40e3-87dd-476999b4fb54 Raw Audit Messages type=AVC msg=audit(1314341176.835:29422): avc: denied { search } for pid=29981 comm="auth" name="itengval" dev=dm-0 ino=55316 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir type=SYSCALL msg=audit(1314341176.835:29422): arch=x86_64 syscall=access success=no exit=EACCES a0=b0b560 a1=0 a2=0 a3=1 items=0 ppid=29951 pid=29981 auid=4294967295 uid=10066861 gid=500 euid=10066861 suid=10066861 fsuid=10066861 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm=auth exe=/usr/libexec/dovecot/auth subj=system_u:system_r:dovecot_auth_t:s0 key=(null) Hash: auth,dovecot_auth_t,user_home_dir_t,dir,search audit2allow #============= dovecot_auth_t ============== allow dovecot_auth_t user_home_dir_t:dir search; audit2allow -R #============= dovecot_auth_t ============== allow dovecot_auth_t user_home_dir_t:dir search;