Bug 733591
| Summary: | selinux prevents dovecot from accessing /home | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ilkka Tengvall <ikke> |
| Component: | dovecot | Assignee: | Michal Hlavinka <mhlavink> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | dominick.grift, dwalsh, mcepl, mcepl, mgrepl, mhlavink, pcfe |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-14 07:40:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ilkka Tengvall
2011-08-26 06:50:15 UTC
Are you actually seeing anything break? We currently allow dovecot_deliver full access to the homedir. /usr/lib/dovecot/deliver Not sure auth needs this access, but I have no problem allowing it? Does it need to read files here?

---

It needs to read files there, since that's where the mails are. I read those mails via IMAP, dovecot doing the read and delivery over IMAP.

There are a couple of weirdnesses within dovecot in Fedora. I don't know exactly why these weirdnesses happen, but I thought if I would get rid of the selinux blocking anything it might help.

1. dovecot always fails to start after boot. Starts fine if started manually later.
2. thunderbird only shows that there are new mails in my Maildir, but doesn't show the mails until after I access the box once, get back to other imap and re-access the box.

I know this is outside of this bug's scope, but I laid them here since you asked if I have any problems. So I'm not convinced SELinux is the cause of this, but these are about the only selinux alerts I get in my system.

---

Michal, does /usr/libexec/dovecot/auth need the same access as /usr/lib/dovecot/deliver to the homedir?

---

Just to confirm that I see the same with dovecot-2.0.9-2.el6_1.1.x86_64 and selinux-policy-targeted-3.7.19-113.el6.noarch on RHEL 6.2 with this dovecot configuration:

```
mitmanek:build $ dovecot -n|grep -v \#
listen = 127.0.0.1
mail_location = maildir:~/.mail/
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
mitmanek:build $
```

For the sake of completeness, sealert's message:

```
SELinux is preventing /usr/libexec/dovecot/imap from getattr access on the blk_file /home/matej/.mail/.INBOX.NEU.buckle/tmp.

Additional Information:
Kontext zdroje                unconfined_u:system_r:dovecot_t:s0
Kontext cíle                  system_u:object_r:user_home_t:s0
Objekty cíle                  /home/matej/.mail/.INBOX.NEU.buckle/tmp [ blk_file ]
Zdroj                         imap
Cesta zdroje                  /usr/libexec/dovecot/imap
Port                          <Neznámé>
Počítač                       mitmanek.ceplovi.cz
RPM balíčky zdroje            dovecot-2.0.9-2.el6_1.1
RPM balíčky cíle
RPM politiky                  selinux-policy-3.7.19-113.el6
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Enforcing
Název počítače                mitmanek.ceplovi.cz
Platforma                     Linux mitmanek.ceplovi.cz 2.6.32-206.el6.x86_64 #1 SMP Tue Oct 4 11:51:32 EDT 2011 x86_64 x86_64
Počet upozornění              4
Poprvé viděno                 Ne 9. říjen 2011, 17:47:51 CEST
Naposledy viděno              Ne 9. říjen 2011, 18:00:46 CEST
Místní ID                     c831079b-d51d-47d6-8c5d-984d4605f6c0

Původní zprávy auditu
type=AVC msg=audit(1318176046.297:17419): avc: denied { getattr } for pid=18275 comm="imap" path="/home/matej/.mail/.INBOX.NEU.buckle/tmp" dev=dm-8 ino=5795798 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1318176046.297:17419): arch=x86_64 syscall=stat success=no exit=EACCES a0=1d92328 a1=7fff99b4c250 a2=7fff99b4c250 a3=69616d2e2f6a6574 items=0 ppid=3611 pid=18275 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=imap exe=/usr/libexec/dovecot/imap subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

Hash: imap,dovecot_t,user_home_t,blk_file,getattr

audit2allow

#============= dovecot_t ==============
allow dovecot_t user_home_t:blk_file getattr;

audit2allow -R

#============= dovecot_t ==============
allow dovecot_t user_home_t:blk_file getattr;
```

---

(In reply to comment #3)
> Michal,
> does /usr/libexec/dovecot/auth need the same access as /usr/lib/dovecot/deliver
> to the homedir?

Michal?

---

I'm not able to reproduce this. Ilkka, what is your output of doveconf -n

Matej: Your selinux denial is completely different. In your case, dovecot needs that access for sure.

---

Hmmm, now on f16 I don't see this anymore. Or did I do some audit2allow for it at some point... How to check if I did? Anyways, here's the doveconf -n:

```
# 2.0.15: /etc/dovecot/dovecot.conf
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:21: 'imaps' protocol is no longer supported. to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:21: 'pop3s' protocol is no longer supported. to disable non-ssl pop3, use service pop3-login { inet_listener pop3 { port=0 } }
# OS: Linux 3.1.4-1.fc16.x86_64 x86_64 Fedora release 16 (Verne)
mbox_write_locks = fcntl
passdb {
  driver = pam
}
protocols = lmtp imap pop3
service imap-login {
  inet_listener imap {
    port = 0
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
```

---

(In reply to comment #8)
> Hmmm, now on f16 I don't see this anymore. Or did I do some audit2allow for it
> at some point... How to check if I did?

Execute in your terminal

```
# sesearch -A -s dovecot_auth_t -t user_home_dir_t
```

---

Thanks, it returns no results. So I assume the issue has disappeared during the f15->f16 upgrade.

---

Ok, closing now. If anyone can reproduce this (dovecot_auth_t vs. home_root_t/user_home_t), feel free to reopen.
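As an added example (not part of the bug report, and not code from the dovecot or selinux-policy projects): a small Python parser for the AVC denial quoted in the report that extracts the source and target types, renders the rule audit2allow proposed, and answers the same question the thread's `sesearch -A` step asks, namely whether a set of existing allow rules already grants the denied permissions. The denial line and the rule text come from the report; the `EXISTING_RULES` list is constructed.

```python
import re

# The AVC record quoted in the bug report, kept verbatim (constructed sample input).
SAMPLE_AVC = (
    'type=AVC msg=audit(1318176046.297:17419): avc: denied { getattr } for pid=18275 '
    'comm="imap" path="/home/matej/.mail/.INBOX.NEU.buckle/tmp" dev=dm-8 ino=5795798 '
    'scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:user_home_t:s0 '
    'tclass=blk_file'
)

# Constructed stand-in for what `sesearch -A -s dovecot_t -t user_home_t` might print.
EXISTING_RULES = ['allow dovecot_t user_home_t:file { read getattr open };']

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
RULE_RE = re.compile(r'allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]+?)\s*\}|(\S+?));')

def parse_avc(line):
    """Split an audit AVC line into denied permissions, SELinux types and raw key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in re.findall(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)', m.group('fields')):
        fields[key] = value.strip('"')
    type_of = lambda ctx: ctx.split(':')[2]   # user:role:type:level -> type
    return {
        'perms': m.group('perms').split(),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'fields': fields,
    }

def allow_rule(parsed):
    """Render the allow rule audit2allow would propose for this denial."""
    return 'allow %s %s:%s %s;' % (parsed['source_type'], parsed['target_type'],
                                  parsed['tclass'], ' '.join(sorted(parsed['perms'])))

def covered(parsed, rules):
    """True when every denied permission is already granted by a matching rule
    (source type, target type and object class must all agree)."""
    need = set(parsed['perms'])
    for rule in rules:
        m = RULE_RE.match(rule.strip())
        if not m:
            continue
        src, tgt, cls, multi, single = m.groups()
        if (src, tgt, cls) == (parsed['source_type'], parsed['target_type'], parsed['tclass']):
            need -= set((multi or single).split())
    return not need
```

Because the object class must match, a rule on `file` does not cover a denial on `blk_file`, which is the kind of mismatch worth checking before writing a local policy module.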