| Field | Value |
|---|---|
| Summary: | SELinux and dovecot's attempt to access conf. files. |
| Product: | [Fedora] Fedora |
| Reporter: | Sergey Korchak <jackaloff> |
| Component: | selinux-policy |
| Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED INSUFFICIENT_DATA |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium |
| Docs Contact: | |
| Priority: | unspecified |
| Version: | 19 |
| CC: | dominick.grift, dwalsh, lvrabec, mgrepl, mhlavink |
| Target Milestone: | --- |
| Flags: | mgrepl: needinfo? (jackaloff) |
| Target Release: | --- |
| Hardware: | i686 |
| OS: | Linux |
| Whiteboard: | |
| Fixed In Version: | |
| Doc Type: | Bug Fix |
| Doc Text: | SETroubleshoot report, reproduced below |

```
SELinux is preventing /usr/bin/doveadm from getattr access on the directory /etc/dovecot.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that doveadm should be allowed getattr access on the dovecot directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot [ dir ]
Source                        doveadm
Source Path                   /usr/bin/doveadm
Port                          <Unknown>
Host                          gamma.localdomain
Source RPM Packages           dovecot-2.0.13-1.fc14
Target RPM Packages           dovecot-2.0.13-1.fc14
Policy RPM                    selinux-policy-3.9.7-44.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     gamma.localdomain
Platform                      Linux gamma.localdomain 2.6.35.14-95.fc14.i686 #1
                              SMP Tue Aug 16 21:30:14 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Tuesday September 6 2011 1:29:47
Last Seen                     Tuesday September 6 2011 1:29:47
Local ID                      f7aa686a-8fbe-4b93-838b-df673c67dd4d

Raw Audit Messages
type=AVC msg=audit(1315261787.325:35608): avc: denied { getattr } for pid=3491 comm="doveadm" path="/etc/dovecot" dev=dm-0 ino=5768844 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir

type=SYSCALL msg=audit(1315261787.325:35608): arch=i386 syscall=stat64 success=no exit=EACCES a0=900c1c0 a1=bfea12b0 a2=350ff4 a3=46b056 items=0 ppid=2341 pid=3491 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

Hash: doveadm,httpd_sys_script_t,dovecot_etc_t,dir,getattr

audit2allow

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dovecot_etc_t:dir getattr;

audit2allow -R

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dovecot_etc_t:dir getattr;
```

| Field | Value |
|---|---|
| Story Points: | --- |
| Last Closed: | 2013-10-24 18:10:07 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
| Attachments: | |

Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents: identical to the Doc Text field above.
Looks like we need to add a new policy for postfixadmin. Which is the path to the scripts?

Miroslav: looking at the postfixadmin rpm from sourceforge, the php scripts are located at /srv/www/htdocs/postfixadmin

Sergey, could you test it with permissive mode for httpd_sys_script_t?

```
$ semanage permissive -a httpd_sys_script_t
```

Re-test it, then run

```
$ ausearch -m avc -ts recent
```

and attach the AVC msgs.

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could also affect pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and the reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Created attachment 521550 [details]
bug's files

Description of problem:
I have installed postfixadmin from the project site. When postfixadmin tries to execute doveadm I get an error like "can't encrypt password with dovecotpw" and three SELinux alerts. After this I tried to solve it as SETroubleshoot recommends (# grep doveadm /var/log/audit/audit.log | audit2allow -M mypol; # semodule -i mypol.pp) but this did not help.

Version-Release number of selected component (if applicable):
```
[root@gamma korchak]# uname -a
Linux gamma.localdomain 2.6.35.14-95.fc14.i686 #1 SMP Tue Aug 16 21:30:14 UTC 2011 i686 i686 i386 GNU/Linux
[root@gamma korchak]# dovecot --version
2.0.13
```
All latest updates installed.

How reproducible:
Install postfixadmin and use dovecot with dovecot's auth. Try to fix the SEAlert message after the postfixadmin run.

Steps to Reproduce:
1.
2.
3.

Actual results:
Denied running the doveadm util from within apache.

Expected results:

Additional info:
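To make the link between the raw AVC records in the Doc Text and the allow rule that audit2allow prints concrete, here is an added Python example; it is not part of the bug report, of SETroubleshoot or of audit2allow. It parses AVC records of the shape shown under Raw Audit Messages (the same shape `ausearch -m avc -ts recent`, requested in the comments, would return), merges the denied permissions per source type, target type and object class, formats the rule the way audit2allow does, and flags rules that admit one service's domain (httpd_) into another service's files (dovecot_). The sample log is constructed from the two records on this page, with the extraction whitespace repaired, plus one extra constructed `read` denial to show permission merging; the service-prefix check is a heuristic assumed by this example, not SELinux policy semantics.

```python
import re
from collections import defaultdict

# Constructed sample input: the two raw audit messages from this bug report (whitespace
# repaired) plus one extra constructed AVC record, a "read" denial on the same directory,
# so that the merging of permissions into a single rule is visible.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1315261787.325:35608): avc:  denied  { getattr } for  pid=3491 comm="doveadm" path="/etc/dovecot" dev=dm-0 ino=5768844 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1315261787.325:35608): arch=i386 syscall=stat64 success=no exit=EACCES a0=900c1c0 a1=bfea12b0 a2=350ff4 a3=46b056 items=0 ppid=2341 pid=3491 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="doveadm" exe="/usr/bin/doveadm" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1315261790.001:35609): avc:  denied  { read } for  pid=3492 comm="doveadm" name="dovecot" dev=dm-0 ino=5768844 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
"""

# The parts of an AVC record that an allow rule is built from.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)
# Generic key=value (or key="quoted value") fields, used for comm/path/name.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """user:role:type:range -> type, the component TE allow rules are written against."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None for other record types."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
    }


def summarize(audit_text):
    """Merge denials per (source type, target type, class), as audit2allow does."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc and avc["result"] == "denied":
            merged[(avc["stype"], avc["ttype"], avc["tclass"])].update(avc["perms"])
    return {key: sorted(perms) for key, perms in merged.items()}


def allow_rule(stype, ttype, tclass, perms):
    """Format one TE allow rule in the syntax audit2allow emits."""
    perms = sorted(perms)
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_text};"


def crosses_service_boundary(stype, ttype):
    """Heuristic assumed by this example (not policy semantics): source and target types
    with different service prefixes, e.g. httpd_ -> dovecot_, mean the rule lets one
    service's domain into another service's files and deserves review rather than a
    blanket local module."""
    return stype.split("_")[0] != ttype.split("_")[0]


def review(audit_text):
    """Return (rule, needs_review) pairs for every distinct denial in the log text."""
    return [
        (allow_rule(s, t, c, perms), crosses_service_boundary(s, t))
        for (s, t, c), perms in sorted(summarize(audit_text).items())
    ]


if __name__ == "__main__":
    for rule, flagged in review(SAMPLE_AUDIT_LOG):
        print(("REVIEW  " if flagged else "        ") + rule)
```

Run stand-alone it prints the merged rule with a REVIEW marker. The marker captures the point made in the comments: a rule that takes httpd_sys_script_t into dovecot_etc_t is the kind of access that belongs in policy written for the postfixadmin scripts, not in the generic local module the catchall plugin suggests, since that module would grant the same access to every CGI or PHP script the web server runs.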