Bug 749690

Summary: dovecot denials
Product: Red Hat Enterprise Linux 6 Reporter: Orion Poplawski <orion>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: dwalsh, mhlavink, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-122.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 10:20:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Orion Poplawski 2011-10-27 22:39:03 UTC 
Description of problem:

Testing out dovecot on EL6.1, seeing:

type=AVC msg=audit(1319755026.871:90): avc:  denied  { sys_nice } for  pid=2602 comm="auth" capability=23  scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1319755026.871:90): avc:  denied  { setsched } for  pid=2602 comm="auth" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6_1.7.noarch


Seems to happen when a user logs in.  Doesn't appear to affect anything.
Comment 2 Daniel Walsh 2011-10-28 13:34:50 UTC 
cat /usr/include/linux/capability.h
...
/* Allow raising priority and setting priority on other (different
   UID) processes */
/* Allow use of FIFO and round-robin (realtime) scheduling on own
   processes and setting the scheduling algorithm used by another
   process. */
/* Allow setting cpu affinity on other processes */

#define CAP_SYS_NICE         23

Looks liked dovecot_auth_t is changing #2
/* Allow use of FIFO and round-robin (realtime) scheduling on own
   processes and setting the scheduling algorithm used by another
   process. */

I just added this to F16 policy.  Strange that we have never seen this before.  Has there been a new release of dovecot?
Comment 3 Orion Poplawski 2011-10-28 14:34:49 UTC 
Not recently:

* Thu Jan 13 2011 Michal Hlavinka <mhlavink> - 1:2.0.9-1
- dovecot updated to 2.0.9

* Thu Jan 13 2011 Michal Hlavinka <mhlavink> - 1:2.0.8-1
- dovecot updated to 2.0.8 (fixes #654226), pigeonhole updated to 0.2.2

Not sure when it got pushed out though.
Comment 6 Miroslav Grepl 2011-11-02 11:49:51 UTC 
Fixed in  selinux-policy-3.7.19-122.el6
Comment 9 errata-xmlrpc 2011-12-06 10:20:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html