| Summary: | AVC denied for setattr for dovecot_t/dovecot_deliver_t in user_home_dir_t | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.2 | CC: | cww, dwalsh, jwest, mmalik, robert.scheck |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-02-27 21:37:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 727267 | ||
We allow dovecot_deliver to manage user home content using

```
userdom_manage_user_home_content_dirs(dovecot_deliver_t)
userdom_manage_user_home_content_files(dovecot_deliver_t)
userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
```

The problem is the d-deliver tries to set attrs on /home/user_01 dir. Normally, mails are delivered to /home/user_01/Mail or similar (user_home_t), but in our case not, thus it is (user_home_dir_t) where the setattr is tried.

Then you need to label /home/user_01 with something different from user_home_dir_t. Have you tried to label it user_home_t?

```
semanage fcontext -a -t user_home_t /home/user_01(/.*)?
```

Does this really make sense or will this cause other issues? Because with your suggestion, I'm overriding the default file contexts.

You are overriding the default context for a directory that the system currently thinks is a homedir. I believe this labeling is correct with this change. The risk here is if a user logs into this directory and creates subdirs they might not be labeled the way you would expect. You will need to test if it works.

I am closing this bug because this is more of a special configuration.
Description of problem:
The following AVC denied messages are showing up if Dovecot is configured to put e-mails directly into /home/user_01:

```
type=AVC msg=audit(1326128547.426:35541): avc: denied { setattr } for pid=15768 comm="imap" name="user_01" dev=drbd1 ino=270008321 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1326128547.426:35541): arch=c000003e syscall=92 success=no exit=-13 a0=12544e0 a1=1f4 a2=ffffffff a3=0 items=0 ppid=15746 pid=15768 auid=0 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=2428 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1326128978.045:35577): avc: denied { setattr } for pid=15949 comm="dovecot-lda" name="user_01" dev=drbd1 ino=270008321 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1326128978.045:35577): arch=c000003e syscall=92 success=no exit=-13 a0=e0dbb0 a1=1f4 a2=ffffffff a3=fffffffb items=0 ppid=15948 pid=15949 auid=0 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=2428 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)
```

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4.noarch
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch
dovecot-2.0.9-2.el6_1.1.x86_64

How reproducible:
Every time, see above and below.

Actual results:
AVC denied for setattr for dovecot_t/dovecot_deliver_t in user_home_dir_t.

Expected results:
No AVC denied for the case mentioned above.

Additional info:
Maybe these exceptions need to go into a dovecot_enable_homedirs boolean?
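As an added example (not from this bug report or the selinux-policy project), the following Python picks exactly this denial pattern out of audit log text, splitting each context into its type field so the check keys on dovecot_t/dovecot_deliver_t and user_home_dir_t, and prints the relabelling the discussion proposes. The sample input reuses the two AVC lines above plus one constructed write denial on user_home_t that must not match; the /home base path for the semanage command is an assumption.

```python
import re
from typing import List, Optional

# The two AVC lines quoted in this report, plus one constructed line (a write denial
# on user_home_t, i.e. the normal mail-folder case) that must NOT match the pattern.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1326128547.426:35541): avc: denied { setattr } for pid=15768 comm="imap" name="user_01" dev=drbd1 ino=270008321 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1326128547.426:35541): arch=c000003e syscall=92 success=no exit=-13
type=AVC msg=audit(1326128978.045:35577): avc: denied { setattr } for pid=15949 comm="dovecot-lda" name="user_01" dev=drbd1 ino=270008321 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1326129000.000:35600): avc: denied { write } for pid=16000 comm="dovecot-lda" name="Mail" dev=drbd1 ino=270008400 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DOVECOT_DOMAINS = {"dovecot_t", "dovecot_deliver_t"}


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit line into a dict; None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is what the policy rules key on.
    rec["stype"] = rec.get("scontext", "::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
    return rec


def is_dovecot_homedir_setattr(rec: dict) -> bool:
    """The pattern from this report: a Dovecot domain doing setattr on the homedir itself."""
    return (rec["stype"] in DOVECOT_DOMAINS and "setattr" in rec["perms"]
            and rec["ttype"] == "user_home_dir_t" and rec.get("tclass") == "dir")


def triage(audit_text: str) -> List[dict]:
    """Return the parsed AVC records in audit_text that match the pattern above."""
    return [r for r in (parse_avc(ln) for ln in audit_text.splitlines())
            if r is not None and is_dovecot_homedir_setattr(r)]


def suggested_fcontext(rec: dict, home_base: str = "/home") -> str:
    """The relabelling proposed in the report (assumes homedirs live under home_base).
    Caveat from the discussion: subdirs a user later creates may not get the expected label."""
    return f"semanage fcontext -a -t user_home_t '{home_base}/{rec['name']}(/.*)?'"


if __name__ == "__main__":
    for hit in triage(SAMPLE_AUDIT):
        print(hit["comm"], hit["stype"], "->", hit["ttype"], "|", suggested_fcontext(hit))
```

After applying such a fcontext rule the directory still needs a `restorecon -R` and, as the discussion notes, a test that newly created subdirectories get the label you expect.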