Bug 830611
| Field | Value |
|---|---|
| Summary | selinux policy prevents dovecot domains access to mail_home_rw_t (Maildir) |
| Product | [Fedora] Fedora |
| Reporter | Scott Shambarger <scott-fedora> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 17 |
| CC | dominick.grift, dwalsh, mgrepl, opensource, tis |
| Target Milestone | --- |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 836241 |
| Environment | |
| Last Closed | 2012-06-30 21:51:14 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Description
Scott Shambarger
2012-06-10 23:54:38 UTC
This is fixed in F18. Fixing also in F17.

Fixed in selinux-policy-3.10.0-130.fc17

selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17

Installed and tested -130, but problem is still present. I see from the source file that mta_read_home_rw() is set for dovecot_t and dovecot_deliver_t, but these only allow read access from those domains. dovecot allows message move, delete, index creation, even directory creation (and supports reading symlinks for mailbox aliases, although not creating them). Example denials that remain:

```
avc: denied { write } for pid=6009 comm="imap" name="dovecot.index.log" dev="dm-3" ino=6422913 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { rename } for pid=6009 comm="imap" name="1339449041.M782844P6009.shambarger.net" dev="dm-3" ino=6450101 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { read } for pid=5985 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file
```

So dovecot does require the 3 entries (or their equivalent) in the bug description above. Please let me know if there's another configuration option (perhaps a boolean) that I'm missing to permit dovecot r/w access to the Maildir directory :)

Ok, so it needs r/w.

Package selinux-policy-3.10.0-130.fc17:

* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).

See comment 3, selinux-policy-3.10.0-130 still does not permit r/w access -- the 3 line fix in the bug description is all that's required :)

selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Bug has not been solved (for reasons listed above). Should not be closed until resolved.

Fixed in selinux-policy-3.10.0-131.fc17

selinux-policy-3.10.0-132.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-132.fc17

Tried selinux-policy-3.10.0-132, and dovecot_deliver_t still doesn't have Read/Write access to mail_home_rw_t... And neither dovecot_t nor dovecot_deliver_t have read access to symlinks. From audit2allow:

```
#============= dovecot_deliver_t ==============
allow dovecot_deliver_t mail_home_rw_t:dir { write remove_name read add_name };
allow dovecot_deliver_t mail_home_rw_t:file { write rename create unlink setattr };
allow dovecot_deliver_t mail_home_rw_t:lnk_file read;

#============= dovecot_t ==============
allow dovecot_t mail_home_rw_t:lnk_file read;
```

I've checked the source package, and will attach a patch for policy/modules/services/dovecot.te

Created attachment 593070
Patch to policy/modules/services/dovecot.te

Note: in patch I removed mta_read_home_rw(dovecot_t) as it's a subset of the already included mta_manage_home_rw(dovecot_t)

Miroslav please back port cffaac2f88d8d771da6d8b0262678201f67b68f4

selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

As listed above, still not fixed in 3.10.0-132

Yes, the problem is I did not remove this bug from the update system.

Fixed in 3.10.0-133

3.10.0-133 appears to fix the problem! Tested all my problem cases, and no denials appeared. :)

Thanks!
Scott

selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17

Package selinux-policy-3.10.0-134.fc17:

* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).

*** Bug 835906 has been marked as a duplicate of this bug. ***

selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
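Added example, not part of the bug report or of the selinux-policy project: a small parser for AVC denial lines in the format quoted in the thread. It groups the denied permissions by source type, target type and object class, which is the aggregation audit2allow performs to produce allow rules like the ones pasted above, and it decodes the hex-encoded `name=` field that auditd emits when a file name contains a space or an unprintable byte (the `2E44...` name in the third denial is such a case). The input is the three dovecot_t denials from the report plus two constructed dovecot_deliver_t lines (marked in the code; their pid, inode and file names are made up). The function names, the regexes and the sample lines are this example's own assumptions.

```python
import re
from collections import defaultdict

# Three AVC denials quoted in the bug report, followed by two CONSTRUCTED lines
# in the same format for the dovecot_deliver_t domain (not from the report).
SAMPLE_AVC_LINES = [
    'avc: denied { write } for pid=6009 comm="imap" name="dovecot.index.log" dev="dm-3" '
    'ino=6422913 scontext=system_u:system_r:dovecot_t:s0 '
    'tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file',
    'avc: denied { rename } for pid=6009 comm="imap" name="1339449041.M782844P6009.shambarger.net" '
    'dev="dm-3" ino=6450101 scontext=system_u:system_r:dovecot_t:s0 '
    'tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file',
    'avc: denied { read } for pid=5985 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" '
    'ino=6422539 scontext=system_u:system_r:dovecot_t:s0 '
    'tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file',
    # constructed sample, not from the report:
    'avc: denied { write add_name } for pid=7001 comm="dovecot-lda" name="new" dev="dm-3" '
    'ino=6422600 scontext=system_u:system_r:dovecot_deliver_t:s0 '
    'tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir',
    # constructed sample, not from the report:
    'avc: denied { create } for pid=7001 comm="dovecot-lda" name="1339450000.M1P7001.example.invalid" '
    'dev="dm-3" ino=6422601 scontext=system_u:system_r:dovecot_deliver_t:s0 '
    'tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file',
]

# Permission set, source/target security contexts and object class of one denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# name= is either a quoted string or an unquoted run of hex digits.
NAME_RE = re.compile(r'\bname=(?:"(?P<quoted>[^"]*)"|(?P<hexed>[0-9A-Fa-f]+))')


def decode_name(raw):
    """auditd hex-encodes a field whose value contains spaces or unprintable
    bytes; decode it back to text (odd-length input is returned unchanged)."""
    if len(raw) % 2:
        return raw
    return bytes.fromhex(raw).decode('utf-8', errors='replace')


def context_type(ctx):
    # user:role:type:level -> type, the component access rules are keyed on
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the fields of one denial as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    name = None
    nm = NAME_RE.search(line)
    if nm:
        name = nm.group('quoted') if nm.group('quoted') is not None else decode_name(nm.group('hexed'))
    return {
        'perms': set(m.group('perms').split()),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'name': name,
    }


def aggregate(lines):
    """Union the denied permissions per (source type, target type, class),
    the same collapsing audit2allow does before printing allow rules."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return rules


def format_rules(rules):
    """Render the aggregated sets as policy-language allow rules, sorted for stable output."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ ' + p + ' }'
        out.append(f'allow {stype} {ttype}:{tclass} {p};')
    return out


if __name__ == '__main__':
    for rule in format_rules(aggregate(SAMPLE_AVC_LINES)):
        print(rule)
```

The generated rules are a diagnostic, not a fix to load blindly: as the thread shows, the right repair was to call an existing policy interface (mta_manage_home_rw) in dovecot.te rather than to add raw allow rules, and the decoded name (`.Deleted Items` for the hex-encoded third denial) tells you which object the domain was actually touching.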