Bug 835906

Summary: ELinux is preventing /usr/libexec/dovecot/dovecot-lda from 'write' accesses on the file /home/till/Maildir/.X/dovecot-uidlist
Product: [Fedora] Fedora Reporter: Till Maas <opensource>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dominick.grift, dwalsh, mgrepl, opensource
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-28 19:20:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Till Maas 2012-06-27 13:50:26 UTC 
dovecot with sieve and  ~/Maildir as mail location does not work. Here are some example problem reports:

executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.3-1.fc17.x86_64
time:           Wed 27 Jun 2012 03:45:46 PM CEST

description:
:SELinux is preventing /usr/libexec/dovecot/dovecot-lda from 'write' accesses on the file /home/till/Maildir/.X/dovecot-uidlist.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that dovecot-lda should be allowed write access on the dovecot-uidlist file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep deliver /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:dovecot_deliver_t:s0
:Target Context                unconfined_u:object_r:mail_home_rw_t:s0
:Target Objects                /home/till/Maildir/.X/dovecot-
:                              uidlist [ file ]
:Source                        deliver
:Source Path                   /usr/libexec/dovecot/dovecot-lda
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           dovecot-2.1.7-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC
:                              2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Wed 27 Jun 2012 10:36:27 AM CEST
:Last Seen                     Wed 27 Jun 2012 10:36:27 AM CEST
:Local ID                      d63cc1f8-bc58-426c-bd98-b19b57b0aeaf
:
:Raw Audit Messages
:type=AVC msg=audit(1340786187.549:458): avc:  denied  { write } for  pid=7497 comm="deliver" name="dovecot-uidlist" dev="dm-9" ino=1836786 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1340786187.549:458): arch=x86_64 syscall=open success=yes exit=ECHILD a0=150e780 a1=2 a2=7fff9fd62d60 a3=1 items=0 ppid=7495 pid=7497 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=deliver exe=/usr/libexec/dovecot/dovecot-lda subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)
:
:Hash: deliver,dovecot_deliver_t,mail_home_rw_t,file,write
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

END:

SELinux is preventing /usr/libexec/dovecot/dovecot-lda from write access on the directory /home/till/Maildir/.INBOX/tmp.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that dovecot-lda should be allowed write access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep deliver /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:dovecot_deliver_t:s0
Target Context                unconfined_u:object_r:mail_home_rw_t:s0
Target Objects                /home/till/Maildir/.INBOX/tmp [ dir ]
Source                        deliver
Source Path                   /usr/libexec/dovecot/dovecot-lda
Port                          <Unknown>
Host                          
Source RPM Packages           dovecot-2.1.7-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     
Platform                      Linux 
                              3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC
                              2012 x86_64 x86_64
Alert Count                   123
First Seen                    Wed 27 Jun 2012 08:39:12 AM CEST
Last Seen                     Wed 27 Jun 2012 03:02:52 PM CEST
Local ID                      772a78d3-5d3d-4a64-bc4e-828caf33d257

Raw Audit Messages
type=AVC msg=audit(1340802172.491:531): avc:  denied  { write } for  pid=13104 comm="deliver" name="tmp" dev="dm-9" ino=670220 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir


type=AVC msg=audit(1340802172.491:531): avc:  denied  { add_name } for  pid=13104 comm="deliver" name="XXX" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir


type=AVC msg=audit(1340802172.491:531): avc:  denied  { create } for  pid=13104 comm="deliver" name="XXX" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file


type=SYSCALL msg=audit(1340802172.491:531): arch=x86_64 syscall=open success=yes exit=ECHILD a0=a74320 a1=2c1 a2=1ff a3=746e616c6174612e items=0 ppid=13103 pid=13104 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=deliver exe=/usr/libexec/dovecot/dovecot-lda subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)

Hash: deliver,dovecot_deliver_t,mail_home_rw_t,dir,write

audit2allow

#============= dovecot_deliver_t ==============
#!!!! The source type 'dovecot_deliver_t' can write to a 'dir' of the following types:
# dovecot_deliver_tmp_t, user_home_dir_t, mail_spool_t, tmp_t, user_home_t, data_home_t

allow dovecot_deliver_t mail_home_rw_t:dir { write add_name };
allow dovecot_deliver_t mail_home_rw_t:file create;

audit2allow -R

#============= dovecot_deliver_t ==============
#!!!! The source type 'dovecot_deliver_t' can write to a 'dir' of the following types:
# dovecot_deliver_tmp_t, user_home_dir_t, mail_spool_t, tmp_t, user_home_t, data_home_t

allow dovecot_deliver_t mail_home_rw_t:dir { write add_name };
allow dovecot_deliver_t mail_home_rw_t:file create;
Comment 1 Miroslav Grepl 2012-06-28 11:31:06 UTC 
Please update your policy

# yum update selinux-policy-targeted --enablerepo=updates-testing
Comment 2 Till Maas 2012-06-28 19:20:40 UTC 

*** This bug has been marked as a duplicate of bug 830611 ***