Bug 836241
| Field | Value |
|---|---|
| Summary | selinux policy prevents dovecot domains access to mail_home_rw_t (Maildir) |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Tuomo Soini <tis> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Michal Trunecka <mtruneck> |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 6.3 |
| CC | dominick.grift, dwalsh, ebenes, galens, mgrepl, mmalik, mtruneck, Per.t.Sjoholm, scott-fedora, tis, vchepkov |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | 830611 |
| Environment | |
| Last Closed | 2013-02-21 08:24:52 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |

Description
Tuomo Soini
2012-06-28 13:11:49 UTC
Buggy policy was backported to rhel-6.3 - the same fix is needed.

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Created attachment 597365 [details]
Backport of the fix for the issue.

I'd strongly request a Z-stream fix for the issue - this problem totally breaks dovecot delivery to Maildir-format mailboxes when the system is in enforcing mode.

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Fixed in selinux-policy-3.7.19-156

While running dovecot as LDA delivering mail into ~/Maildir, the following AVCs were reported. These are AVCs from permissive mode, so no more than the getattr operation is needed.

```
----
time->Thu Sep 20 13:45:19 2012
type=PATH msg=audit(1348141519.305:455): item=0 name="/root" inode=19 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1348141519.305:455): cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1348141519.305:455): arch=c000003e syscall=4 success=yes exit=0 a0=fca520 a1=7fff2b72f430 a2=7fff2b72f430 a3=7fff2b72f0f0 items=1 ppid=22855 pid=22857 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=3 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)
type=AVC msg=audit(1348141519.305:455): avc: denied { getattr } for pid=22857 comm="dovecot-lda" path="/root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Thu Sep 20 13:45:23 2012
type=PATH msg=audit(1348141523.755:458): item=0 name="/root" inode=19 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1348141523.755:458): cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1348141523.755:458): arch=c000003e syscall=4 success=yes exit=0 a0=1077520 a1=7fff702ca160 a2=7fff702ca160 a3=7fff702c9e20 items=1 ppid=22878 pid=22932 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=3 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)
type=AVC msg=audit(1348141523.755:458): avc: denied { getattr } for pid=22932 comm="dovecot-lda" path="/root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
```

Version of selinux policy:

```
selinux-policy-3.7.19-162.el6.noarch
selinux-policy-targeted-3.7.19-162.el6.noarch
selinux-policy-mls-3.7.19-162.el6.noarch
```

```
# matchpathcon /root
/root system_u:object_r:admin_home_t:s0
```

This is another AVC:

```
----
time->Thu Sep 20 14:14:19 2012
type=PATH msg=audit(1348143259.513:686): item=0 name="/root" inode=19 dev=fd:00 mode=040551 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1348143259.513:686): cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1348143259.513:686): arch=c000003e syscall=80 success=yes exit=0 a0=e1aa31 a1=7f65b9f143f0 a2=0 a3=7fffd929c1b0 items=1 ppid=1590 pid=1592 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=3 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)
type=AVC msg=audit(1348143259.513:686): avc: denied { search } for pid=1592 comm="dovecot-lda" name="root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
```

So you intend to deliver mail to /root/Maildir. I especially did not include the possibility for that in my patch. If that is wanted, I'd add a boolean for it.

No, we can allow it. I have added a fix for F18.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
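As an added illustration (not code from the bug report or from the selinux-policy package): a small Python script that aggregates the AVC records quoted above, the way `audit2allow -M` does, into the minimal allow rule and a local policy module source. The sample input is constructed from the three type=AVC lines on this page; the module name `local_dovecot_lda` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the type=AVC lines of the three records quoted in this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(1348141519.305:455): avc: denied { getattr } for pid=22857 comm="dovecot-lda" path="/root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1348141523.755:458): avc: denied { getattr } for pid=22932 comm="dovecot-lda" path="/root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1348143259.513:686): avc: denied { search } for pid=1592 comm="dovecot-lda" name="root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
"""

# Permission set, then source/target contexts and object class of one denial record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Third field of user:role:type:level is the SELinux type."""
    return context.split(":")[2]

def parse_denials(text):
    """Aggregate AVC lines into {(source type, target type, class): set(permissions)}."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # PATH, CWD and SYSCALL records carry no denial and are skipped
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def allow_rules(denials):
    """One allow rule per (source, target, class) with the merged permissions."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(denials.items())]

def policy_module(name, denials):
    """Render .te source that checkmodule / semodule_package / semodule can build and load."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(policy_module("local_dovecot_lda", parse_denials(SAMPLE_AVCS)), end="")
```

Because the records were collected in permissive mode, the aggregate is the full set of permissions the delivery needs on admin_home_t:dir (getattr and search), not only the first denial that enforcing mode would stop at. A local module built this way is a stopgap until the fixed selinux-policy from the errata is installed.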