Bug 836241

Summary: selinux policy prevents dovecot domains access to mail_home_rw_t (Maildir)
Product: Red Hat Enterprise Linux 6
Reporter: Tuomo Soini <tis>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Michal Trunecka <mtruneck>
Severity: medium
Priority: medium
Version: 6.3
CC: dominick.grift, dwalsh, ebenes, galens, mgrepl, mmalik, mtruneck, Per.t.Sjoholm, scott-fedora, tis, vchepkov
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 830611
Last Closed: 2013-02-21 08:24:52 UTC
Type: Bug
Attachments:
Backport of the fix for the issue. (flags: none)

Description Tuomo Soini 2012-06-28 13:11:49 UTC
+++ This bug was initially created as a clone of Bug #830611 +++

Description of problem:
dovecot-imap and dovecot-lda are not allowed access to Maildir files/directories once they've been labeled mail_home_rw_t (via current targeted/contexts/files/file_contexts)

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-129.fc17

How reproducible:
Always with selinux enabled

Steps to Reproduce:
1. run restorecon -r /home with selinux enabled
2. configure dovecot with "mail_location = maildir:~/Maildir"
3. enable/start dovecot.service
4. attempt to access/modify a user's mailbox
5. access is denied

Actual results:
Example denials...

avc:  denied  { open } for  pid=26649 comm="imap" name="dovecot.index.log" dev="dm-3" ino=5768536 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file

avc:  denied  { getattr } for  pid=26666 comm="dovecot-lda" path="/home/scott/Maildir" dev="dm-3" ino=6029316 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir

avc:  denied  { read } for  pid=27907 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file

Expected results:

Access should be allowed.

Additional info:
I read through the source policy, and there appear to be missing entries in services/dovecot.te.  I added the following to a custom module, and once loaded the above denials disappeared:

#======temp fix: dovecot-lda can't manage mail_home_rw_t=====
mta_mailserver_delivery(dovecot_deliver_t)
#======temp fix: imap can't manage mail_home_rw_t=====
mta_mailserver_delivery(dovecot_t)
#====temp fix: symlinks can't be read in Maildir=====
read_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)

I've tried the latest selinux policy from Koji (-129 atm), and the above workaround is still required or the denials above are still encountered.

--- Additional comment from mgrepl on 2012-06-11 05:24:12 EDT ---

This is fixed in F18. Fixing also in F17.

Fixed in selinux-policy-3.10.0-130.fc17

--- Additional comment from updates on 2012-06-11 17:02:26 EDT ---

selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17

--- Additional comment from scott-redhat on 2012-06-11 17:26:00 EDT ---

Installed and tested -130, but problem is still present.

I see from the source file that mta_read_home_rw() is set for dovecot_t and dovecot_deliver_t, but these only allow read access from those domains.

dovecot allows message move, delete, index creation, even directory creation (and supports reading symlinks for mailbox aliases, although not creating them).

Example denials that remain:

avc:  denied  { write } for  pid=6009 comm="imap" name="dovecot.index.log" dev="dm-3" ino=6422913 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file

avc:  denied  { rename } for  pid=6009 comm="imap" name="1339449041.M782844P6009.shambarger.net" dev="dm-3" ino=6450101 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file

avc:  denied  { read } for  pid=5985 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file

So dovecot does require the 3 entries (or their equivalent) in the bug description above.  Please let me know if there's another configuration option (perhaps a boolean) that I'm missing to permit dovecot r/w access to the Maildir directory :)

--- Additional comment from mgrepl on 2012-06-12 07:46:47 EDT ---

Ok, so it needs r/w.

--- Additional comment from updates on 2012-06-15 19:59:24 EDT ---

Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).

--- Additional comment from scott-redhat on 2012-06-16 16:35:51 EDT ---

See comment 3, selinux-policy-3.10.0-130 still does not permit r/w access -- the 3 line fix in the bug description is all that's required :)

--- Additional comment from updates on 2012-06-16 20:04:23 EDT ---

selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from scott-redhat on 2012-06-17 05:10:29 EDT ---

Bug has not been solved (for reasons listed above).  Should not be closed until resolved.

--- Additional comment from mgrepl on 2012-06-18 12:23:18 EDT ---

Fixed in selinux-policy-3.10.0-131.fc17

--- Additional comment from updates on 2012-06-19 03:58:13 EDT ---

selinux-policy-3.10.0-132.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-132.fc17

--- Additional comment from scott-redhat on 2012-06-19 17:03:25 EDT ---

Tried selinux-policy-3.10.0-132, and dovecot_deliver_t still doesn't have Read/Write access to mail_home_rw_t... And neither dovecot_t nor dovecot_deliver_t have read access to symlinks.  From audit2allow:

#============= dovecot_deliver_t ==============
allow dovecot_deliver_t mail_home_rw_t:dir { write remove_name read add_name };
allow dovecot_deliver_t mail_home_rw_t:file { write rename create unlink setattr };
allow dovecot_deliver_t mail_home_rw_t:lnk_file read;

#============= dovecot_t ==============
allow dovecot_t mail_home_rw_t:lnk_file read;

I've checked the source package, and will attach a patch for policy/modules/services/dovecot.te

--- Additional comment from scott-redhat on 2012-06-19 17:04:08 EDT ---

Created attachment 593070 [details]
Patch to policy/modules/services/dovecot.te

--- Additional comment from scott-redhat on 2012-06-19 17:06:16 EDT ---

Note: in the patch I removed mta_read_home_rw(dovecot_t) as it's a subset of the already included mta_manage_home_rw(dovecot_t)

--- Additional comment from dwalsh on 2012-06-19 17:17:03 EDT ---

Miroslav please back port cffaac2f88d8d771da6d8b0262678201f67b68f4

--- Additional comment from updates on 2012-06-19 20:28:37 EDT ---

selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from scott-redhat on 2012-06-19 22:52:46 EDT ---

As listed above, still not fixed in 3.10.0-132

--- Additional comment from mgrepl on 2012-06-20 04:24:42 EDT ---

Yes, the problem is I did not remove this bug from the update system.

Fixed in 3.10.0-133

--- Additional comment from scott-redhat on 2012-06-22 20:04:16 EDT ---

3.10.0-133 appears to fix the problem!  Tested all my problem cases, and no denials appeared. :)

Thanks!
Scott

--- Additional comment from updates on 2012-06-26 17:47:28 EDT ---

selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17

--- Additional comment from updates on 2012-06-27 23:37:16 EDT ---

Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).
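The denials quoted in this report, and the full audit records in the later comments, all follow the same AVC format, and the audit2allow output above is just those records grouped by (source type, target type, object class). The following is an added example, not code from this bug or from the selinux-policy project: a small parser that reduces raw AVC lines (both the bare "avc: denied" form and the "type=AVC msg=audit(...)" form) to allow-rule syntax, and flags denials whose target is not the expected Maildir type, so that a denial against admin_home_t (mail going to /root) stands out from the mail_home_rw_t denials this bug is about. The sample log is constructed from lines quoted in this report; the SYSCALL record is shortened.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from this bug report (one SYSCALL record
# shortened). Two shapes are covered: the bare "avc:  denied" line as pasted by the
# reporter, and the "type=AVC msg=audit(...)" record as written by auditd.
SAMPLE_AUDIT_LOG = """\
avc:  denied  { open } for  pid=26649 comm="imap" name="dovecot.index.log" dev="dm-3" ino=5768536 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
avc:  denied  { getattr } for  pid=26666 comm="dovecot-lda" path="/home/scott/Maildir" dev="dm-3" ino=6029316 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir
avc:  denied  { read } for  pid=27907 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file
avc:  denied  { write } for  pid=6009 comm="imap" name="dovecot.index.log" dev="dm-3" ino=6422913 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file
avc:  denied  { rename } for  pid=6009 comm="imap" name="1339449041.M782844P6009.shambarger.net" dev="dm-3" ino=6450101 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
type=AVC msg=audit(1348141519.305:455): avc:  denied  { getattr } for  pid=22857 comm="dovecot-lda" path="/root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1348141519.305:455): arch=c000003e syscall=4 success=yes exit=0 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda"
"""

# Matches the permission set and the three fields that decide which allow rule is
# needed. search() is used so the "type=AVC msg=audit(...):" prefix does not matter.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into (source_type, target_type, tclass, perms), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # PATH, CWD, SYSCALL and other record types carry no denial
    return (
        context_type(m.group("scontext")),
        context_type(m.group("tcontext")),
        m.group("tclass"),
        frozenset(m.group("perms").split()),
    )


def summarize_denials(log_text):
    """Group denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def render_allow_rules(rules):
    """Render the grouped denials in allow-rule syntax, one rule per (source, target, class)."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        lines.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return lines


def flag_unexpected_targets(rules, expected_target="mail_home_rw_t"):
    """Return the (source, target, class) keys whose target is not the Maildir type.

    A denial against any other type (admin_home_t here) is not the mislabelled-Maildir
    problem and deserves its own look before any rule is written for it.
    """
    return sorted(key for key in rules if key[1] != expected_target)


if __name__ == "__main__":
    grouped = summarize_denials(SAMPLE_AUDIT_LOG)
    for rule in render_allow_rules(grouped):
        print(rule)
    for key in flag_unexpected_targets(grouped):
        print("unexpected target:", key)
```

Run against the sample, this prints one allow rule per (source, target, class) triple and reports the dovecot_deliver_t/admin_home_t/dir denial as an unexpected target. The rendered rules are the raw permissions the AVCs ask for; in a real policy they are expressed through interfaces such as mta_manage_home_rw() rather than copied in verbatim, and each denial is reviewed before anything is allowed.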

Comment 1 Tuomo Soini 2012-06-28 13:12:31 UTC
Buggy policy was backported to rhel-6.3 - same fix is needed.

Comment 3 RHEL Program Management 2012-07-10 06:31:32 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 4 Tuomo Soini 2012-07-10 15:01:11 UTC
Created attachment 597365 [details]
Backport of the fix for the issue.

I'd strongly request a Z-stream fix for the issue - this problem breaks dovecot delivery to Maildir format mailboxes totally when the system is in enforcing mode.

Comment 5 RHEL Program Management 2012-07-11 01:57:20 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 6 Miroslav Grepl 2012-07-17 10:37:56 UTC
Fixed in selinux-policy-3.7.19-156

Comment 7 Michal Trunecka 2012-09-20 11:51:41 UTC
While running dovecot as LDA delivering mail into ~/Maildir, the following AVCs were reported. These are AVCs from permissive mode, so no more than a getattr operation is needed.

----
time->Thu Sep 20 13:45:19 2012
type=PATH msg=audit(1348141519.305:455): item=0 name="/root" inode=19 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1348141519.305:455):  cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1348141519.305:455): arch=c000003e syscall=4 success=yes exit=0 a0=fca520 a1=7fff2b72f430 a2=7fff2b72f430 a3=7fff2b72f0f0 items=1 ppid=22855 pid=22857 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=3 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)
type=AVC msg=audit(1348141519.305:455): avc:  denied  { getattr } for  pid=22857 comm="dovecot-lda" path="/root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Thu Sep 20 13:45:23 2012
type=PATH msg=audit(1348141523.755:458): item=0 name="/root" inode=19 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1348141523.755:458):  cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1348141523.755:458): arch=c000003e syscall=4 success=yes exit=0 a0=1077520 a1=7fff702ca160 a2=7fff702ca160 a3=7fff702c9e20 items=1 ppid=22878 pid=22932 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=3 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)
type=AVC msg=audit(1348141523.755:458): avc:  denied  { getattr } for  pid=22932 comm="dovecot-lda" path="/root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

Version of selinux policy:
selinux-policy-3.7.19-162.el6.noarch
selinux-policy-targeted-3.7.19-162.el6.noarch
selinux-policy-mls-3.7.19-162.el6.noarch

# matchpathcon /root
/root	system_u:object_r:admin_home_t:s0

Comment 8 Michal Trunecka 2012-09-20 12:16:40 UTC
This is another AVC:

----
time->Thu Sep 20 14:14:19 2012
type=PATH msg=audit(1348143259.513:686): item=0 name="/root" inode=19 dev=fd:00 mode=040551 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1348143259.513:686):  cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1348143259.513:686): arch=c000003e syscall=80 success=yes exit=0 a0=e1aa31 a1=7f65b9f143f0 a2=0 a3=7fffd929c1b0 items=1 ppid=1590 pid=1592 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=3 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)
type=AVC msg=audit(1348143259.513:686): avc:  denied  { search } for  pid=1592 comm="dovecot-lda" name="root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

Comment 9 Daniel Walsh 2012-09-28 10:30:28 UTC
So you intend to deliver mail to /root/Maildir

Comment 10 Tuomo Soini 2012-09-28 12:31:05 UTC
I deliberately did not include the possibility for that in my patch. If that is wanted I'd add a boolean for it.

Comment 11 Daniel Walsh 2012-09-28 15:36:12 UTC
No we can allow it.

I have added a fix for F18.

Comment 14 errata-xmlrpc 2013-02-21 08:24:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html