Bug 983217
| Summary: | SELinux prevents dovecot from using pam_oddjob_mkhomedir to create a new user's home directory | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Orion Poplawski <orion> | |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 6.4 | CC: | dwalsh, mmalik, mtruneck, orion | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.7.19-230.el6 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1005246 (view as bug list) | Environment: | ||
| Last Closed: | 2013-11-21 10:32:25 UTC | Type: | Bug | |
| Bug Blocks: | 1005246 | |||
With dontaudit disabled, I'm also seeing the following:
type=AVC msg=audit(1373478897.604:200700): avc: denied { search } for pid=23886 comm="mkhomedir" name="files" dev=dm-0 ino=2768 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1373478897.604:200701): avc: denied { read } for pid=23886 comm="mkhomedir" name="file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.604:200701): avc: denied { open } for pid=23886 comm="mkhomedir" name="file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.604:200702): avc: denied { getattr } for pid=23886 comm="mkhomedir" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.705:200703): avc: denied { read write } for pid=23886 comm="mkhomedir" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1373478897.705:200703): avc: denied { open } for pid=23886 comm="mkhomedir" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1373478897.706:200704): avc: denied { check_context } for pid=23886 comm="mkhomedir" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1373478897.706:200705): avc: denied { setfscreate } for pid=23886 comm="mkhomedir" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
which appear to be mkhomedir — note that it is still running as dovecot_auth_t, per the scontext — reading the file_contexts database and the selinuxfs `context` node so it can compute and then set (setfscreate) the file-creation context for the new home directory. That labeling work is being done by the auth worker itself rather than in a dedicated helper domain.
This is what I ended up with:
# First-cut local module generated from the AVCs above (audit2allow style).
# NOTE(review): it makes dovecot_auth_t -- the Dovecot auth worker -- the
# domain that creates and populates home directories itself, rather than
# letting mkhomedir run in a dedicated helper domain.  That is a much larger
# grant than the interface-based module proposed later in this thread
# (dbus_system_bus_client / oddjob_dbus_chat / oddjob_domtrans_mkhomedir);
# the comments below spell out what each group of rules hands to the auth
# worker.
module dovecot_mkhomedir 1.0;
require {
type home_root_t;
type system_dbusd_var_run_t;
type security_t;
type user_home_dir_t;
type dovecot_auth_t;
type user_home_t;
type system_dbusd_t;
type selinux_config_t;
type procmail_home_t;
type oddjob_mkhomedir_exec_t;
type default_context_t;
type file_context_t;
type oddjob_t;
class fifo_file { read write getattr };
class process { siginh sigchld noatsecure setfscreate transition rlimitinh };
class unix_stream_socket connectto;
class dbus send_msg;
class capability { fowner fsetid };
class file { write getattr entrypoint setattr read create open };
class sock_file write;
class security check_context;
class dir { search setattr create write getattr add_name };
}
#============= dovecot_auth_t ==============
# Label lookups for the new directory: mkhomedir (running as dovecot_auth_t,
# per the scontext in the AVCs) reads the contexts directory and file_contexts.
allow dovecot_auth_t default_context_t:dir search;
allow dovecot_auth_t file_context_t:dir search;
allow dovecot_auth_t file_context_t:file { read getattr open };
#!!!! The source type 'dovecot_auth_t' can write to a 'dir' of the following types:
# pcscd_var_run_t, postfix_private_t, dovecot_var_run_t, tmp_t, dovecot_auth_tmp_t
# Create new entries directly under /home (home_root_t) from the auth worker.
allow dovecot_auth_t home_root_t:dir { write search getattr add_name };
# The AVCs show oddjobd exec-ing the helper with a transition *into*
# dovecot_auth_t, so the helper binary has to be an entrypoint for this
# domain; there is no separate helper domain in this module.
allow dovecot_auth_t oddjob_mkhomedir_exec_t:file entrypoint;
# D-Bus round trip with oddjobd, plus the pipes and sigchld oddjobd uses for
# the helper it forks.
allow dovecot_auth_t oddjob_t:dbus send_msg;
allow dovecot_auth_t oddjob_t:fifo_file { read write getattr };
allow dovecot_auth_t oddjob_t:process sigchld;
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# pcscd_var_run_t, dovecot_auth_tmp_t
# Writing ~/.procmailrc from the auth domain.  Anything that subverts the
# auth worker could then plant procmail recipes that run as the user.
allow dovecot_auth_t procmail_home_t:file { write create open setattr };
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# faillog_t, initrc_var_run_t, pcscd_var_run_t, dovecot_auth_tmp_t
# Read/write on the selinuxfs context node plus check_context and the
# setfscreate rule below: the domain can choose the label of files it creates.
allow dovecot_auth_t security_t:file { read write open };
allow dovecot_auth_t security_t:security check_context;
# CAP_FOWNER (3) / CAP_FSETID (4) -- the AVCs request them right after the
# .bash_profile setattr, presumably chown/chmod of the copied skeleton files.
allow dovecot_auth_t self:capability { fowner fsetid };
allow dovecot_auth_t self:process setfscreate;
allow dovecot_auth_t selinux_config_t:dir search;
allow dovecot_auth_t selinux_config_t:file { read getattr open };
# System-bus client access (what dbus_system_bus_client() would provide).
allow dovecot_auth_t system_dbusd_t:dbus send_msg;
allow dovecot_auth_t system_dbusd_t:unix_stream_socket connectto;
allow dovecot_auth_t system_dbusd_var_run_t:dir search;
allow dovecot_auth_t system_dbusd_var_run_t:sock_file write;
#!!!! The source type 'dovecot_auth_t' can write to a 'dir' of the following type:
# dovecot_auth_tmp_t
# Create/modify any home directory and the files inside it: the AVCs show
# user_home_dir_t on several different users, i.e. the type is not per-user.
allow dovecot_auth_t user_home_dir_t:dir { write search setattr create getattr add_name };
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# pcscd_var_run_t, dovecot_auth_tmp_t
allow dovecot_auth_t user_home_t:file { write create open setattr };
#============= oddjob_t ==============
# Reverse direction: the D-Bus reply from oddjobd, and forking the helper into
# dovecot_auth_t while inheriting rlimits/signal state and skipping AT_SECURE.
allow oddjob_t dovecot_auth_t:dbus send_msg;
allow oddjob_t dovecot_auth_t:process { siginh rlimitinh transition noatsecure };
Would the following do it all for you?

optional_policy(`
    dbus_system_bus_client(dovecot_auth_t)
    optional_policy(`
        oddjob_dbus_chat(dovecot_auth_t)
        oddjob_domtrans_mkhomedir(dovecot_auth_t)
    ')
')

That seems likely. How could I test it out?

policy_module(mydovecot, 1.0)
gen_require(`
    type dovecot_auth_t;
')
optional_policy(`
    dbus_system_bus_client(dovecot_auth_t)
    optional_policy(`
        oddjob_dbus_chat(dovecot_auth_t)
        oddjob_domtrans_mkhomedir(dovecot_auth_t)
    ')
')

Create a mydovecot.te file that looks like this, then build and load it:

make -f /usr/share/selinux/devel/Makefile mydovecot.pp
semodule -i mydovecot.pp

Should do the trick. You would need to remove your custom policy first (`semodule -r dovecot_mkhomedir`) to make sure the new module works on its own. I checked code like this in to Fedora.

Sorry for the delay. I still needed to allow:
type=AVC msg=audit(1374524030.963:126478): avc: denied { search } for pid=16235 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
for dovecot to check if the home directory existed or not before creating it. Otherwise it fails to create it.
Also, I still get:
type=AVC msg=audit(1374524303.673:126581): avc: denied { getattr } for pid=16235 comm="auth" path="/home/milliff" dev=dm-2 ino=2490370 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
as users log in and dovecot stats their home directory (the PAM session check), although I don't know whether this causes any problems. It doesn't appear to.
Commit f2909eace947c015a0a9a6dc2d29cbdebc6695af adds this to git.

With 3.7.19-210.el6 I still see:
type=AVC msg=audit(1375906813.610:434833): avc: denied { search } for pid=30211 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
and:
type=AVC msg=audit(1375906876.518:434847): avc: denied { write } for pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key
type=AVC msg=audit(1375906876.519:434848): avc: denied { search } for pid=31655 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1375906876.520:434850): avc: denied { write } for pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key
type=AVC msg=audit(1375906876.520:434850): avc: denied { setattr } for pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key
and the home directory is not created. (The `key` class denials are dovecot_auth_t acting on its own kernel keyring — scontext equals tcontext — and are separate from the home_root_t search; if they turn out to matter they need a rule of their own, e.g. `allow dovecot_auth_t self:key { write setattr };`.)
Note also a bug in the selinux-policy-targeted %post script:
semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec -r corosync -r pacemaker -r amavis -r clamav2>/dev/null
A space is needed before the `2`: as written, the shell tokenizes `clamav2>/dev/null` as the word `clamav2` followed by a plain `>/dev/null`, so semodule is asked to remove a module named `clamav2` (not `clamav`) and it is stdout, not stderr, that gets redirected.
Does it work with a local policy built from these AVC messages?

Fixing the spec-file problem.

Thank you for testing. I was using this and it was working:
# Interface-based replacement for the hand-rolled module above (the working
# version the maintainer posted).  The interfaces grant system-bus client
# access, the D-Bus chat with oddjobd and the domain transition that is meant
# to keep mkhomedir out of dovecot_auth_t, so the auth worker itself only
# needs two extra rules: search /home and stat the home directory being
# checked (the two AVCs reported above).
# NOTE(review): later comments in this thread still show the helper running
# as dovecot_auth_t with this module loaded, so verify that the transition
# actually happens (scontext of comm="mkhomedir" in the audit log) before
# relying on it in enforcing mode.
policy_module(mydovecot, 1.0)
gen_require(`
type dovecot_auth_t;
type user_home_dir_t;
type home_root_t;
class dir { search getattr };
')
# Wrapped in optional_policy so the module still builds on a system without
# the dbus / oddjob policy modules.
optional_policy(`
dbus_system_bus_client(dovecot_auth_t)
optional_policy(`
oddjob_dbus_chat(dovecot_auth_t)
oddjob_domtrans_mkhomedir(dovecot_auth_t)
')
')
# Let the PAM session code look for the home directory before asking oddjob
# to create it: search and getattr only, no write access to user data from
# this domain.
allow dovecot_auth_t home_root_t:dir { search };
allow dovecot_auth_t user_home_dir_t:dir { getattr };
With -211 I see:
type=AVC msg=audit(1376065073.994:510880): avc: denied { search } for pid=11371 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
and it fails.
And are you getting more AVCs in permissive mode?

With -213 in permissive mode:
type=AVC msg=audit(1377711892.246:38895855): avc: denied { search } for pid=16815 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1377711892.246:38895855): avc: denied { write } for pid=16815 comm="auth" name="system_bus_socket" dev=dm-0 ino=148 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1377711892.246:38895855): avc: denied { connectto } for pid=16815 comm="auth" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1377711892.259:38895856): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=16815 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1377711892.266:38895857): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=16815 tpid=5564 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1377711892.331:38895858): avc: denied { transition } for pid=24820 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc: denied { entrypoint } for pid=24820 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=AVC msg=audit(1377711892.331:38895858): avc: denied { read } for pid=24820 comm="mkhomedir" path="pipe:[61970950]" dev=pipefs ino=61970950 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.331:38895858): avc: denied { write } for pid=24820 comm="mkhomedir" path="pipe:[61970951]" dev=pipefs ino=61970951 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.331:38895858): avc: denied { rlimitinh } for pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc: denied { siginh } for pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc: denied { noatsecure } for pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.344:38895859): avc: denied { getattr } for pid=24820 comm="mkhomedir" path="pipe:[61970950]" dev=pipefs ino=61970950 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.456:38895860): avc: denied { write } for pid=24820 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1377711892.456:38895860): avc: denied { add_name } for pid=24820 comm="mkhomedir" name="schuck" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1377711892.456:38895860): avc: denied { create } for pid=24820 comm="mkhomedir" name="schuck" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.471:38895861): avc: denied { setattr } for pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc: denied { search } for pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc: denied { write } for pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc: denied { add_name } for pid=24820 comm="mkhomedir" name=".bash_profile" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc: denied { create } for pid=24820 comm="mkhomedir" name=".bash_profile" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895862): avc: denied { write open } for pid=24820 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1835021 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895863): avc: denied { setattr } for pid=24820 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1835021 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895864): avc: denied { fowner } for pid=24820 comm="mkhomedir" capability=3 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1377711892.478:38895864): avc: denied { fsetid } for pid=24820 comm="mkhomedir" capability=4 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1377711892.479:38895865): avc: denied { create } for pid=24820 comm="mkhomedir" name=".procmailrc" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.479:38895865): avc: denied { write open } for pid=24820 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1835023 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.479:38895866): avc: denied { setattr } for pid=24820 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1835023 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.481:38895867): avc: denied { sigchld } for pid=5565 comm="oddjobd" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process
type=USER_AVC msg=audit(1377711893.486:38895873): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.170 spid=5564 tpid=16815 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
dovecot 1.11.1
What is the path to mkhomedir in your case, and its labeling?

-rwxr-xr-x. root root system_u:object_r:oddjob_mkhomedir_exec_t:s0 /usr/libexec/oddjob/mkhomedir

It seems as if the transition that should be specified by oddjob_domtrans_mkhomedir(dovecot_auth_t) isn't happening?

Yes, for a reason. (The AVCs above show the exec being performed by oddjobd itself — scontext oddjob_t — with an attempted transition into dovecot_auth_t, i.e. oddjobd is launching the helper in the D-Bus caller's context rather than dovecot_auth_t executing it; a domtrans rule keyed on dovecot_auth_t executing the helper therefore never applies.)
type=AVC msg=audit(1377711892.479:38895865): avc: denied { create } for pid=24820 comm="mkhomedir" name=".procmailrc" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html
Description of problem: I need to be able to create a user's home directory when they log into dovecot. I've enabled pam_oddjob_mkhomedir and configured dovedot to initialize a PAM session. However in enforcing mode dovecot fails to create the home directory and I get the following avc: type=AVC msg=audit(1373476838.413:199907): avc: denied { search } for pid=20976 comm="auth" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir which seems to be the dovecot auth command (perhaps running pam_oddjob_mkhomedir.so code) trying to check and see if the home directory exists. In permissive mode, I get the following denials: type=AVC msg=audit(1373476863.232:199921): avc: denied { search } for pid=20976 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir type=AVC msg=audit(1373476863.232:199921): avc: denied { write } for pid=20976 comm="auth" name="system_bus_socket" dev=dm-0 ino=148 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file type=AVC msg=audit(1373476863.232:199921): avc: denied { connectto } for pid=20976 comm="auth" path="/var/run/dbus/system_bus_socket" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=USER_AVC msg=audit(1373476863.243:199922): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=20976 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' 
type=USER_AVC msg=audit(1373476863.245:199923): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=20976 tpid=11356 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=AVC msg=audit(1373476863.253:199924): avc: denied { transition } for pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process type=AVC msg=audit(1373476863.253:199924): avc: denied { entrypoint } for pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file type=AVC msg=audit(1373476863.253:199924): avc: denied { read } for pid=21313 comm="mkhomedir" path="pipe:[14448611]" dev=pipefs ino=14448611 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file type=AVC msg=audit(1373476863.253:199924): avc: denied { write } for pid=21313 comm="mkhomedir" path="pipe:[14448612]" dev=pipefs ino=14448612 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file type=AVC msg=audit(1373476863.253:199924): avc: denied { rlimitinh } for pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process type=AVC msg=audit(1373476863.253:199924): avc: denied { siginh } for pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 
tclass=process type=AVC msg=audit(1373476863.253:199924): avc: denied { noatsecure } for pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process type=AVC msg=audit(1373476863.260:199925): avc: denied { getattr } for pid=21313 comm="mkhomedir" path="pipe:[14448611]" dev=pipefs ino=14448611 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file type=AVC msg=audit(1373476863.262:199926): avc: denied { search } for pid=21313 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1373476863.263:199927): avc: denied { getattr } for pid=21313 comm="mkhomedir" path="/home" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1373476863.372:199928): avc: denied { write } for pid=21313 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1373476863.372:199928): avc: denied { add_name } for pid=21313 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1373476863.372:199928): avc: denied { create } for pid=21313 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1373476863.372:199929): avc: denied { setattr } for pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1373476863.384:199930): avc: denied { search } for pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 
scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1373476863.384:199930): avc: denied { write } for pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1373476863.384:199930): avc: denied { add_name } for pid=21313 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1373476863.384:199930): avc: denied { create } for pid=21313 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=AVC msg=audit(1373476863.384:199930): avc: denied { write open } for pid=21313 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1572866 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=AVC msg=audit(1373476863.385:199931): avc: denied { setattr } for pid=21313 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1572866 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=AVC msg=audit(1373476863.385:199932): avc: denied { fowner } for pid=21313 comm="mkhomedir" capability=3 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability type=AVC msg=audit(1373476863.385:199932): avc: denied { fsetid } for pid=21313 comm="mkhomedir" capability=4 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability type=AVC msg=audit(1373476863.385:199933): avc: denied { create } for pid=21313 comm="mkhomedir" name=".procmailrc" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file type=AVC 
msg=audit(1373476863.385:199933): avc: denied { write open } for pid=21313 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1572868 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file type=AVC msg=audit(1373476863.386:199934): avc: denied { setattr } for pid=21313 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1572868 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file type=AVC msg=audit(1373476863.388:199935): avc: denied { sigchld } for pid=11357 comm="oddjobd" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process type=USER_AVC msg=audit(1373476864.392:199936): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.55 spid=11356 tpid=20976 scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' I'm kind of surprised that everything runs under the dovecot_auth_t context. I've tried created a policy module for now, but it doesn't appear to be allowing it to label the newly created directory properly. 
Seeing: type=AVC msg=audit(1373477740.405:200297): avc: denied { create } for pid=22682 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1373478197.547:200432): avc: denied { setattr } for pid=23183 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1373478435.653:200501): avc: denied { create } for pid=23455 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1373478435.687:200504): avc: denied { write } for pid=23456 comm="imap" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1373478435.688:200505): avc: denied { write } for pid=23456 comm="imap" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir I'm also seeing periodic messages like: type=AVC msg=audit(1373478241.874:200455): avc: denied { getattr } for pid=23169 comm="auth" path="/home/schuck" dev=dm-2 ino=262147 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir in normal operation with this configuration. Looks like the pam session checks the home directory now. Version-Release number of selected component (if applicable): selinux-policy-3.7.19-195.el6_4.12.noarch