Bug 983217
Summary: | SELinux prevents dovecot from using pam_oddjob_mkhomedir to create a new user's home directory | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Orion Poplawski <orion> | |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
Severity: | medium | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 6.4 | CC: | dwalsh, mmalik, mtruneck, orion | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | selinux-policy-3.7.19-230.el6 | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1005246 (view as bug list) | Environment: | ||
Last Closed: | 2013-11-21 10:32:25 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1005246 |
Description
Orion Poplawski
2013-07-10 17:50:50 UTC
With dontaudit disabled, I'm also seeing the following: type=AVC msg=audit(1373478897.604:200700): avc: denied { search } for pid=23886 comm="mkhomedir" name="files" dev=dm-0 ino=2768 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir type=AVC msg=audit(1373478897.604:200701): avc: denied { read } for pid=23886 comm="mkhomedir" name="file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file type=AVC msg=audit(1373478897.604:200701): avc: denied { open } for pid=23886 comm="mkhomedir" name="file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file type=AVC msg=audit(1373478897.604:200702): avc: denied { getattr } for pid=23886 comm="mkhomedir" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file type=AVC msg=audit(1373478897.705:200703): avc: denied { read write } for pid=23886 comm="mkhomedir" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file type=AVC msg=audit(1373478897.705:200703): avc: denied { open } for pid=23886 comm="mkhomedir" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file type=AVC msg=audit(1373478897.706:200704): avc: denied { check_context } for pid=23886 comm="mkhomedir" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security type=AVC msg=audit(1373478897.706:200705): avc: denied { setfscreate } for pid=23886 comm="mkhomedir" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process which appear to be mkhomedir looking up 
the proper contexts to use. This is what I ended up with: module dovecot_mkhomedir 1.0; require { type home_root_t; type system_dbusd_var_run_t; type security_t; type user_home_dir_t; type dovecot_auth_t; type user_home_t; type system_dbusd_t; type selinux_config_t; type procmail_home_t; type oddjob_mkhomedir_exec_t; type default_context_t; type file_context_t; type oddjob_t; class fifo_file { read write getattr }; class process { siginh sigchld noatsecure setfscreate transition rlimitinh }; class unix_stream_socket connectto; class dbus send_msg; class capability { fowner fsetid }; class file { write getattr entrypoint setattr read create open }; class sock_file write; class security check_context; class dir { search setattr create write getattr add_name }; } #============= dovecot_auth_t ============== allow dovecot_auth_t default_context_t:dir search; allow dovecot_auth_t file_context_t:dir search; allow dovecot_auth_t file_context_t:file { read getattr open }; #!!!! The source type 'dovecot_auth_t' can write to a 'dir' of the following types: # pcscd_var_run_t, postfix_private_t, dovecot_var_run_t, tmp_t, dovecot_auth_tmp_t allow dovecot_auth_t home_root_t:dir { write search getattr add_name }; allow dovecot_auth_t oddjob_mkhomedir_exec_t:file entrypoint; allow dovecot_auth_t oddjob_t:dbus send_msg; allow dovecot_auth_t oddjob_t:fifo_file { read write getattr }; allow dovecot_auth_t oddjob_t:process sigchld; #!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types: # pcscd_var_run_t, dovecot_auth_tmp_t allow dovecot_auth_t procmail_home_t:file { write create open setattr }; #!!!! 
The source type 'dovecot_auth_t' can write to a 'file' of the following types: # faillog_t, initrc_var_run_t, pcscd_var_run_t, dovecot_auth_tmp_t allow dovecot_auth_t security_t:file { read write open }; allow dovecot_auth_t security_t:security check_context; allow dovecot_auth_t self:capability { fowner fsetid }; allow dovecot_auth_t self:process setfscreate; allow dovecot_auth_t selinux_config_t:dir search; allow dovecot_auth_t selinux_config_t:file { read getattr open }; allow dovecot_auth_t system_dbusd_t:dbus send_msg; allow dovecot_auth_t system_dbusd_t:unix_stream_socket connectto; allow dovecot_auth_t system_dbusd_var_run_t:dir search; allow dovecot_auth_t system_dbusd_var_run_t:sock_file write; #!!!! The source type 'dovecot_auth_t' can write to a 'dir' of the following type: # dovecot_auth_tmp_t allow dovecot_auth_t user_home_dir_t:dir { write search setattr create getattr add_name }; #!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types: # pcscd_var_run_t, dovecot_auth_tmp_t allow dovecot_auth_t user_home_t:file { write create open setattr }; #============= oddjob_t ============== allow oddjob_t dovecot_auth_t:dbus send_msg; allow oddjob_t dovecot_auth_t:process { siginh rlimitinh transition noatsecure }; Would the following do it all for you? optional_policy(` dbus_system_bus_client(dovecot_auth_t) optional_policy(` oddjob_dbus_chat(dovecot_auth_t) oddjob_domtrans_mkhomedir(dovecot_auth_t) ') ') That seems likely. How could I test it out? policy_module(mydovecot, 1.0) gen_require(` type dovecot_auth_t; ') optional_policy(` dbus_system_bus_client(dovecot_auth_t) optional_policy(` oddjob_dbus_chat(dovecot_auth_t) oddjob_domtrans_mkhomedir(dovecot_auth_t) ') ') Create a mydovecot.te file that looks like this. make -f /usr/share/selinux/devel/Makefile mydovecot.pp semodule -i mydovecot.pp Should do the trick. Would need to remove your custom policy to make sure it works. I checked in code like this in Fedora. 
Sorry for the delay. I still needed to allow: type=AVC msg=audit(1374524030.963:126478): avc: denied { search } for pid=16235 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir for dovecot to check if the home directory existed or not before creating it. Otherwise it fails to create it. Also, I still get: type=AVC msg=audit(1374524303.673:126581): avc: denied { getattr } for pid=16235 comm="auth" path="/home/milliff" dev=dm-2 ino=2490370 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir as users log in and dovecot checks out their home directory, although I don't know if this causes any problems or not. It doesn't appear to. f2909eace947c015a0a9a6dc2d29cbdebc6695af adds this to git. With 3.7.19-210.el6 I still see: type=AVC msg=audit(1375906813.610:434833): avc: denied { search } for pid=30211 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir and: type=AVC msg=audit(1375906876.518:434847): avc: denied { write } for pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key type=AVC msg=audit(1375906876.519:434848): avc: denied { search } for pid=31655 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1375906876.520:434850): avc: denied { write } for pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key type=AVC msg=audit(1375906876.520:434850): avc: denied { setattr } for pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key and the home directory is not created. 
Note also a bug in the selinux-policy-targeted %post script: semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec -r corosync -r pacemaker -r amavis -r clamav2>/dev/null Need a space before the 2. Does it work with a local policy from these AVC msgs? Fixing spec file problem. Thank you for testing. I was using this and it was working: policy_module(mydovecot, 1.0) gen_require(` type dovecot_auth_t; type user_home_dir_t; type home_root_t; class dir { search getattr }; ') optional_policy(` dbus_system_bus_client(dovecot_auth_t) optional_policy(` oddjob_dbus_chat(dovecot_auth_t) oddjob_domtrans_mkhomedir(dovecot_auth_t) ') ') allow dovecot_auth_t home_root_t:dir { search }; allow dovecot_auth_t user_home_dir_t:dir { getattr }; With -211 I see: type=AVC msg=audit(1376065073.994:510880): avc: denied { search } for pid=11371 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir and it fails. And are you getting more AVC in permissive mode? 
With -213 in permissive: type=AVC msg=audit(1377711892.246:38895855): avc: denied { search } for pid=16815 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir type=AVC msg=audit(1377711892.246:38895855): avc: denied { write } for pid=16815 comm="auth" name="system_bus_socket" dev=dm-0 ino=148 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file type=AVC msg=audit(1377711892.246:38895855): avc: denied { connectto } for pid=16815 comm="auth" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=USER_AVC msg=audit(1377711892.259:38895856): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=16815 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1377711892.266:38895857): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=16815 tpid=5564 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' 
type=AVC msg=audit(1377711892.331:38895858): avc: denied { transition } for pid=24820 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process type=AVC msg=audit(1377711892.331:38895858): avc: denied { entrypoint } for pid=24820 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file type=AVC msg=audit(1377711892.331:38895858): avc: denied { read } for pid=24820 comm="mkhomedir" path="pipe:[61970950]" dev=pipefs ino=61970950 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file type=AVC msg=audit(1377711892.331:38895858): avc: denied { write } for pid=24820 comm="mkhomedir" path="pipe:[61970951]" dev=pipefs ino=61970951 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file type=AVC msg=audit(1377711892.331:38895858): avc: denied { rlimitinh } for pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process type=AVC msg=audit(1377711892.331:38895858): avc: denied { siginh } for pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process type=AVC msg=audit(1377711892.331:38895858): avc: denied { noatsecure } for pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process type=AVC msg=audit(1377711892.344:38895859): avc: denied { getattr } for pid=24820 comm="mkhomedir" path="pipe:[61970950]" dev=pipefs ino=61970950 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file type=AVC msg=audit(1377711892.456:38895860): avc: 
denied { write } for pid=24820 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1377711892.456:38895860): avc: denied { add_name } for pid=24820 comm="mkhomedir" name="schuck" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1377711892.456:38895860): avc: denied { create } for pid=24820 comm="mkhomedir" name="schuck" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1377711892.471:38895861): avc: denied { setattr } for pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1377711892.478:38895862): avc: denied { search } for pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1377711892.478:38895862): avc: denied { write } for pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1377711892.478:38895862): avc: denied { add_name } for pid=24820 comm="mkhomedir" name=".bash_profile" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1377711892.478:38895862): avc: denied { create } for pid=24820 comm="mkhomedir" name=".bash_profile" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=AVC msg=audit(1377711892.478:38895862): avc: denied { write open } for pid=24820 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1835021 scontext=system_u:system_r:dovecot_auth_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=AVC msg=audit(1377711892.478:38895863): avc: denied { setattr } for pid=24820 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1835021 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=AVC msg=audit(1377711892.478:38895864): avc: denied { fowner } for pid=24820 comm="mkhomedir" capability=3 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability type=AVC msg=audit(1377711892.478:38895864): avc: denied { fsetid } for pid=24820 comm="mkhomedir" capability=4 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability type=AVC msg=audit(1377711892.479:38895865): avc: denied { create } for pid=24820 comm="mkhomedir" name=".procmailrc" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file type=AVC msg=audit(1377711892.479:38895865): avc: denied { write open } for pid=24820 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1835023 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file type=AVC msg=audit(1377711892.479:38895866): avc: denied { setattr } for pid=24820 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1835023 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file type=AVC msg=audit(1377711892.481:38895867): avc: denied { sigchld } for pid=5565 comm="oddjobd" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process type=USER_AVC msg=audit(1377711893.486:38895873): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.170 spid=5564 tpid=16815 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' dovecot 1.11.1 What is path to mkhomedir in your case + labeling? -rwxr-xr-x. root root system_u:object_r:oddjob_mkhomedir_exec_t:s0 /usr/libexec/oddjob/mkhomedir It seems as if the transition that should be specified by: oddjob_domtrans_mkhomedir(dovecot_auth_t) isn't happening? Yes, for a reason. type=AVC msg=audit(1377711892.479:38895865): avc: denied { create } for pid=24820 comm="mkhomedir" name=".procmailrc" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html |