Bug 1026851 - selinux with procmail and doveadm
selinux with procmail and doveadm
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-05 09:24 EST by W Agtail
Modified: 2014-06-26 22:23 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-74.26.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-26 22:23:07 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description W Agtail 2013-11-05 09:24:37 EST
Description of problem:
selinux is preventing doveadm to be ran with procmail.

Version-Release number of selected component (if applicable):
libselinux-python-2.1.13-15.fc19.x86_64
libselinux-2.1.13-15.fc19.x86_64
libselinux-2.1.13-15.fc19.i686
selinux-policy-3.12.1-74.11.fc19.noarch
dovecot-2.2.6-1.fc19.x86_64
libselinux-utils-2.1.13-15.fc19.x86_64
procmail-3.22-32.fc19.x86_64
selinux-policy-targeted-3.12.1-74.11.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. configure /home/fred/.procmailrc for user fred with the following example:
:0
| doveadm expunge -u fred mailbox Trash savedbefore 1d

Actual results:
Interestingly, selinux notifications are only generated when selinux is set to Permissive.

The following selinux alerts are generated:
SELinux is preventing /usr/bin/doveadm from getattr access on the file /etc/dovecot/dovecot.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that doveadm should be allowed getattr access on the dovecot.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/dovecot.conf [ file ]
Source                        doveadm
Source Path                   /usr/bin/doveadm
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP
                              Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      54c4c7c5-9002-406e-a5cd-d0f1ae559875

Raw Audit Messages
type=AVC msg=audit(1383659897.894:31753): avc:  denied  { getattr } for  pid=8979 comm="doveadm" path="/etc/dovecot/dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file


type=SYSCALL msg=audit(1383659897.894:31753): arch=x86_64 syscall=stat success=yes exit=0 a0=7f1a841889f0 a1=7fff68f05310 a2=7fff68f05310 a3=0 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveadm,procmail_t,dovecot_etc_t,file,getattr

SELinux is preventing /usr/bin/doveconf from read access on the file /etc/dovecot/dovecot.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that doveconf should be allowed read access on the dovecot.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/dovecot.conf [ file ]
Source                        doveconf
Source Path                   /usr/bin/doveconf
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP
                              Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      0a08af9c-4bf7-4335-be5a-d2efe6dfe037

Raw Audit Messages
type=AVC msg=audit(1383659897.895:31754): avc:  denied  { read } for  pid=8979 comm="doveconf" name="dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file


type=AVC msg=audit(1383659897.895:31754): avc:  denied  { open } for  pid=8979 comm="doveconf" path="/etc/dovecot/dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file


type=SYSCALL msg=audit(1383659897.895:31754): arch=x86_64 syscall=open success=yes exit=ENXIO a0=7f765f11b850 a1=0 a2=7f765f113080 a3=0 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveconf,procmail_t,dovecot_etc_t,file,read

SELinux is preventing /usr/bin/doveconf from read access on the directory /etc/dovecot/conf.d.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that doveconf should be allowed read access on the conf.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/conf.d [ dir ]
Source                        doveconf
Source Path                   /usr/bin/doveconf
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP
                              Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      d0d14259-d9fb-48e5-bde3-9ee408cd3971

Raw Audit Messages
type=AVC msg=audit(1383659897.895:31755): avc:  denied  { read } for  pid=8979 comm="doveconf" name="conf.d" dev="md3" ino=2738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir


type=SYSCALL msg=audit(1383659897.895:31755): arch=x86_64 syscall=openat success=yes exit=E2BIG a0=ffffffffffffff9c a1=7ffffc01d480 a2=90800 a3=0 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveconf,procmail_t,dovecot_etc_t,dir,read

SELinux is preventing /usr/bin/doveadm from write access on the sock_file auth-userdb.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that doveadm should be allowed write access on the auth-userdb sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_var_run_t:s0
Target Objects                auth-userdb [ sock_file ]
Source                        doveadm
Source Path                   /usr/bin/doveadm
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP
                              Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      ed68f348-116f-42a4-9991-643b24140186

Raw Audit Messages
type=AVC msg=audit(1383659897.908:31756): avc:  denied  { write } for  pid=8979 comm="doveadm" name="auth-userdb" dev="tmpfs" ino=28773 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=sock_file


type=AVC msg=audit(1383659897.908:31756): avc:  denied  { connectto } for  pid=8979 comm="doveadm" path="/run/dovecot/auth-userdb" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket


type=SYSCALL msg=audit(1383659897.908:31756): arch=x86_64 syscall=connect success=yes exit=0 a0=7 a1=7fff453a0ed0 a2=6e a3=1 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveadm,procmail_t,dovecot_var_run_t,sock_file,write



Expected results:
doveadm to be called via procmailrc without any sealerts.


Additional info:


Thank you
Comment 1 Daniel Walsh 2013-11-11 14:08:16 EST
67495866261f40c83ffa292eae51e1f9f0e22879 fixes this in git.
Comment 3 W Agtail 2013-12-29 08:30:52 EST
Hello, I have updated selinux to: rpm -qa|grep selinux
libselinux-python-2.1.13-15.fc19.x86_64
selinux-policy-3.12.1-74.16.fc19.noarch
selinux-policy-targeted-3.12.1-74.16.fc19.noarch
libselinux-2.1.13-15.fc19.x86_64
libselinux-2.1.13-15.fc19.i686
libselinux-utils-2.1.13-15.fc19.x86_64

The changelog in selinux-policy mentions:
- Allow procmail_t to connect to dovecot stream sockets

From my initial comments above, SELinux is still reporting the the following (same as above):
Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveadm from getattr access on the file /etc/dovecot/dovecot.conf. 
Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the file /etc/dovecot/dovecot.conf. 
Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the file /etc/dovecot/dovecot.conf. 
Dec 29 12:50:05 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the directory /etc/dovecot/conf.d. 

The only exception from my initial comments, is SELinux no longer reports:
SELinux is preventing /usr/bin/doveadm from write access on the sock_file auth-userdb.

Kind Regards.
Comment 4 W Agtail 2014-02-01 15:15:05 EST
Hi, any progress with this one? Thanks
Comment 5 Alan Hamilton 2014-02-12 13:15:14 EST
There's a similar issue with Dovecot's dovecot-lda. This is the recommended method for using procmail to deliver mail to Dovecot Maildirs, in order to update indexes and message flags correctly. See http://wiki2.dovecot.org/procmail

This causes AVC denials.

audit2allow:
#============= procmail_t ==============
allow procmail_t dovecot_deliver_exec_t:file { read open };
allow procmail_t dovecot_etc_t:dir read;
allow procmail_t dovecot_etc_t:file { read getattr open };


audit2allow -R:
require {
        type dovecot_etc_t;
        type procmail_t;
        class file { read getattr open };
        class dir read;
}

#============= procmail_t ==============
allow procmail_t dovecot_etc_t:dir read;
allow procmail_t dovecot_etc_t:file { read getattr open };
mta_mailserver_delivery(procmail_t)
Comment 6 Daniel Walsh 2014-02-14 12:55:49 EST
e265e07f056bd749658f1fe8951ab59cccad0a95 fixes this in git.
Comment 7 Lukas Vrabec 2014-02-15 18:22:16 EST
back ported.
Comment 8 Fedora Update System 2014-02-24 08:16:31 EST
selinux-policy-3.12.1-74.19.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.19.fc19
Comment 9 Fedora Update System 2014-02-25 02:45:14 EST
Package selinux-policy-3.12.1-74.19.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.19.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3030/selinux-policy-3.12.1-74.19.fc19
then log in and leave karma (feedback).
Comment 10 W Agtail 2014-03-15 09:38:57 EDT
Hi, I have updated selinux-policy.

> rpm -q selinux-policy
selinux-policy-3.12.1-74.19.fc19.noarch

It would appear procmail requires access to the dovecot config files:
/etc/dovecot/dovecot.conf
/etc/dovecot/conf.d
/etc/dovecot/conf.d/*

Example:

SELinux is preventing /usr/bin/doveconf from read access on the directory /etc/dovecot/conf.d.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that doveconf should be allowed read access on the conf.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/conf.d [ dir ]
Source                        doveconf
Source Path                   /usr/bin/doveconf
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.10-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.10-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.19.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f19
Platform                      Linux f19 3.12.11-201.fc19.x86_64 #1 SMP
                              Fri Feb 14 19:08:33 UTC 2014 x86_64 x86_64
Alert Count                   9
First Seen                    2014-03-14 07:19:27 GMT
Last Seen                     2014-03-15 09:01:10 GMT
Local ID                      241029c0-4788-4980-93d1-c8634a0fc6af

Raw Audit Messages
type=AVC msg=audit(1394874070.303:11216): avc:  denied  { read } for  pid=23061 comm="doveconf" name="conf.d" dev="md3" ino=2738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir


type=SYSCALL msg=audit(1394874070.303:11216): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7fff561f8c90 a2=90800 a3=0 items=0 ppid=23056 pid=23061 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveconf,procmail_t,dovecot_etc_t,dir,read

Could selinux-policy be updated to accommodate this?
Thanks
Comment 11 Fedora Update System 2014-03-15 11:22:14 EDT
selinux-policy-3.12.1-74.19.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 W Agtail 2014-03-15 12:26:32 EDT
Reopened as per comment 10. Thanks
Comment 13 Daniel Walsh 2014-03-16 16:09:30 EDT
commit 2fab7cb23d316770184f8b6e714be5d82cdf0ca3 fixes this in git.
Comment 14 Lukas Vrabec 2014-03-17 06:10:01 EDT
back ported.
Comment 15 Fedora Update System 2014-03-21 10:36:00 EDT
selinux-policy-3.12.1-74.23.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.23.fc19
Comment 16 Fedora Update System 2014-03-22 01:09:21 EDT
Package selinux-policy-3.12.1-74.23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.23.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4216/selinux-policy-3.12.1-74.23.fc19
then log in and leave karma (feedback).
Comment 17 Fedora Update System 2014-05-07 12:25:58 EDT
selinux-policy-3.12.1-74.26.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.26.fc19
Comment 18 Fedora Update System 2014-06-26 22:23:07 EDT
selinux-policy-3.12.1-74.26.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.