Description of problem:
selinux is preventing doveadm from being run with procmail.

Version-Release number of selected component (if applicable):
libselinux-python-2.1.13-15.fc19.x86_64
libselinux-2.1.13-15.fc19.x86_64
libselinux-2.1.13-15.fc19.i686
selinux-policy-3.12.1-74.11.fc19.noarch
dovecot-2.2.6-1.fc19.x86_64
libselinux-utils-2.1.13-15.fc19.x86_64
procmail-3.22-32.fc19.x86_64
selinux-policy-targeted-3.12.1-74.11.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. configure /home/fred/.procmailrc for user fred with the following example:

:0
| doveadm expunge -u fred mailbox Trash savedbefore 1d

Actual results:
Interestingly, selinux notifications are only generated when selinux is set to Permissive.

The following selinux alerts are generated:

SELinux is preventing /usr/bin/doveadm from getattr access on the file /etc/dovecot/dovecot.conf.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that doveadm should be allowed getattr access on the dovecot.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep doveadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/dovecot.conf [ file ]
Source                        doveadm
Source Path                   /usr/bin/doveadm
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      54c4c7c5-9002-406e-a5cd-d0f1ae559875

Raw Audit Messages
type=AVC msg=audit(1383659897.894:31753): avc: denied { getattr } for pid=8979 comm="doveadm" path="/etc/dovecot/dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1383659897.894:31753): arch=x86_64 syscall=stat success=yes exit=0 a0=7f1a841889f0 a1=7fff68f05310 a2=7fff68f05310 a3=0 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveadm,procmail_t,dovecot_etc_t,file,getattr


SELinux is preventing /usr/bin/doveconf from read access on the file /etc/dovecot/dovecot.conf.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that doveconf should be allowed read access on the dovecot.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/dovecot.conf [ file ]
Source                        doveconf
Source Path                   /usr/bin/doveconf
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      0a08af9c-4bf7-4335-be5a-d2efe6dfe037

Raw Audit Messages
type=AVC msg=audit(1383659897.895:31754): avc: denied { read } for pid=8979 comm="doveconf" name="dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file

type=AVC msg=audit(1383659897.895:31754): avc: denied { open } for pid=8979 comm="doveconf" path="/etc/dovecot/dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1383659897.895:31754): arch=x86_64 syscall=open success=yes exit=ENXIO a0=7f765f11b850 a1=0 a2=7f765f113080 a3=0 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveconf,procmail_t,dovecot_etc_t,file,read


SELinux is preventing /usr/bin/doveconf from read access on the directory /etc/dovecot/conf.d.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that doveconf should be allowed read access on the conf.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/conf.d [ dir ]
Source                        doveconf
Source Path                   /usr/bin/doveconf
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      d0d14259-d9fb-48e5-bde3-9ee408cd3971

Raw Audit Messages
type=AVC msg=audit(1383659897.895:31755): avc: denied { read } for pid=8979 comm="doveconf" name="conf.d" dev="md3" ino=2738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir

type=SYSCALL msg=audit(1383659897.895:31755): arch=x86_64 syscall=openat success=yes exit=E2BIG a0=ffffffffffffff9c a1=7ffffc01d480 a2=90800 a3=0 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveconf,procmail_t,dovecot_etc_t,dir,read


SELinux is preventing /usr/bin/doveadm from write access on the sock_file auth-userdb.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that doveadm should be allowed write access on the auth-userdb sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep doveadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_var_run_t:s0
Target Objects                auth-userdb [ sock_file ]
Source                        doveadm
Source Path                   /usr/bin/doveadm
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.6-1.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f19
Platform                      Linux f19 3.11.6-200.fc19.x86_64 #1 SMP Fri Oct 18 22:34:18 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-11-04 20:02:26 GMT
Last Seen                     2013-11-05 13:58:17 GMT
Local ID                      ed68f348-116f-42a4-9991-643b24140186

Raw Audit Messages
type=AVC msg=audit(1383659897.908:31756): avc: denied { write } for pid=8979 comm="doveadm" name="auth-userdb" dev="tmpfs" ino=28773 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1383659897.908:31756): avc: denied { connectto } for pid=8979 comm="doveadm" path="/run/dovecot/auth-userdb" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1383659897.908:31756): arch=x86_64 syscall=connect success=yes exit=0 a0=7 a1=7fff453a0ed0 a2=6e a3=1 items=0 ppid=1 pid=8979 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveadm,procmail_t,dovecot_var_run_t,sock_file,write

Expected results:
doveadm to be called via procmailrc without any sealerts.

Additional info:
Thank you
67495866261f40c83ffa292eae51e1f9f0e22879 fixes this in git.
Hello,

I have updated selinux to:

rpm -qa|grep selinux
libselinux-python-2.1.13-15.fc19.x86_64
selinux-policy-3.12.1-74.16.fc19.noarch
selinux-policy-targeted-3.12.1-74.16.fc19.noarch
libselinux-2.1.13-15.fc19.x86_64
libselinux-2.1.13-15.fc19.i686
libselinux-utils-2.1.13-15.fc19.x86_64

The changelog in selinux-policy mentions:
- Allow procmail_t to connect to dovecot stream sockets

From my initial comments above, SELinux is still reporting the following (same as above):

Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveadm from getattr access on the file /etc/dovecot/dovecot.conf.
Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the file /etc/dovecot/dovecot.conf.
Dec 29 12:50:04 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the file /etc/dovecot/dovecot.conf.
Dec 29 12:50:05 f19 setroubleshoot: SELinux is preventing /usr/bin/doveconf from read access on the directory /etc/dovecot/conf.d.

The only exception from my initial comments is that SELinux no longer reports:

SELinux is preventing /usr/bin/doveadm from write access on the sock_file auth-userdb.

Kind Regards.
Hi, any progress with this one? Thanks
There's a similar issue with Dovecot's dovecot-lda. This is the recommended method for using procmail to deliver mail to Dovecot Maildirs, in order to update indexes and message flags correctly. See http://wiki2.dovecot.org/procmail

This causes AVC denials.

audit2allow:

#============= procmail_t ==============
allow procmail_t dovecot_deliver_exec_t:file { read open };
allow procmail_t dovecot_etc_t:dir read;
allow procmail_t dovecot_etc_t:file { read getattr open };

audit2allow -R:

require {
	type dovecot_etc_t;
	type procmail_t;
	class file { read getattr open };
	class dir read;
}

#============= procmail_t ==============
allow procmail_t dovecot_etc_t:dir read;
allow procmail_t dovecot_etc_t:file { read getattr open };
mta_mailserver_delivery(procmail_t)
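The raw audit records in the first comment and the audit2allow output in the comment above show the two halves of the local-module workflow the setroubleshoot text recommends. The script below is an added example for this thread, not code from setroubleshoot, audit2allow or the selinux-policy project: it parses AVC records into (source type, target type, class, permissions) tuples, merges them into the allow rules audit2allow would print, and renders a .te module in the `module NAME VERSION;` form that `audit2allow -M` produces. It also pairs each AVC with its SYSCALL record by audit serial, so the `success=yes` records from the Permissive-mode report can be told apart from the `success=no exit=EACCES` record in the later Enforcing-mode report. The sample log is constructed from the records quoted in this bug, with the SYSCALL argument fields trimmed to what the parser reads; the module name is an arbitrary choice.

```python
"""Turn raw SELinux AVC records into the allow rules of a local policy module.

Added example for this bug thread; it is not audit2allow, only a small
re-implementation of its core for the records quoted here.
"""
import re
from collections import defaultdict

# Constructed sample: AVC/SYSCALL records quoted in this thread, SYSCALL
# fields trimmed. The last event is the Enforcing-mode one (success=no).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1383659897.894:31753): avc:  denied  { getattr } for  pid=8979 comm="doveadm" path="/etc/dovecot/dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1383659897.894:31753): arch=x86_64 syscall=stat success=yes exit=0 ppid=1 pid=8979 comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1383659897.895:31754): avc:  denied  { read } for  pid=8979 comm="doveconf" name="dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=AVC msg=audit(1383659897.895:31754): avc:  denied  { open } for  pid=8979 comm="doveconf" path="/etc/dovecot/dovecot.conf" dev="md3" ino=2260 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1383659897.895:31754): arch=x86_64 syscall=open success=yes exit=ENXIO ppid=1 pid=8979 comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1383659897.908:31756): avc:  denied  { write } for  pid=8979 comm="doveadm" name="auth-userdb" dev="tmpfs" ino=28773 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1383659897.908:31756): avc:  denied  { connectto } for  pid=8979 comm="doveadm" path="/run/dovecot/auth-userdb" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1383659897.908:31756): arch=x86_64 syscall=connect success=yes exit=0 ppid=1 pid=8979 comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1394874070.303:11216): avc:  denied  { read } for  pid=23061 comm="doveconf" name="conf.d" dev="md3" ino=2738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1394874070.303:11216): arch=x86_64 syscall=openat success=no exit=EACCES ppid=23056 pid=23061 comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?\bsuccess=(?P<success>yes|no)\b'
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC record. 'blocked' is True when the paired SYSCALL
    record (same audit serial) reports success=no, i.e. the denial was enforced;
    False when the syscall went through anyway (Permissive); None if unpaired."""
    avcs, syscall_failed = [], {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            avcs.append({
                "serial": m["serial"],
                "comm": m["comm"],
                "perms": set(m["perms"].split()),
                "stype": context_type(m["scontext"]),
                "ttype": context_type(m["tcontext"]),
                "tclass": m["tclass"],
            })
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscall_failed[m["serial"]] = (m["success"] == "no")
    for avc in avcs:
        avc["blocked"] = syscall_failed.get(avc["serial"])
    return avcs


def blocked_denials(avcs):
    """AVCs whose syscall actually failed, i.e. what breaks in Enforcing mode."""
    return [a for a in avcs if a["blocked"]]


def collect_rules(avcs):
    """Merge AVCs into {(source_type, target_type, class): set(permissions)}."""
    rules = defaultdict(set)
    for a in avcs:
        rules[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    return dict(rules)


def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module="local_procmail_dovecot", version="1.0"):
    """Render rules as a .te module in the form `audit2allow -M` writes."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {_perm_set(classes[cls])};" for cls in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{cls} {_perm_set(p)};" for (s, t, cls), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_avcs(SAMPLE_AUDIT_LOG)
    for a in blocked_denials(parsed):
        print(f"enforced denial: {a['comm']} {a['stype']} -> {a['ttype']}:{a['tclass']} {sorted(a['perms'])}")
    print(render_te(collect_rules(parsed)))
```

The rendered .te can be built and loaded with the standard tool chain (`checkmodule -M -m -o local_procmail_dovecot.mod local_procmail_dovecot.te`, `semodule_package -o local_procmail_dovecot.pp -m local_procmail_dovecot.mod`, `semodule -i local_procmail_dovecot.pp`). Two caveats a practitioner would apply before doing so: blanket allow rules like these are the stop-gap the setroubleshoot text describes, and the permanent fix in this thread was expressed through policy interfaces (`mta_mailserver_delivery(procmail_t)` in the `audit2allow -R` output above, and a change to let procmail_t connect to dovecot stream sockets per the changelog quoted earlier), which is the form to prefer when one exists; and a `success=yes` SYSCALL next to an AVC means the operation was only logged, not stopped, which is what the Permissive-mode reports in this thread show, while the later `success=no exit=EACCES` record is the one that actually broke doveconf under Enforcing.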
e265e07f056bd749658f1fe8951ab59cccad0a95 fixes this in git.
back ported.
selinux-policy-3.12.1-74.19.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.19.fc19
Package selinux-policy-3.12.1-74.19.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.19.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3030/selinux-policy-3.12.1-74.19.fc19
then log in and leave karma (feedback).
Hi,

I have updated selinux-policy.

> rpm -q selinux-policy
selinux-policy-3.12.1-74.19.fc19.noarch

It would appear procmail requires access to the dovecot config files:

/etc/dovecot/dovecot.conf
/etc/dovecot/conf.d
/etc/dovecot/conf.d/*

Example:

SELinux is preventing /usr/bin/doveconf from read access on the directory /etc/dovecot/conf.d.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that doveconf should be allowed read access on the conf.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot/conf.d [ dir ]
Source                        doveconf
Source Path                   /usr/bin/doveconf
Port                          <Unknown>
Host                          f19
Source RPM Packages           dovecot-2.2.10-1.fc19.x86_64
Target RPM Packages           dovecot-2.2.10-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.19.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f19
Platform                      Linux f19 3.12.11-201.fc19.x86_64 #1 SMP Fri Feb 14 19:08:33 UTC 2014 x86_64 x86_64
Alert Count                   9
First Seen                    2014-03-14 07:19:27 GMT
Last Seen                     2014-03-15 09:01:10 GMT
Local ID                      241029c0-4788-4980-93d1-c8634a0fc6af

Raw Audit Messages
type=AVC msg=audit(1394874070.303:11216): avc: denied { read } for pid=23061 comm="doveconf" name="conf.d" dev="md3" ino=2738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir

type=SYSCALL msg=audit(1394874070.303:11216): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7fff561f8c90 a2=90800 a3=0 items=0 ppid=23056 pid=23061 auid=4294967295 uid=7005 gid=702 euid=7005 suid=7005 fsuid=7005 egid=702 sgid=702 fsgid=702 ses=4294967295 tty=(none) comm=doveconf exe=/usr/bin/doveconf subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: doveconf,procmail_t,dovecot_etc_t,dir,read

Could selinux-policy be updated to accommodate this?

Thanks
selinux-policy-3.12.1-74.19.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Reopened as per comment 10. Thanks
commit 2fab7cb23d316770184f8b6e714be5d82cdf0ca3 fixes this in git.
selinux-policy-3.12.1-74.23.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.23.fc19
Package selinux-policy-3.12.1-74.23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.23.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4216/selinux-policy-3.12.1-74.23.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-74.26.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.26.fc19
selinux-policy-3.12.1-74.26.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.