First Last Prev Next    This bug is not in your last search results.
Bug 1292249 - SELInux denies net_admin capability to dovecot auth
SELInux denies net_admin capability to dovecot auth
Status: CLOSED DUPLICATE of bug 1431859
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dovecot (Show other bugs)
7.2
All Linux
low Severity low
: rc
: ---
Assigned To: Michal Hlavinka
qe-baseos-daemons
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-16 15:07 EST by Orion Poplawski
Modified: 2017-06-22 10:33 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-22 07:26:22 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Orion Poplawski 2015-12-16 15:07:24 EST 
Description of problem:

I see lots of:

type=AVC msg=audit(1450293169.317:688505): avc:  denied  { net_admin } for  pid=30585 comm="auth" capability=12  scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability

No apparent ill effects though.

Version-Release number of selected component (if applicable):
dovecot-2.2.10-5.el7.x86_64
selinux-policy-3.13.1-60.el7.noarch
Comment 2 Miroslav Grepl 2015-12-18 10:26:58 EST 
Are you getting it only for dovecot?
Comment 3 Orion Poplawski 2015-12-18 11:42:43 EST 
That's all I'm seeing it for, yes.
Comment 4 Miroslav Grepl 2016-04-28 09:05:04 EDT 
Michal,
any idea why it is needed?

       CAP_NET_ADMIN
              Perform various network-related operations:
              * interface configuration;
              * administration of IP firewall, masquerading, and accounting;
              * modify routing tables;
              * bind to any address for transparent proxying;
              * set type-of-service (TOS)
              * clear driver statistics;
              * set promiscuous mode;
              * enabling multicasting;
              * use  setsockopt(2)  to  set  the  following  socket  options:  SO_DEBUG,  SO_MARK,  SO_PRIORITY (for a priority outside the range 0 to 6),
                SO_RCVBUFFORCE, and SO_SNDBUFFORCE


Thank you.
Comment 5 Michal Hlavinka 2017-06-20 07:20:07 EDT 
I'm not aware of anything in dovecot that would require CAP_NET_ADMIN capability and did not find anything in the sources. I've asked upstream if there is need for this or not.
Comment 7 Michal Hlavinka 2017-06-22 07:26:22 EDT 
Ok, so I guess we can close this one as duplicate

*** This bug has been marked as a duplicate of bug 1431859 ***
Comment 8 Orion Poplawski 2017-06-22 10:10:21 EDT 
Unfortunately, I cannot access that bug.
Comment 9 Michal Hlavinka 2017-06-22 10:33:02 EDT 
The important thing here is that this should get fixed in rhel-7.4. Fix is ready and verified and if nothing unexpected happens, it should get released with 7.4 update.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.