Description of problem:
I get the following selinux denial (also on other files) since upgrading to Fedora 27. Clearly, the dovecot selinux rules have to be extended with the new "map" access.

SELinux is preventing imap from map access on the file /home/sjoerd/Maildir/dovecot.index.cache.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that imap should be allowed map access on the dovecot.index.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'imap' --raw | audit2allow -M my-imap
# semodule -X 300 -i my-imap.pp

Additional Information:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:mail_home_rw_t:s0
Target Objects                /home/sjoerd/Maildir/dovecot.index.cache [ file ]
Source                        imap
Source Path                   imap
Port                          <Unknown>
Host                          spreeuw.mullender.nl
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     spreeuw.mullender.nl
Platform                      Linux spreeuw.mullender.nl 4.13.11-300.fc27.x86_64 #1 SMP Thu Nov 2 18:20:29 UTC 2017 x86_64 x86_64
Alert Count                   322
First Seen                    2017-11-14 20:12:39 CET
Last Seen                     2017-11-14 20:20:34 CET
Local ID                      1a7398fd-fc19-4f5c-970a-e2e2c54b7f05

Raw Audit Messages
type=AVC msg=audit(1510687234.195:2797): avc:  denied  { map } for  pid=2163 comm="imap" path="/home/sjoerd/Maildir/dovecot.index.cache" dev="sdb1" ino=4743200 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file permissive=0

Hash: imap,dovecot_t,mail_home_rw_t,file,map

Version-Release number of selected component (if applicable):
dovecot-2.2.32-2.fc27.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install and configure dovecot using ~/Maildir as mail store
2. I let postfix deliver using dovecot-lda. This may or may not be relevant.
3.

Actual results:
See above

Expected results:
No denials

Additional info:
I relabeled the system after the upgrade from Fedora 26.
I get the same issue. I'm not using postfix, but rather offlineimap to store the mails in ~/Maildir. It's quite annoying because setroubleshoot will fill the logs and raise the CPU usage quite a lot (I had to remove setroubleshoot-server).
Yes, there appear to be TWO missing policies...

allow dovecot_t mail_home_rw_t:file map;
allow dovecot_deliver_t mail_home_rw_t:file map;

... the second applies to dovecot-lda
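How raw AVC records like the one in this report map onto the two allow rules above, as an added example that is not part of the bug thread or of the selinux-policy source. The first sample record is the one from the report; the dovecot-lda record and the `allow_rules` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# First AVC record: copied from the report. Second and third: constructed
# (a repeat of the imap denial and an assumed dovecot-lda denial of the same shape).
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1510687234.195:2797): avc:  denied  { map } for  pid=2163 comm="imap" path="/home/sjoerd/Maildir/dovecot.index.cache" dev="sdb1" ino=4743200 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1510687235.001:2798): avc:  denied  { map } for  pid=2163 comm="imap" path="/home/sjoerd/Maildir/dovecot.index.cache" dev="sdb1" ino=4743200 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1510687235.001:2798): arch=c000003e syscall=9 success=no
type=AVC msg=audit(1510687300.000:2801): avc:  denied  { map } for  pid=2170 comm="dovecot-lda" path="/home/sjoerd/Maildir/dovecot.index.cache" dev="sdb1" ino=4743200 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one audit line; return None for anything that is not a denial."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['perms'] = match.group(1).split()
    return fields

def allow_rules(audit_text):
    """Collapse repeated denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']), rec['tclass'])
        grouped[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_AUDIT)))
```

Grouping by source type keeps the `dovecot_t` and `dovecot_deliver_t` denials apart, so it is visible which domain each rule would widen before anything is loaded with `semodule`.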
selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9
*** Bug 1516521 has been marked as a duplicate of this bug. ***
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9
Works for dovecot_t, but not for dovecot_deliver_t. Should I log a separate bug?
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.13.1-283.17.fc27 installed but I still have the bug.
Scott: seb: yes, please file separate bugs for any remaining denials. Thanks!
I've filed bug 1531911 for the dovecot-lda denials as requested.