Bug 1513153 - dovecot not allowed to use mmap
Summary: dovecot not allowed to use mmap
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1516521 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-14 20:18 UTC by Sjoerd Mullender
Modified: 2018-01-06 16:42 UTC (History)
20 users (show)

Fixed In Version: selinux-policy-3.13.1-283.17.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-28 23:53:29 UTC
Type: Bug


Attachments (Terms of Use)

Description Sjoerd Mullender 2017-11-14 20:18:38 UTC
Description of problem:
I get the following selinux denial (also on other files) since upgrading to Fedora 27.  Clearly, the dovecot selinux rules have to be extended with the new "map" access.

SELinux is preventing imap from map access on the file /home/sjoerd/Maildir/dovecot.index.cache.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that imap should be allowed map access on the dovecot.index.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'imap' --raw | audit2allow -M my-imap
# semodule -X 300 -i my-imap.pp


Additional Information:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:mail_home_rw_t:s0
Target Objects                /home/sjoerd/Maildir/dovecot.index.cache [ file ]
Source                        imap
Source Path                   imap
Port                          <Unknown>
Host                          spreeuw.mullender.nl
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     spreeuw.mullender.nl
Platform                      Linux spreeuw.mullender.nl 4.13.11-300.fc27.x86_64
                              #1 SMP Thu Nov 2 18:20:29 UTC 2017 x86_64 x86_64
Alert Count                   322
First Seen                    2017-11-14 20:12:39 CET
Last Seen                     2017-11-14 20:20:34 CET
Local ID                      1a7398fd-fc19-4f5c-970a-e2e2c54b7f05

Raw Audit Messages
type=AVC msg=audit(1510687234.195:2797): avc:  denied  { map } for  pid=2163 comm="imap" path="/home/sjoerd/Maildir/dovecot.index.cache" dev="sdb1" ino=4743200 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file permissive=0


Hash: imap,dovecot_t,mail_home_rw_t,file,map



Version-Release number of selected component (if applicable):
dovecot-2.2.32-2.fc27.x86_64

How reproducible:
100%

Steps to Reproduce:
1.install and configure dovecot using ~/Maildir as mail store
2.I let postfix deliver using dovecot-lda.  This may or may not be relevant.
3.

Actual results:
See above

Expected results:
No denials

Additional info:
I relabeled the system after the upgrade from Fedora 26.

Comment 1 Pierguido Lambri 2017-11-16 11:13:00 UTC
I get the same issue.
I'm not using postifx, but rather offlineimap to store the mails in ~/Maildir.
It's quite annoying because setroubleshoot will fill the logs and raise the cpu usage quite a lot (I had to remove setroubleshoot-server)

Comment 2 Scott Shambarger 2017-11-19 00:32:31 UTC
Yes, there appear to be TWO missing policies...

allow dovecot_t mail_home_rw_t:file map;
allow dovecot_deliver_t mail_home_rw_t:file map;

... the second applies to dovecot-lda

Comment 3 Fedora Update System 2017-11-22 08:54:42 UTC
selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 4 Adam Williamson 2017-11-22 20:18:57 UTC
*** Bug 1516521 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2017-11-22 21:41:02 UTC
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 6 Scott Shambarger 2017-11-23 00:48:48 UTC
Works for dovecot_t, but not for dovecot_deliver_t

Should I log a separate bug?

Comment 7 Fedora Update System 2017-11-28 23:53:29 UTC
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 seb 2017-12-17 16:19:56 UTC
selinux-policy-3.13.1-283.17.fc27 installed but I still have the bug.

Comment 9 Adam Williamson 2017-12-18 18:48:32 UTC
Scott: seb: yes, please file separate bugs for any remaining denials. Thanks!

Comment 10 Scott Shambarger 2018-01-06 16:42:09 UTC
I've filed bug 1531911 for the dovecot-lda denials as requested.


Note You need to log in before you can comment on or make changes to this bug.