This is a followup to bug 1513153...

Description of problem:
When postfix is configured to use dovecot-lda for local mail delivery, SELinux prevents dovecot-lda from using mmap, preventing update of the mailbox index file.

# ausearch -m avc
type=AVC msg=audit(1515255440.839:61538): avc: denied { map } for pid=32462 comm="dovecot-lda" path="/home/scott/Maildir/dovecot.index.log" dev="dm-3" ino=6454225 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-283.19.fc27.noarch
postfix-3.2.4-1.fc27.x86_64
dovecot-2.2.32-2.fc27.x86_64

How reproducible:
Always when using dovecot-lda for mailbox delivery.

Steps to Reproduce:
1. Configure postfix normally, but specifically with the following in main.cf:
   mailbox_command = /usr/libexec/dovecot/dovecot-lda
   home_mailbox = Maildir/
2. Configure dovecot normally, but with the following setting:
   mail_location = maildir:~/Maildir
3. Deliver mail to postfix.

Actual results:
Following errors logged...
lda(scott): Error: mmap(/home/scott/Maildir/dovecot.index.log) failed: Permission denied (euid=507(scott) egid=100(users) UNIX perms appear ok (ACL/MAC wrong?))

Expected results:
Mail delivered without errors.

Additional info:
Adding the following permits normal mail delivery without errors
allow dovecot_deliver_t mail_home_rw_t:file map;
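Added example, not part of the original report or of selinux-policy: a small Python parser that derives the allow rule quoted under "Additional info" from the AVC record above and renders it as a local policy module. The module name local_dovecot_lda_map is an assumption; the AVC line is copied from the report.

```python
import re

# AVC record copied from the bug report above.
AVC = ('type=AVC msg=audit(1515255440.839:61538): avc: denied { map } for pid=32462 '
       'comm="dovecot-lda" path="/home/scott/Maildir/dovecot.index.log" dev="dm-3" '
       'ino=6454225 scontext=system_u:system_r:dovecot_deliver_t:s0 '
       'tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file permissive=1')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not a usable denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')))
    try:
        # A context is user:role:type[:level]; the type is the third field.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, sorted(m.group('perms').split())


def local_module(name, denials):
    """Render local policy module source (.te) covering the parsed denials."""
    types = sorted({x for s, t, _, _ in denials for x in (s, t)})
    classes = {}
    for _, _, tclass, perms in denials:
        classes.setdefault(tclass, set()).update(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {{ {" ".join(p)} }};' for s, t, c, p in denials]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Hypothetical module name; review the rule before loading it.
    print(local_module('local_dovecot_lda_map', [parse_avc(AVC)]))
```

The printed source can be built and loaded with checkmodule, semodule_package and semodule -i on a system still running selinux-policy-3.13.1-283.19.fc27; the rule covers only the map permission for dovecot_deliver_t on mail_home_rw_t files, matching the denial.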
selinux-policy-3.13.1-283.26.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2
selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2
selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.