Bug 1578872 - SELinux is preventing dovecot from using the 'dac_override' capabilities.
Summary: SELinux is preventing dovecot from using the 'dac_override' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:629dea9ed6dfe2c3adc5a318ce7...
: 1560704 1582729 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-16 14:19 UTC by John Griffiths
Modified: 2020-07-07 15:41 UTC (History)
19 users (show)

Fixed In Version: selinux-policy-3.14.1-36.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-29 03:22:44 UTC
Type: ---
alanh: needinfo-


Attachments (Terms of Use)

Description John Griffiths 2018-05-16 14:19:58 UTC
Description of problem:
Trying to start dovecot which uses the postfix authorization.
SELinux is preventing dovecot from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that dovecot should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
# semodule -X 300 -i my-dovecot.pp

Additional Information:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:system_r:dovecot_t:s0
Target Objects                Unknown [ capability ]
Source                        dovecot
Source Path                   dovecot
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-24.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.8-300.fc28.x86_64 #1 SMP Wed
                              May 9 20:23:40 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-05-16 10:15:41 EDT
Last Seen                     2018-05-16 10:15:41 EDT
Local ID                      f720295c-da38-400c-a2db-9402d2869a53

Raw Audit Messages
type=AVC msg=audit(1526480141.321:6579): avc:  denied  { dac_override } for  pid=19839 comm="dovecot" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0


Hash: dovecot,dovecot_t,dovecot_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.8-300.fc28.x86_64
type:           libreport

Comment 1 W Agtail 2018-05-18 11:44:12 UTC
Description of problem:
systemctl restart dovecot
SELinux is preventing dovecot from starting due to various dac_override.
Thanks








Version-Release number of selected component:
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.8-300.fc28.x86_64
type:           libreport

Comment 3 John Griffiths 2018-05-22 17:56:29 UTC
What info is needed?

Comment 4 Milos Malik 2018-05-23 08:02:47 UTC
# rpm -qa selinux-policy\* dovecot\* | sort
dovecot-2.2.35-2.fc28.x86_64
selinux-policy-3.14.1-24.fc28.noarch
selinux-policy-devel-3.14.1-24.fc28.noarch
selinux-policy-targeted-3.14.1-24.fc28.noarch
# ausearch -m avc -m user_avc -i
----
type=PROCTITLE msg=audit(05/23/2018 04:01:35.073:423) : proctitle=/usr/sbin/dovecot 
type=PATH msg=audit(05/23/2018 04:01:35.073:423) : item=0 name=/var/lib/dovecot/instances.lock nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/23/2018 04:01:35.073:423) : cwd=/run/dovecot 
type=SYSCALL msg=audit(05/23/2018 04:01:35.073:423) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x5628c3733f38 a1=0x7ffc44bb6950 a2=0x7ffc44bb6950 a3=0x23d8d86000000 items=1 ppid=1 pid=18673 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null) 
type=AVC msg=audit(05/23/2018 04:01:35.073:423) : avc:  denied  { dac_override } for  pid=18673 comm=dovecot capability=dac_override  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0 
----

Comment 5 Milos Malik 2018-05-23 08:03:55 UTC
# ls -ld /var/lib/dovecot/
drwxr-x---. 2 dovecot dovecot 4096 May 23 04:01 /var/lib/dovecot/
# ls -ld /var/lib/dovecot/ssl-parameters.dat 
-rw-r--r--. 1 root root 230 May 23 04:01 /var/lib/dovecot/ssl-parameters.dat
# ls -l /var/lib/dovecot/
total 4
-rw-r--r--. 1 root root 230 May 23 04:01 ssl-parameters.dat
#

Comment 6 Alan Hamilton 2018-05-27 19:47:20 UTC
I ran it with path auditing enabled and got

time->Sun May 27 12:34:17 2018
type=PROCTITLE msg=audit(1527449657.919:196): proctitle="/usr/sbin/dovecot"
type=PATH msg=audit(1527449657.919:196): item=0 name="/var/run/dovecot/login/ipc-proxy" inode=103912 dev=00:16 mode=0140600 ouid=992 ogid=0 rdev=00:00 obj=system_u:object_r:dovecot_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

The issue is that processes lacking the dac_override SELinux permission have file permissions (rwx) enforced against them, even when running as root.

# ls -l /var/run/dovecot/login/ipc-proxy
srw-------. 1 dovenull root 0 May 27 12:34 /var/run/dovecot/login/ipc-proxy

A dovecot process running as root is expecting to be able to access this file, but that isn't true any more. The file (and some others created for user dovenull) should probably be created with permissions 660 rather than 600.

Comment 7 Lukas Vrabec 2018-06-03 13:17:25 UTC
Moving to dovecot. 

Issue is more on dovecot side thant in SELinux side. 

From following syscall we can see that dovecot runs as root:root:
type=SYSCALL msg=audit(05/23/2018 04:01:35.073:423) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x5628c3733f38 a1=0x7ffc44bb6950 a2=0x7ffc44bb6950 a3=0x23d8d86000000 items=1 ppid=1 pid=18673 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null) 
type=AVC msg=audit(05/23/2018 04:01:35.073:423) : avc:  denied  { dac_override } for  pid=18673 comm=dovecot capability=dac_override  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0 

nad trying to access file:
drwxr-x---. 2 dovecot dovecot 4096 May 23 04:01 /var/lib/dovecot/

There are no permissions for others. In DAC could root access all objects on system, but not in MAC. 

Please fix permissions on /var/lib/dovecot.

Comment 8 Michal Hlavinka 2018-06-07 08:05:16 UTC
*** Bug 1582729 has been marked as a duplicate of this bug. ***

Comment 9 Michal Hlavinka 2018-06-07 08:05:54 UTC
*** Bug 1560704 has been marked as a duplicate of this bug. ***

Comment 10 Michal Hlavinka 2018-06-07 08:14:02 UTC
TLDR; dovecot needs dac_override capability

I've checked this and found out that the ownership and permissions as specified in the spec file are correct. If I change it to what was suggested, dovecot will complain and change it back. While it seems that this one (first) selinux denial message could be (maybe,theoretically) fixed, it will fail for other paths. Dovecot splits in a quite a few services (worker processes) and it's not possible to set the permissions and ownerships easily without creating a mess with many artificial ones and thats a no go. Dovecot itself is aware about this capability and that it requires it, see CapabilityBoundingSet at https://bit.ly/2sR2B3Y (this was later removed, as it broke some plugins that require even more)

Comment 11 Fedora Update System 2018-07-25 22:28:20 UTC
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 12 Fedora Update System 2018-07-26 16:30:48 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 13 Fedora Update System 2018-07-29 03:22:44 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Ali 2020-07-07 12:33:27 UTC
Hi all,
>Turn on full auditing
># auditctl -w /etc/shadow -p w

I cannot find this file in Android. How do I turn on fill auditing in Android.

Comment 15 Ali 2020-07-07 12:37:12 UTC
Hi all,
>Turn on full auditing
># auditctl -w /etc/shadow -p w

I cannot find this file in Android. How do I turn on fill auditing in Android.

Comment 16 Alan Hamilton 2020-07-07 15:40:42 UTC
(In reply to Ali from comment #15)
> I cannot find this file in Android. How do I turn on fill auditing in
> Android.

This is the bug tracker for the Fedora and Red Hat Linux distributions. Android issues are over at https://issuetracker.google.com/


Note You need to log in before you can comment on or make changes to this bug.