From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4

Description of problem:
FC4T3 install plus May17 updates. Dovecot won't start from the /etc/init.d/dovecot script. Audit log says

type=AVC msg=audit(1116428511.409:13273466): avc: denied { read } for name=dovecot.pem dev=dm-0 ino=200602 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116428511.409:13273466): syscall=21 arch=c000003e success=no exit=-13 a0=521568 a1=4 a2=410e77 a3=6f items=1 pid=29730 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116428511.409:13273466): item=0 name="/etc/pki/dovecot/dovecot.pem" inode=200602 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00

Strangely, it starts fine from the command line if I just run dovecot as root.

Version-Release number of selected component (if applicable):
dovecot-0.99.14-4.fc4, selinux-policy-targeted-1.23.14-2

How reproducible:
Always

Steps to Reproduce:
1. install dovecot
2. try to start it
3.

Actual Results: dovecot fails to start

Expected Results: dovecot starts

Additional info:
You actually can't even see the errors until you install audit-0.8.1 due to bug #158011
chcon -t dovecot_cert_t /etc/pki/dovecot/dovecot.pem

Should fix it. I will modify policy to fix this problem.

selinux-policy-*-1.23.16-4
I did the chcon and have the new policy and it still fails:

[tjb@wintermute policy]# ls -lZ /etc/pki/dovecot/dovecot.pem
-rw------- root root system_u:object_r:dovecot_cert_t /etc/pki/dovecot/dovecot.pem
[tjb@wintermute policy]#

type=AVC msg=audit(1116596209.572:5451329): avc: denied { read } for name=dovecot.pem dev=dm-0 ino=200601 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116596209.572:5451329): syscall=21 arch=c000003e success=no exit=-13 a0=521588 a1=4 a2=410e77 a3=6f items=1 pid=8022 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116596209.572:5451329): item=0 name="/etc/pki/dovecot/private/dovecot.pem" inode=200601 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
P.S. The thing I don't understand is that if I start it by hand, just "dovecot" as root, it works fine.
chcon -R -t dovecot_cert_t /etc/pki/dovecot

When you run the service out of the service script it is protected via SELinux; when you run it by hand directly it runs under the default context (unconfined_t).
Actually restorecon -R -v /etc/pki should fix it also. Dan
Still no dice:

[tjb@wintermute tjb]# restorecon -R -v /etc/pki
restorecon reset /etc/pki/dovecot/dovecot.pem context system_u:object_r:dovecot_cert_t->system_u:object_r:cert_t
[tjb@wintermute tjb]# /etc/init.d/dovecot stop
Stopping Dovecot Imap: [ OK ]
[tjb@wintermute tjb]# /etc/init.d/dovecot start
Starting Dovecot Imap: [FAILED]
[tjb@wintermute tjb]#

type=AVC msg=audit(1116598755.720:12031051): avc: denied { read } for name=dovecot.pem dev=dm-0 ino=200602 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116598755.720:12031051): syscall=21 arch=c000003e success=no exit=-13 a0=521568 a1=4 a2=410e77 a3=6f items=1 pid=10363 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116598755.720:12031051): item=0 name="/etc/pki/dovecot/dovecot.pem" inode=200602 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00

On running from the init script versus command line, how is the context applied when running from the script? The daemon command invokes a new context and somehow dovecot policy is applied to it? (Excuse the lack of better terms...)
Ok, we have a problem in policy then. For /etc/pki/dovecot do

chcon -R -t dovecot_cert_t /etc/pki/dovecot

And it should work. I will look at policy, but the restorecon should have done the equivalent.

The rules say that when running an init script, say

unconfined_t -> initrc_exec_t -> initrc_t
initrc_t -> dovecot_exec_t -> dovecot_t

ls -lZ /etc/init.d/dovecot
-rwxr-xr-x root root system_u:object_r:initrc_exec_t /etc/init.d/dovecot

When run directly

unconfined_t -> dovecot_exec_t -> unconfined_t
I had the same problem here. chcon -R -t dovecot_cert_t /etc/pki/dovecot fixed the issue here. Dovecot now starts fine from the init.d script. This is with selinux-policy-targeted-1.23.16-6.

(Dovecot still can't actually access my mails, but this seems to be unrelated to this bug, because my mails are on a reiserfs partition, which is known to not work with selinux. I expect this issue to go away when I change my /home to ext3 this weekend:

type=PATH msg=audit(1117146764.477:4455248): item=0 name="/home/andreas" inode=3 dev=fd:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00
type=SYSCALL msg=audit(1117146764.477:4455248): arch=40000003 syscall=12 success=no exit=-13 a0=9e21653 a1=0 a2=3e8 a3=9e20f9c items=1 pid=3236 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
type=AVC msg=audit(1117146764.477:4455248): avc: denied { search } for pid=3236 comm="dovecot" name=andreas dev=dm-2 ino=3 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:file_t tclass=dir )

Thanks.
FYI, running FC4-release (fully updated as of right now). selinux-policy-targeted is somehow fubar'd with respect to the /etc/pki/dovecot/* entries. I have selinux-policy-targeted-source installed, and have manually verified that the policy appears to be correct:

/etc/selinux/targeted/src/policy/file_contexts/file_contexts:/etc/pki/dovecot(/.*)? system_u:object_r:dovecot_cert_t

...but running restorecon (or setfiles) does NOT correctly apply that context:

[root@server selinux]# cd /etc/pki/dovecot/
[root@server dovecot]# ls -lZ
-rw-r--r-- root root system_u:object_r:cert_t dovecot-openssl.cnf
-rw------- root root system_u:object_r:cert_t dovecot.pem
drwxr-xr-x root root system_u:object_r:cert_t private/

Now, if I do "chcon -R -t dovecot_cert_t .", everything seems just fine. Question is, why/how is targeted policy broken and not applying properly?
There is an ordering problem in the file_context file. This is fixed in selinux-policy-targeted-1.23.18-17.src.rpm
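The following is an added illustration, not code from the bug thread or from the selinux-policy package, of how an ordering problem in file_contexts produces exactly the restorecon behaviour reported above. It assumes the older setfiles/restorecon rule that when several specifications match a path the last one in the file wins (later libselinux versions rank matches by specificity instead, so check the version you are on). The two file_contexts excerpts and the starting labels are constructed here; only the paths and context names come from the thread.

```python
import re

# Constructed file_contexts excerpts (not the actual FC4 policy file).
# Format per line: <path regex> [<file type>] <security context>
# BAD_ORDER lists the specific dovecot entry BEFORE the generic /etc/pki entry,
# so under last-match-wins the generic cert_t entry overrides it.
BAD_ORDER = """\
/etc/pki/dovecot(/.*)?    system_u:object_r:dovecot_cert_t
/etc/pki(/.*)?            system_u:object_r:cert_t
"""

# GOOD_ORDER lists the generic entry first, so the specific one matches last and wins.
GOOD_ORDER = """\
/etc/pki(/.*)?            system_u:object_r:cert_t
/etc/pki/dovecot(/.*)?    system_u:object_r:dovecot_cert_t
"""


def parse_file_contexts(text):
    """Return a list of (compiled regex, context) in file order, skipping comments."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ctx = fields
        elif len(fields) == 3:          # optional file-type field such as -- or -d
            regex, _ftype, ctx = fields
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        # file_contexts regexes are anchored at both ends when matched.
        specs.append((re.compile("^" + regex + "$"), ctx))
    return specs


def lookup_context(specs, path):
    """Last matching specification wins (assumed old setfiles behaviour)."""
    winner = None
    for regex, ctx in specs:
        if regex.match(path):
            winner = ctx
    return winner


def restorecon(specs, current_labels):
    """Model `restorecon -v`: return (path, old, new) for every label that would change."""
    changes = []
    for path, old in sorted(current_labels.items()):
        new = lookup_context(specs, path)
        if new is not None and new != old:
            changes.append((path, old, new))
    return changes


# Labels as they stood after the reporter's `chcon -R -t dovecot_cert_t`,
# using the paths shown in the thread's ls -lZ output (constructed dict).
AFTER_CHCON = {
    "/etc/pki/dovecot/dovecot.pem": "system_u:object_r:dovecot_cert_t",
    "/etc/pki/dovecot/private/dovecot.pem": "system_u:object_r:dovecot_cert_t",
    "/etc/pki/dovecot/dovecot-openssl.cnf": "system_u:object_r:dovecot_cert_t",
}

if __name__ == "__main__":
    for name, text in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        print(name)
        for path, old, new in restorecon(parse_file_contexts(text), AFTER_CHCON):
            print("  restorecon reset %s context %s->%s" % (path, old, new))
```

With BAD_ORDER the model resets every file under /etc/pki/dovecot back to cert_t, which is the "dovecot_cert_t->cert_t" reset the reporter saw; with GOOD_ORDER it makes no changes. This is why chcon appeared to work while restorecon kept undoing it: chcon sets the label directly, restorecon recomputes it from the (mis-ordered) file_contexts.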
Seems fixed to me. Others concur?