Bug 158086 - dovecot won't start from init script due to selinux errors
dovecot won't start from init script due to selinux errors
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-05-18 11:09 EDT by Thomas J. Baker
Modified: 2007-11-30 17:11 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-02 15:41:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Thomas J. Baker 2005-05-18 11:09:00 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4

Description of problem:
FC4T3 install plus May17 updates. Dovecot won't start from the /etc/init.d/dovecot script. Audit log says

type=AVC msg=audit(1116428511.409:13273466): avc:  denied  { read } for  name=dovecot.pem dev=dm-0 ino=200602 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116428511.409:13273466): syscall=21 arch=c000003e success=no exit=-13 a0=521568 a1=4 a2=410e77 a3=6f items=1 pid=29730 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116428511.409:13273466): item=0 name="/etc/pki/dovecot/dovecot.pem" inode=200602 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00

Strangely, it starts fine from the command line if I just run dovecot as root.

Version-Release number of selected component (if applicable):
dovecot-0.99.14-4.fc4, selinux-policy-targeted-1.23.14-2

How reproducible:
Always

Steps to Reproduce:
1. install dovecot
2. try to start it
3.
  

Actual Results:  dovecot fails to start

Expected Results:  dovecot starts

Additional info:

You actually can't even see the errors until you install audit-0.8.1 due to bug #158011
Comment 1 Daniel Walsh 2005-05-18 14:01:22 EDT
chcon -t dovecot_cert_t /etc/pki/dovecot/dovecot.pem

Should fix it.  I will modify policy to fix this problem.

selinux-policy-*-1.23.16-4
Comment 2 Thomas J. Baker 2005-05-20 09:38:09 EDT
I did the chcon and have the new policy and it still fails:

[tjb@wintermute policy]# ls -lZ /etc/pki/dovecot/dovecot.pem
-rw-------  root     root     system_u:object_r:dovecot_cert_t
/etc/pki/dovecot/dovecot.pem
[tjb@wintermute policy]#


type=AVC msg=audit(1116596209.572:5451329): avc:  denied  { read } for 
name=dovecot.pem dev=dm-0 ino=200601 scontext=root:system_r:dovecot_t
tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116596209.572:5451329): syscall=21 arch=c000003e
success=no exit=-13 a0=521588 a1=4 a2=410e77 a3=6f items=1 pid=8022 loginuid=-1
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot
exe=/usr/sbin/dovecot
type=PATH msg=audit(1116596209.572:5451329): item=0
name="/etc/pki/dovecot/private/dovecot.pem" inode=200601 dev=fd:00 mode=0100600
ouid=0 ogid=0 rdev=00:00
Comment 3 Thomas J. Baker 2005-05-20 09:39:02 EDT
P.S. The thing I don't understand is that if I start it by hand, just "dovecot"
as root, it works fine.
Comment 4 Daniel Walsh 2005-05-20 09:57:31 EDT
chcon -R -t dovecot_cert_t /etc/pki/dovecot

When you run the service out of the service script it is protected via SELinux,
 when you run it by hand directly it runs under the default context. 
(Unconfined_t).
Comment 5 Daniel Walsh 2005-05-20 10:01:51 EDT
Actually 

restorecon -R -v /etc/pki should fix it also.

Dan
Comment 6 Thomas J. Baker 2005-05-20 10:25:14 EDT
Still no dice:

[tjb@wintermute tjb]# restorecon -R -v /etc/pki
restorecon reset /etc/pki/dovecot/dovecot.pem context
system_u:object_r:dovecot_cert_t->system_u:object_r:cert_t
[tjb@wintermute tjb]# /etc/init.d/dovecot stop
Stopping Dovecot Imap:                                     [  OK  ]
[tjb@wintermute tjb]# /etc/init.d/dovecot start
Starting Dovecot Imap:                                     [FAILED]
[tjb@wintermute tjb]#


type=AVC msg=audit(1116598755.720:12031051): avc:  denied  { read } for 
name=dovecot.pem dev=dm-0 ino=200602 scontext=root:system_r:dovecot_t
tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116598755.720:12031051): syscall=21 arch=c000003e
success=no exit=-13 a0=521568 a1=4 a2=410e77 a3=6f items=1 pid=10363 loginuid=-1
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot
exe=/usr/sbin/dovecot
type=PATH msg=audit(1116598755.720:12031051): item=0
name="/etc/pki/dovecot/dovecot.pem" inode=200602 dev=fd:00 mode=0100600 ouid=0
ogid=0 rdev=00:00

On running from the init script versus command line, how is the context applied
when running from the script?  The daemon command invokes a new context and
somehow dovecot policy is applied to it? (Excuse the lack of better terms...)
Comment 7 Daniel Walsh 2005-05-20 11:34:31 EDT
Ok we have a problem in policy then.

/etc/pki/dovecot 

do 

chcon -R -t dovecot_cert_t /etc/pki/dovecot

And it should work.  I will look at policy but the restorecon should have done
the equivalent.


The rules say that when running an init script say

unconfined_t -> initrc_exec_t -> initrc_t

initrc_t -> dovecot_exec_t -> dovecot_t

ls -lZ /etc/init.d/dovecot
-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t  /etc/init.d/dovecot


When run directly

unconfined_t -> dovecot_exec_t -> unconfined_t
Comment 8 Andreas Simon 2005-05-26 18:38:23 EDT
I had the same problem here.

chcon -R -t dovecot_cert_t /etc/pki/dovecot

fixed the issue here. Dovecot now starts fine from the init.d script.
This is with selinux-policy-targeted-1.23.16-6.

(Dovecot still can't actually access my mails, but this seems to be unrelated to
this bug, because my mails are on a reiserfs partition, which is known to not
work with selinux. I expect this issue to go away when I change my /home to ext3
this weekend:

type=PATH msg=audit(1117146764.477:4455248): item=0 name="/home/andreas" inode=3
dev=fd:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00
type=SYSCALL msg=audit(1117146764.477:4455248): arch=40000003 syscall=12
success=no exit=-13 a0=9e21653 a1=0 a2=3e8 a3=9e20f9c items=1 pid=3236
auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0
comm="dovecot" exe="/usr/sbin/dovecot"
type=AVC msg=audit(1117146764.477:4455248): avc:  denied  { search } for 
pid=3236 comm="dovecot" name=andreas dev=dm-2 ino=3
scontext=root:system_r:dovecot_t tcontext=system_u:object_r:file_t tclass=dir
)

Thanks.
Comment 9 Adam Thompson 2005-06-26 10:35:07 EDT
FYI, running FC4-release (fully updated as of right now).

selinux-policy-targeted is somehow fubar'd with respect to the
/etc/pki/dovecot/* entries.

I have selinux-policy-targeted-source installed, and have manually verified that
the policy appears to be correct:

/etc/selinux/targeted/src/policy/file_contexts/file_contexts:/etc/pki/dovecot(/.*)?
system_u:object_r:dovecot_cert_t

...but running restorecon (or setfiles) does NOT correctly apply that context:
[root@server selinux]# cd /etc/pki/dovecot/
[root@server dovecot]# ls -lZ
-rw-r--r--  root     root     system_u:object_r:cert_t         dovecot-openssl.cnf
-rw-------  root     root     system_u:object_r:cert_t         dovecot.pem
drwxr-xr-x  root     root     system_u:object_r:cert_t         private/


Now, if I do "chcon -R -t dovecot_cert_t .",  everything seems just fine. 
Question is, why/how is targeted policy broken and not applying properly?

Comment 10 Daniel Walsh 2005-06-27 07:06:35 EDT
There is an ordering problem in the file_context file.  This is fixed in
selinux-policy-targeted-1.23.18-17.src.rpm
Comment 11 Thomas J. Baker 2005-07-01 08:10:11 EDT
Seems fixed to me. Others concur?

Note You need to log in before you can comment on or make changes to this bug.