Bug 158086 - dovecot won't start from init script due to selinux errors
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-05-18 15:09 UTC by Thomas J. Baker
Modified: 2007-11-30 22:11 UTC
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-02 19:41:19 UTC
Type: ---
Embargoed:



Description Thomas J. Baker 2005-05-18 15:09:00 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4

Description of problem:
FC4T3 install plus May17 updates. Dovecot won't start from the /etc/init.d/dovecot script. Audit log says

type=AVC msg=audit(1116428511.409:13273466): avc:  denied  { read } for  name=dovecot.pem dev=dm-0 ino=200602 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116428511.409:13273466): syscall=21 arch=c000003e success=no exit=-13 a0=521568 a1=4 a2=410e77 a3=6f items=1 pid=29730 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116428511.409:13273466): item=0 name="/etc/pki/dovecot/dovecot.pem" inode=200602 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00

Strangely, it starts fine from the command line if I just run dovecot as root.

Version-Release number of selected component (if applicable):
dovecot-0.99.14-4.fc4, selinux-policy-targeted-1.23.14-2

How reproducible:
Always

Steps to Reproduce:
1. install dovecot
2. try to start it

Actual Results:  dovecot fails to start

Expected Results:  dovecot starts

Additional info:

You actually can't even see the errors until you install audit-0.8.1 due to bug #158011

Comment 1 Daniel Walsh 2005-05-18 18:01:22 UTC
chcon -t dovecot_cert_t /etc/pki/dovecot/dovecot.pem

Should fix it.  I will modify policy to fix this problem.

selinux-policy-*-1.23.16-4


Comment 2 Thomas J. Baker 2005-05-20 13:38:09 UTC
I did the chcon and have the new policy and it still fails:

[tjb@wintermute policy]# ls -lZ /etc/pki/dovecot/dovecot.pem
-rw-------  root     root     system_u:object_r:dovecot_cert_t /etc/pki/dovecot/dovecot.pem
[tjb@wintermute policy]#


type=AVC msg=audit(1116596209.572:5451329): avc:  denied  { read } for  name=dovecot.pem dev=dm-0 ino=200601 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116596209.572:5451329): syscall=21 arch=c000003e success=no exit=-13 a0=521588 a1=4 a2=410e77 a3=6f items=1 pid=8022 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116596209.572:5451329): item=0 name="/etc/pki/dovecot/private/dovecot.pem" inode=200601 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00


Comment 3 Thomas J. Baker 2005-05-20 13:39:02 UTC
P.S. The thing I don't understand is that if I start it by hand, just "dovecot"
as root, it works fine.

Comment 4 Daniel Walsh 2005-05-20 13:57:31 UTC
chcon -R -t dovecot_cert_t /etc/pki/dovecot

When you run the service out of the service script it is protected via SELinux; when you run it by hand directly it runs under the default context (unconfined_t).

Comment 5 Daniel Walsh 2005-05-20 14:01:51 UTC
Actually 

restorecon -R -v /etc/pki should fix it also.

Dan

Comment 6 Thomas J. Baker 2005-05-20 14:25:14 UTC
Still no dice:

[tjb@wintermute tjb]# restorecon -R -v /etc/pki
restorecon reset /etc/pki/dovecot/dovecot.pem context system_u:object_r:dovecot_cert_t->system_u:object_r:cert_t
[tjb@wintermute tjb]# /etc/init.d/dovecot stop
Stopping Dovecot Imap:                                     [  OK  ]
[tjb@wintermute tjb]# /etc/init.d/dovecot start
Starting Dovecot Imap:                                     [FAILED]
[tjb@wintermute tjb]#


type=AVC msg=audit(1116598755.720:12031051): avc:  denied  { read } for  name=dovecot.pem dev=dm-0 ino=200602 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116598755.720:12031051): syscall=21 arch=c000003e success=no exit=-13 a0=521568 a1=4 a2=410e77 a3=6f items=1 pid=10363 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116598755.720:12031051): item=0 name="/etc/pki/dovecot/dovecot.pem" inode=200602 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00

On running from the init script versus command line, how is the context applied
when running from the script?  The daemon command invokes a new context and
somehow dovecot policy is applied to it? (Excuse the lack of better terms...)

Comment 7 Daniel Walsh 2005-05-20 15:34:31 UTC
Ok we have a problem in policy then.

/etc/pki/dovecot 

do 

chcon -R -t dovecot_cert_t /etc/pki/dovecot

And it should work.  I will look at policy but the restorecon should have done
the equivalent.


The rules say that when running an init script say

unconfined_t -> initrc_exec_t -> initrc_t

initrc_t -> dovecot_exec_t -> dovecot_t

ls -lZ /etc/init.d/dovecot
-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t  /etc/init.d/dovecot


When run directly

unconfined_t -> dovecot_exec_t -> unconfined_t


Comment 8 Andreas Simon 2005-05-26 22:38:23 UTC
I had the same problem here.

chcon -R -t dovecot_cert_t /etc/pki/dovecot

fixed the issue here. Dovecot now starts fine from the init.d script.
This is with selinux-policy-targeted-1.23.16-6.

(Dovecot still can't actually access my mails, but this seems to be unrelated to
this bug, because my mails are on a reiserfs partition, which is known to not
work with selinux. I expect this issue to go away when I change my /home to ext3
this weekend:

type=PATH msg=audit(1117146764.477:4455248): item=0 name="/home/andreas" inode=3 dev=fd:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00
type=SYSCALL msg=audit(1117146764.477:4455248): arch=40000003 syscall=12 success=no exit=-13 a0=9e21653 a1=0 a2=3e8 a3=9e20f9c items=1 pid=3236 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
type=AVC msg=audit(1117146764.477:4455248): avc:  denied  { search } for  pid=3236 comm="dovecot" name=andreas dev=dm-2 ino=3 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:file_t tclass=dir
)

Thanks.

Comment 9 Adam Thompson 2005-06-26 14:35:07 UTC
FYI, running FC4-release (fully updated as of right now).

selinux-policy-targeted is somehow fubar'd with respect to the
/etc/pki/dovecot/* entries.

I have selinux-policy-targeted-source installed, and have manually verified that
the policy appears to be correct:

/etc/selinux/targeted/src/policy/file_contexts/file_contexts:/etc/pki/dovecot(/.*)? system_u:object_r:dovecot_cert_t

...but running restorecon (or setfiles) does NOT correctly apply that context:
[root@server selinux]# cd /etc/pki/dovecot/
[root@server dovecot]# ls -lZ
-rw-r--r--  root     root     system_u:object_r:cert_t         dovecot-openssl.cnf
-rw-------  root     root     system_u:object_r:cert_t         dovecot.pem
drwxr-xr-x  root     root     system_u:object_r:cert_t         private/


Now, if I do "chcon -R -t dovecot_cert_t .",  everything seems just fine. 
Question is, why/how is targeted policy broken and not applying properly?



Comment 10 Daniel Walsh 2005-06-27 11:06:35 UTC
There is an ordering problem in the file_context file.  This is fixed in
selinux-policy-targeted-1.23.18-17.src.rpm
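As an added illustration of the ordering problem described in the previous comment (this is not code from the bug report or from the Fedora policy), the following Python models the last-match-wins lookup that setfiles/restorecon applied at the time and runs it over a constructed file_contexts fragment in both orders. The fragment, the sample paths and the simplified parser are assumptions made for the demonstration; they show why restorecon reset dovecot.pem from dovecot_cert_t back to cert_t when the specific dovecot entry preceded the generic /etc/pki entry.

```python
import re

# Constructed file_contexts fragments (illustration only, not the Fedora policy file).
# BROKEN lists the specific dovecot entry before the generic /etc/pki entry,
# so under last-match-wins the generic cert_t entry always overrides it.
BROKEN_FILE_CONTEXTS = """\
/etc/pki/dovecot(/.*)?   system_u:object_r:dovecot_cert_t
/etc/pki(/.*)?           system_u:object_r:cert_t
"""
FIXED_FILE_CONTEXTS = """\
/etc/pki(/.*)?           system_u:object_r:cert_t
/etc/pki/dovecot(/.*)?   system_u:object_r:dovecot_cert_t
"""

def parse_file_contexts(text):
    """Return [(regex, context)] in file order; optional file-type fields and
    comments are ignored (simplified relative to the real format)."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            specs.append((re.compile(fields[0]), fields[-1]))
    return specs

def resolve(specs, path):
    """Last-match-wins lookup, as setfiles/restorecon did at the time.
    Returns (winning_context, [contexts of earlier matches that lost])."""
    matches = [ctx for regex, ctx in specs if regex.fullmatch(path)]
    if not matches:
        return None, []
    return matches[-1], matches[:-1]

def audit(text, paths):
    """Map each path to its resolved context and the entries it overrode,
    so shadowed (never-winning) entries become visible."""
    specs = parse_file_contexts(text)
    return {p: resolve(specs, p) for p in paths}

if __name__ == "__main__":
    paths = ["/etc/pki/dovecot/dovecot.pem",
             "/etc/pki/dovecot/private/dovecot.pem",
             "/etc/pki/tls/certs/ca-bundle.crt"]  # constructed sample paths
    for name, text in (("broken", BROKEN_FILE_CONTEXTS), ("fixed", FIXED_FILE_CONTEXTS)):
        print(f"--- {name} ordering ---")
        for path, (ctx, overridden) in audit(text, paths).items():
            note = f"  (overrode {', '.join(overridden)})" if overridden else ""
            print(f"{path}: {ctx}{note}")
```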

Comment 11 Thomas J. Baker 2005-07-01 12:10:11 UTC
Seems fixed to me. Others concur?

