Bug 1615058 - f28 dovecot-2.2.36-1.fc28.x86_64 won't allow imap login from f27 thunderbird
Summary: f28 dovecot-2.2.36-1.fc28.x86_64 won't allow imap login from f27 thunderbird
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-08-11 23:24 UTC by Doug Maxey
Modified: 2018-09-11 16:56 UTC

Fixed In Version: selinux-policy-3.14.1-42.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1615236
Environment:
Last Closed: 2018-09-11 16:56:29 UTC
Type: Bug
Embargoed:


Description Doug Maxey 2018-08-11 23:24:46 UTC
Description of problem:
Upgraded mail server to F28 to start the site conversion to the latest Fedora.

Working thunderbird imap connection to dovecot on server stopped logging in correctly.

Version-Release number of selected component (if applicable):
dovecot-2.2.36-1.fc28.x86_64

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:
...
Aug 11 18:02:26 master: Warning: Corrected permissions for login directory /var/run/dovecot/token-login
Aug 11 18:02:26 master: Info: Dovecot v2.2.36 (1f10bfa63) starting up for imap
Aug 11 18:03:42 auth: Error: net_connect_unix(auth-worker) in directory /run/dovecot failed: Permission denied (euid=0(root) egid=0(root) missing +w perm: /run/dovecot/auth-worker)
Aug 11 18:06:12 auth: Error: plain(myself,10.41.86.188,<Ekkg3zBzxtwKKVa8>): Request 16960.1 timed out after 150 secs, state=1
Aug 11 18:06:12 auth: Error: plain(myself,10.41.86.188,<osEg3zBzyNwKKVa8>): Request 16962.1 timed out after 150 secs, state=1
Aug 11 18:06:12 auth: Error: plain(myself,10.41.86.188,<fpkh3zBzytwKKVa8>): Request 16964.1 timed out after 150 secs, state=1
Aug 11 18:06:42 imap-login: Info: Disconnected: Inactivity during authentication (disconnected while authenticating, waited 180 secs): user=<>, method=PLAIN, rip=10.41.86.188, lip=10.41.86.187, TLS, session=<Ekkg3zBzxtwKKVa8>
Aug 11 18:06:42 imap-login: Info: Disconnected: Inactivity during authentication (disconnected while authenticating, waited 180 secs): user=<>, method=PLAIN, rip=10.41.86.188, lip=10.41.86.187, TLS, session=<osEg3zBzyNwKKVa8>
Aug 11 18:06:42 imap-login: Info: Disconnected: Inactivity during authentication (disconnected while authenticating, waited 180 secs): user=<>, method=PLAIN, rip=10.41.86.188, lip=10.41.86.187, TLS, session=<fpkh3zBzytwKKVa8>
Aug 11 18:08:09 auth: Error: plain(myself,10.41.86.188,<8Qka5jBz0NwKKVa8>): Request 16971.1 timed out after 150 secs, state=1
Aug 11 18:08:25 auth: Error: plain(myself,10.41.86.188,<iZIQ5zBz1NwKKVa8>): Request 16972.1 timed out after 150 secs, state=1
Aug 11 18:08:25 auth: Error: plain(myself,10.41.86.188,<jWQR5zBz1twKKVa8>): Request 16973.1 timed out after 150 secs, state=1
Aug 11 18:08:25 auth: Error: plain(myself,10.41.86.188,<zh8S5zBz2NwKKVa8>): Request 16974.1 timed out after 150 secs, state=1

...


Expected results:
Aug 09 03:04:17 imap-login: Info: Login: user=<myself>, method=PLAIN, rip=10.41.86.188, lip=10.41.86.187, mpid=31644, TLS, session=<6kLbEvxy9sEKKVa8>


Additional info:

Note that it appears the user=<> was normally user=<myself> when it did work in the F27 version of dovecot, which may be related to the /run/dovecot/token-login and /run/dovecot/auth-worker messages.

Comment 1 Michal Hlavinka 2018-08-13 15:53:07 UTC
do you have selinux enabled?
could you try to reproduce this with selinux in permissive mode?
thanks

Comment 2 Doug Maxey 2018-08-13 19:01:31 UTC
How does one enable permissive for just dovecot?

Comment 3 Doug Maxey 2018-08-13 21:30:16 UTC
(In reply to Michal Hlavinka from comment #1)
> do you have selinux enabled?
> could you try to reproduce this with selinux in permissive mode?
> thanks

It took the big hammer, as I could not successfully just enable permissive for dovecot related auths, but 'setenforce 0' did enable logging in from thunderbird.  So it is a selinux issue.

Comment 4 Doug Maxey 2018-08-13 21:42:38 UTC
See related bug 1615236.

Comment 5 Michal Hlavinka 2018-08-14 08:20:02 UTC
Check if you see any related selinux messages:

# journalctl -b | grep denied

Option -b limits messages to "since last boot", so it expects that you tried to reproduce this since last boot, to get the messages. With permissive mode you can get more messages (if there is more than 1 problem, with selinux in enforcing, it would stop after the first one and not log the second denial). This should help selinux maintainers to fix this. Also please check what selinux-policy version do you have installed.

Anyway, reassigning to selinux.

Comment 6 Doug Maxey 2018-08-15 02:19:08 UTC
Nothing at all SELinux related, either in messages or audit.log.

I tried to remove the dontaudit for the dovecot related policies

# for d in  dovecot_auth_t dovecot_deliver_t dovecot_t; do echo $d:; semanage permissive -a $d; done
syncing...done
dovecot_auth_t:
OSError: [Errno 93] Protocol not supported
dovecot_deliver_t:
OSError: [Errno 93] Protocol not supported
dovecot_t:
OSError: [Errno 93] Protocol not supported

Also tried 
semodule -DB; start dovecot; stop dovecot; semodule -B

with no AVC indications at all.

Comment 7 Doug Maxey 2018-08-15 03:47:50 UTC
(In reply to Doug Maxey from comment #6)
> ***nothing at all*** selinux related, either in messages or audit.log. 
> 
> I tried to remove the dontaudit for the dovecot related policies
> 
> # for d in  dovecot_auth_t dovecot_deliver_t dovecot_t; do echo $d:;
> semanage permissive -a $d; done
>...
>
> Also tried 
> semodule -DB; start dovecot; stop dovecot; semodule -B
> 
> with no AVC indications at all.

Meh. A very long time ago, I was getting loads of audit spam, and found that disabling auditd with the kernel line 'audit=0' worked. Never backed it out, so it has been in effect for over a year.

Removing that commandline option has enabled the successful use of semanage permissive.  Trying it all again to gather messages... :/

Comment 8 Doug Maxey 2018-08-15 03:59:37 UTC
Now I have a message when Thunderbird attempts to connect:

# ausearch -m AVC -ts recent
----
time->Tue Aug 14 22:50:24 2018
type=AVC msg=audit(1534305024.157:310): avc:  denied  { dac_override } for  pid=2436 comm="auth" capability=1  scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability permissive=1

Comment 9 Doug Maxey 2018-08-17 05:35:53 UTC
More avcs while running permissive with dontaudit disabled:

ausearch -m AVC,USER_AVC,SELINUX_ERR -ts "14:44:33" -i |tee /var/log/audit/dovecot 
----
type=AVC msg=audit(08/16/2018 14:44:45.736:936) : avc:  denied  { noatsecure } for  pid=17639 comm=sendmail scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1 
----
type=AVC msg=audit(08/16/2018 14:44:45.737:937) : avc:  denied  { rlimitinh } for  pid=17639 comm=dovecot-lda scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1 
----
type=AVC msg=audit(08/16/2018 14:44:45.737:938) : avc:  denied  { siginh } for  pid=17639 comm=dovecot-lda scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1 
----
type=AVC msg=audit(08/16/2018 14:44:45.745:939) : avc:  denied  { dac_override } for  pid=17547 comm=auth capability=dac_override  scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability permissive=1 
----
type=AVC msg=audit(08/16/2018 14:44:45.747:940) : avc:  denied  { noatsecure } for  pid=17640 comm=dovecot scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1 
----
type=AVC msg=audit(08/16/2018 14:44:45.747:941) : avc:  denied  { rlimitinh } for  pid=17640 comm=auth scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1 
----
type=AVC msg=audit(08/16/2018 14:44:45.747:942) : avc:  denied  { siginh } for  pid=17640 comm=auth scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1 
----

Comment 10 Doug Maxey 2018-08-26 00:21:41 UTC
With permissive still set for all things dovecot, I turned off dontaudit long enough to capture more details. Sent an email, and started Thunderbird.

Here are the results when passed through audit2allow:

# ausearch -m AVC -i -ts recent |audit2allow -m dovecot > dovecot.te
# cat dovecot.te 

module dovecot 1.0;

require {
	type chkpwd_t;
	type sendmail_t;
	type dovecot_deliver_t;
	type dovecot_t;
	type dovecot_auth_t;
	class process { noatsecure rlimitinh siginh };
	class capability dac_override;
}

#============= dovecot_auth_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_auth_t chkpwd_t:process { noatsecure rlimitinh siginh };
allow dovecot_auth_t self:capability dac_override;

#============= dovecot_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_t dovecot_auth_t:process { noatsecure rlimitinh siginh };

#============= sendmail_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow sendmail_t dovecot_deliver_t:process { noatsecure rlimitinh siginh };
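
As an added illustration (not part of this bug report, nor of the selinux-policy or audit2allow projects), the following Python folds AVC records of the shape captured in comment 9 into per-domain allow rules the way the audit2allow step above does, and separately lists capability grants such as dac_override so they get a second look instead of being shipped blindly as a local module (the real fix here landed in the distribution policy). The sample records are constructed from the lines in comment 9.

```python
import re
from collections import defaultdict

# Constructed sample: four `ausearch -i` style AVC records taken from comment 9.
SAMPLE_AVCS = """\
type=AVC msg=audit(08/16/2018 14:44:45.736:936) : avc:  denied  { noatsecure } for  pid=17639 comm=sendmail scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.737:937) : avc:  denied  { rlimitinh } for  pid=17639 comm=dovecot-lda scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.745:939) : avc:  denied  { dac_override } for  pid=17547 comm=auth capability=dac_override  scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.747:941) : avc:  denied  { rlimitinh } for  pid=17640 comm=auth scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one denial, else None."""
    m = PERMS_RE.search(line)
    if not m:
        return None  # separators such as "----" and non-AVC lines
    fields = dict(FIELD_RE.findall(line))
    # A context is user:role:type:level; the type is the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(m.group(1).split())


def group_denials(text):
    """Fold records into {(stype, ttype, tclass): perms}, as audit2allow does."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return rules


def render_te(rules):
    """Emit .te allow rules; a rule targeting its own domain uses `self`."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = f"{{ {perm_str} }}"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


def capability_grants(rules):
    """(domain, capability) pairs to review: dac_override bypasses file DAC checks."""
    return sorted((s, p) for (s, t, c), perms in rules.items() if c == "capability" for p in perms)
```

Running `render_te(group_denials(SAMPLE_AVCS))` reproduces the three allow lines audit2allow printed above (minus its dontaudit annotations, which need the loaded policy), and `capability_grants` singles out the dovecot_auth_t dac_override grant.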

Comment 11 Fedora Update System 2018-09-06 21:57:33 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 12 Fedora Update System 2018-09-07 17:13:02 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 13 Doug Maxey 2018-09-10 00:34:55 UTC
I keep my /etc files in a local git repo.  With this update installed, see this:

. M etc/selinux/config
 D etc/selinux/targeted/.policy.sha512
 D etc/selinux/targeted/booleans.subs_dist
 D etc/selinux/targeted/contexts/customizable_types
 D etc/selinux/targeted/contexts/dbus_contexts
 D etc/selinux/targeted/contexts/default_contexts
 D etc/selinux/targeted/contexts/default_type
 D etc/selinux/targeted/contexts/failsafe_context
 D etc/selinux/targeted/contexts/files/file_contexts
 D etc/selinux/targeted/contexts/files/file_contexts.homedirs
 D etc/selinux/targeted/contexts/files/file_contexts.local
 D etc/selinux/targeted/contexts/files/file_contexts.subs
 D etc/selinux/targeted/contexts/files/file_contexts.subs_dist
 D etc/selinux/targeted/contexts/files/media
 D etc/selinux/targeted/contexts/initrc_context
 D etc/selinux/targeted/contexts/lxc_contexts
 D etc/selinux/targeted/contexts/openssh_contexts
 D etc/selinux/targeted/contexts/removable_context
 D etc/selinux/targeted/contexts/securetty_types
 D etc/selinux/targeted/contexts/sepgsql_contexts
 D etc/selinux/targeted/contexts/snapperd_contexts
 D etc/selinux/targeted/contexts/systemd_contexts
 D etc/selinux/targeted/contexts/userhelper_context
 D etc/selinux/targeted/contexts/users/guest_u
 D etc/selinux/targeted/contexts/users/root
 D etc/selinux/targeted/contexts/users/staff_u
 D etc/selinux/targeted/contexts/users/sysadm_u
 D etc/selinux/targeted/contexts/users/unconfined_u
 D etc/selinux/targeted/contexts/users/user_u
 D etc/selinux/targeted/contexts/users/xguest_u
 D etc/selinux/targeted/contexts/virtual_domain_context
 D etc/selinux/targeted/contexts/virtual_image_context
 D etc/selinux/targeted/contexts/x_contexts
 D etc/selinux/targeted/setrans.conf
 D etc/selinux/targeted/seusers
 D usr/bin/sepolgen-ifgen
 D usr/bin/sepolicy
?? etc/selinux/targeted/contexts/files/file_contexts.local.rpmsave

Is this expected?

Comment 14 Doug Maxey 2018-09-10 00:41:12 UTC
(In reply to Doug Maxey from comment #13)

Disregard the above. I see that I used a wrong invocation for the update.

Comment 15 Fedora Update System 2018-09-11 16:56:29 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
