Description of problem:
Upgraded mail server to F28 to start the site conversion to the latest Fedora. Working Thunderbird IMAP connection to dovecot on the server stopped logging in correctly.

Version-Release number of selected component (if applicable):
dovecot-2.2.36-1.fc28.x86_64

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:
...
Aug 11 18:02:26 master: Warning: Corrected permissions for login directory /var/run/dovecot/token-login
Aug 11 18:02:26 master: Info: Dovecot v2.2.36 (1f10bfa63) starting up for imap
Aug 11 18:03:42 auth: Error: net_connect_unix(auth-worker) in directory /run/dovecot failed: Permission denied (euid=0(root) egid=0(root) missing +w perm: /run/dovecot/auth-worker)
Aug 11 18:06:12 auth: Error: plain(myself,10.41.86.188,<Ekkg3zBzxtwKKVa8>): Request 16960.1 timed out after 150 secs, state=1
Aug 11 18:06:12 auth: Error: plain(myself,10.41.86.188,<osEg3zBzyNwKKVa8>): Request 16962.1 timed out after 150 secs, state=1
Aug 11 18:06:12 auth: Error: plain(myself,10.41.86.188,<fpkh3zBzytwKKVa8>): Request 16964.1 timed out after 150 secs, state=1
Aug 11 18:06:42 imap-login: Info: Disconnected: Inactivity during authentication (disconnected while authenticating, waited 180 secs): user=<>, method=PLAIN, rip=10.41.86.188, lip=10.41.86.187, TLS, session=<Ekkg3zBzxtwKKVa8>
Aug 11 18:06:42 imap-login: Info: Disconnected: Inactivity during authentication (disconnected while authenticating, waited 180 secs): user=<>, method=PLAIN, rip=10.41.86.188, lip=10.41.86.187, TLS, session=<osEg3zBzyNwKKVa8>
Aug 11 18:06:42 imap-login: Info: Disconnected: Inactivity during authentication (disconnected while authenticating, waited 180 secs): user=<>, method=PLAIN, rip=10.41.86.188, lip=10.41.86.187, TLS, session=<fpkh3zBzytwKKVa8>
Aug 11 18:08:09 auth: Error: plain(myself,10.41.86.188,<8Qka5jBz0NwKKVa8>): Request 16971.1 timed out after 150 secs, state=1
Aug 11 18:08:25 auth: Error: plain(myself,10.41.86.188,<iZIQ5zBz1NwKKVa8>): Request 16972.1 timed out after 150 secs, state=1
Aug 11 18:08:25 auth: Error: plain(myself,10.41.86.188,<jWQR5zBz1twKKVa8>): Request 16973.1 timed out after 150 secs, state=1
Aug 11 18:08:25 auth: Error: plain(myself,10.41.86.188,<zh8S5zBz2NwKKVa8>): Request 16974.1 timed out after 150 secs, state=1
...

Expected results:
Aug 09 03:04:17 imap-login: Info: Login: user=<myself>, method=PLAIN, rip=10.41.86.188, lip=10.41.86.187, mpid=31644, TLS, session=<6kLbEvxy9sEKKVa8>

Additional info:
Note that it appears the user=<> was normally user=<myself> when it did work in the F27 version of dovecot, which may be related to the /run/dovecot/token-login and /run/dovecot/auth-worker messages.
Do you have SELinux enabled?
Could you try to reproduce this with SELinux in permissive mode?
Thanks
How does one enable permissive for just dovecot?
(In reply to Michal Hlavinka from comment #1)
> do you have selinux enabled?
> could you try to reproduce this with selinux in permissive mode?
> thanks

It took the big hammer, as I could not successfully just enable permissive for dovecot related auths, but 'setenforce 0' did enable logging in from Thunderbird. So it is an SELinux issue.
See related bug 1615236.
Check if you see any related SELinux messages:

# journalctl -b | grep denied

Option -b limits messages to "since last boot", so it expects that you tried to reproduce this since the last boot, to get the messages.

With permissive mode you can get more messages (if there is more than one problem, with SELinux in enforcing mode it would stop after the first one and not log the second denial). This should help the SELinux maintainers to fix this.

Also please check which selinux-policy version you have installed.

Anyway, reassigning to selinux.
Nothing at all SELinux related, either in messages or audit.log.

I tried to remove the dontaudit for the dovecot related policies

# for d in dovecot_auth_t dovecot_deliver_t dovecot_t; do echo $d:; semanage permissive -a $d; done
syncing...done
dovecot_auth_t:
OSError: [Errno 93] Protocol not supported
dovecot_deliver_t:
OSError: [Errno 93] Protocol not supported
dovecot_t:
OSError: [Errno 93] Protocol not supported

Also tried
semodule -DB; start dovecot; stop dovecot; semodule -B

with no AVC indications at all.
(In reply to Doug Maxey from comment #6)
> ***nothing at all*** selinux related, either in messages or audit.log.
>
> I tried to remove the dontaudit for the dovecot related policies
>
> # for d in dovecot_auth_t dovecot_deliver_t dovecot_t; do echo $d:;
> semanage permissive -a $d; done
>...
>
> Also tried
> semodule -DB; start dovecot; stop dovecot; semodule -B
>
> with no AVC indications at all.

meh. A very long time ago, I was getting loads of audit spam, and found that disabling auditd with the kernel line 'audit=0' worked. Never backed it out, so it has been in effect for over a year.

Removing that command line option has enabled the successful use of semanage permissive. Trying it all again to gather messages... :/
Now have a message when Thunderbird attempts to connect:

# ausearch -m AVC -ts recent
----
time->Tue Aug 14 22:50:24 2018
type=AVC msg=audit(1534305024.157:310): avc: denied { dac_override } for pid=2436 comm="auth" capability=1 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability permissive=1
More AVCs while running permissive with dontaudit disabled:

ausearch -m AVC,USER_AVC,SELINUX_ERR -ts "14:44:33" -i |tee /var/log/audit/dovecot
----
type=AVC msg=audit(08/16/2018 14:44:45.736:936) : avc: denied { noatsecure } for pid=17639 comm=sendmail scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.737:937) : avc: denied { rlimitinh } for pid=17639 comm=dovecot-lda scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.737:938) : avc: denied { siginh } for pid=17639 comm=dovecot-lda scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.745:939) : avc: denied { dac_override } for pid=17547 comm=auth capability=dac_override scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.747:940) : avc: denied { noatsecure } for pid=17640 comm=dovecot scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.747:941) : avc: denied { rlimitinh } for pid=17640 comm=auth scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(08/16/2018 14:44:45.747:942) : avc: denied { siginh } for pid=17640 comm=auth scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
----
With permissive still set for things dovecot, turned off dontaudit long enough to capture more details. Sent an email, and started Thunderbird. Here are the results when passed through audit2allow:

# ausearch -m AVC -i -ts recent |audit2allow -m dovecot > dovecot.te
# cat dovecot.te

module dovecot 1.0;

require {
	type chkpwd_t;
	type sendmail_t;
	type dovecot_deliver_t;
	type dovecot_t;
	type dovecot_auth_t;
	class process { noatsecure rlimitinh siginh };
	class capability dac_override;
}

#============= dovecot_auth_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_auth_t chkpwd_t:process { noatsecure rlimitinh siginh };
allow dovecot_auth_t self:capability dac_override;

#============= dovecot_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_t dovecot_auth_t:process { noatsecure rlimitinh siginh };

#============= sendmail_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow sendmail_t dovecot_deliver_t:process { noatsecure rlimitinh siginh };
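The three comments above (the single dac_override AVC, the batch captured with dontaudit disabled, and the audit2allow output) show the triage problem behind this bug: once dontaudit rules are switched off with semodule -DB, the one denial that actually breaks authentication (dovecot_auth_t needing dac_override) is buried among noatsecure/rlimitinh/siginh records that the shipped policy deliberately silences. The script below is an added example, not code from the bug report, from Dovecot or from the SELinux/audit2allow projects. It parses both AVC record forms seen in the thread (the raw `msg=audit(1534305024.157:310)` form and the `ausearch -i` interpreted form), groups denials into audit2allow-style (source type, target, class) keys, and separates the real denial from dontaudit noise. The sample records are constructed from the ones quoted in the thread, and the DONTAUDIT_NOISE set is taken from audit2allow's own "has a dontaudit rule" annotations in the comment above; it is an assumption that those three permissions are the only noise you will meet.

```python
"""Parse SELinux AVC denial records and summarise them audit2allow-style.

Added example for this bug thread, not from the bug report or from the
SELinux tooling. Handles the raw `ausearch -m AVC` record form and the
`ausearch -i` interpreted form, as both appear in the thread.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the records quoted in the bug: one raw-form
# record and five interpreted-form records.
SAMPLE_AVCS = """\
type=AVC msg=audit(1534305024.157:310): avc:  denied  { dac_override } for  pid=2436 comm="auth" capability=1  scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.736:936) : avc:  denied  { noatsecure } for  pid=17639 comm=sendmail scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.737:937) : avc:  denied  { rlimitinh } for  pid=17639 comm=dovecot-lda scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.737:938) : avc:  denied  { siginh } for  pid=17639 comm=dovecot-lda scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.745:939) : avc:  denied  { dac_override } for  pid=17547 comm=auth capability=dac_override scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability permissive=1
type=AVC msg=audit(08/16/2018 14:44:45.747:941) : avc:  denied  { rlimitinh } for  pid=17640 comm=auth scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
"""

# Matches both "msg=audit(1534305024.157:310):" and "msg=audit(08/16/2018 ...) :".
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<stamp>[^)]*)\)\s*:\s*avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; comm may be quoted in the raw form (comm="auth").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process permissions that audit2allow annotated in the thread as already
# covered by dontaudit rules; they only surface after `semodule -DB`.
# Assumption: these are the only dontaudit-silenced permissions of interest.
DONTAUDIT_NOISE = {"noatsecure", "rlimitinh", "siginh"}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "stamp": m.group("stamp"),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        "permissive": fields.get("permissive") == "1",
    }


def domain_type(context):
    """system_u:system_r:dovecot_auth_t:s0 -> dovecot_auth_t"""
    return context.split(":")[2]


def summarise(text):
    """Group denials into (source type, target, class) -> set of permissions.

    Target is rendered as `self` when source and target types match, which is
    how audit2allow wrote the dac_override rule in the thread.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        src = domain_type(rec["scontext"])
        tgt = domain_type(rec["tcontext"])
        key = (src, "self" if src == tgt else tgt, rec["tclass"])
        rules[key].update(rec["perms"])
    return dict(rules)


def real_denials(rules):
    """Keys whose permission set is not explained by dontaudit noise alone."""
    return {k: v for k, v in rules.items() if not v <= DONTAUDIT_NOISE}


def render_te(rules):
    """Render audit2allow-like allow lines, flagging noise-only entries."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        note = "  # dontaudit noise only" if perms <= DONTAUDIT_NOISE else ""
        out.append(f"allow {src} {tgt}:{cls} {body};{note}")
    return out


if __name__ == "__main__":
    summary = summarise(SAMPLE_AVCS)
    print("\n".join(render_te(summary)))
    print("needs a policy fix:", sorted(real_denials(summary)))
```

Run against the constructed sample it reports one entry needing attention, dovecot_auth_t self:capability dac_override, and marks the sendmail_t and dovecot_t process entries as dontaudit noise. The rendered allow lines are meant for attaching to a bug report, as the reporter did here; the actual fix belongs in the distribution's selinux-policy package, which is where this bug was resolved.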
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
I keep my /etc files in a local git repo. With this update installed, I see this:

 M etc/selinux/config
 D etc/selinux/targeted/.policy.sha512
 D etc/selinux/targeted/booleans.subs_dist
 D etc/selinux/targeted/contexts/customizable_types
 D etc/selinux/targeted/contexts/dbus_contexts
 D etc/selinux/targeted/contexts/default_contexts
 D etc/selinux/targeted/contexts/default_type
 D etc/selinux/targeted/contexts/failsafe_context
 D etc/selinux/targeted/contexts/files/file_contexts
 D etc/selinux/targeted/contexts/files/file_contexts.homedirs
 D etc/selinux/targeted/contexts/files/file_contexts.local
 D etc/selinux/targeted/contexts/files/file_contexts.subs
 D etc/selinux/targeted/contexts/files/file_contexts.subs_dist
 D etc/selinux/targeted/contexts/files/media
 D etc/selinux/targeted/contexts/initrc_context
 D etc/selinux/targeted/contexts/lxc_contexts
 D etc/selinux/targeted/contexts/openssh_contexts
 D etc/selinux/targeted/contexts/removable_context
 D etc/selinux/targeted/contexts/securetty_types
 D etc/selinux/targeted/contexts/sepgsql_contexts
 D etc/selinux/targeted/contexts/snapperd_contexts
 D etc/selinux/targeted/contexts/systemd_contexts
 D etc/selinux/targeted/contexts/userhelper_context
 D etc/selinux/targeted/contexts/users/guest_u
 D etc/selinux/targeted/contexts/users/root
 D etc/selinux/targeted/contexts/users/staff_u
 D etc/selinux/targeted/contexts/users/sysadm_u
 D etc/selinux/targeted/contexts/users/unconfined_u
 D etc/selinux/targeted/contexts/users/user_u
 D etc/selinux/targeted/contexts/users/xguest_u
 D etc/selinux/targeted/contexts/virtual_domain_context
 D etc/selinux/targeted/contexts/virtual_image_context
 D etc/selinux/targeted/contexts/x_contexts
 D etc/selinux/targeted/setrans.conf
 D etc/selinux/targeted/seusers
 D usr/bin/sepolgen-ifgen
 D usr/bin/sepolicy
?? etc/selinux/targeted/contexts/files/file_contexts.local.rpmsave

Is this expected?
(In reply to Doug Maxey from comment #13)

Disregard the above. I see where I used a wrong invocation for the update.
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.