Description of problem:
dovecot-auth process isn't allowed to handle cert_t files.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-17

How reproducible:
Always.

Steps to Reproduce:
1. Run dovecot over SSL.

Actual results:
Lots of unneeded denials.

Expected results:
The log should be silent.

Additional info:
--------------------------------------------------
Jun 29 09:23:13 beauty kernel: audit(1120000993.282:955): avc: denied { search } for pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.324:956): avc: denied { search } for pid=25324 comm="unix_chkpwd" name=pki dev=dm-0 ino=481589 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.325:957): avc: denied { read } for pid=25324 comm="unix_chkpwd" name=urandom dev=tmpfs ino=747 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jun 29 09:23:13 beauty kernel: audit(1120000993.326:958): avc: denied { read } for pid=25324 comm="unix_chkpwd" name=random dev=tmpfs ino=741 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jun 29 09:23:13 beauty kernel: audit(1120000993.340:959): avc: denied { search } for pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.344:960): avc: denied { search } for pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.511:961): avc: denied { search } for pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.645:962): avc: denied { search } for pid=22692 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.677:963): avc: denied { read } for pid=25326 comm="imap" name=cert.pem dev=dm-0 ino=481616 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=lnk_file
--------------------------------------------------
It seems that dovecot-auth uses dovecot_cert_t so the certificate can't be shared among sendmail, apache, etc. :(
So should I just change dovecot_cert_t to be the same as cert_t? I.e., we want these things shared? Dan
I just tried 1.24-3 and it still has the same issue. To answer your question, I think the problem is with the file /etc/pki/tls/cert.pem (and directories in which it lives), which is not part of dovecot, but openssl. This file is a bundle of X.509 certificates of public certificate authorities. So, I don't think dovecot_cert_t should be the same as cert_t, but rather dovecot should be allowed to read cert_t files and directories, as this is their purpose anyway. Other daemons may not be allowed to view dovecot specific certificates, which is also OK. So, dovecot_cert_t should stay.
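The denials quoted in this report are easier to reason about once they are collapsed into (source type, target type, object class, permission) tuples, which is what the discussion above is really about: dovecot_auth_t and dovecot_t need search/read on cert_t, while the unix_chkpwd helper (system_chkpwd_t) separately wants cert_t and the random devices. The following Python script is an added example for this page, not code from the bug report or from the selinux-policy package; it approximates what audit2allow(1) does for kernel-style "avc: denied" lines so the result can be compared against what a policy version actually grants. The log lines embedded in it are constructed to mirror the report's denials (same types, classes and a non-AVC syslog line that must be skipped).

```python
"""Summarize SELinux AVC denials into the TE allow rules they imply.

Added example for this thread (not the reporter's or the policy package's
code). It parses kernel-style ``avc: denied`` lines such as the ones quoted
in the report and groups them the way audit2allow(1) does, so a reader can
see which (domain, type, class) pairs a policy update has to cover.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the denials quoted in the report.
# The last line is an ordinary syslog message and must be ignored.
SAMPLE_LOG = """\
Jul 14 11:35:17 beauty kernel: audit(1121304917.760:635): avc: denied { search } for pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.803:636): avc: denied { search } for pid=20678 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.804:637): avc: denied { read } for pid=20678 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=774 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 14 11:35:17 beauty kernel: audit(1121304917.805:638): avc: denied { read } for pid=20678 comm="unix_chkpwd" name="random" dev=tmpfs ino=768 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jul 14 11:35:17 beauty kernel: audit(1121304917.819:639): avc: denied { search } for pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.677:963): avc: denied { read } for pid=25326 comm="imap" name=cert.pem dev=dm-0 ino=481616 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=lnk_file
Jul 14 11:35:17 beauty dovecot-auth[20677]: nss_ldap: reconnecting to LDAP server...
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parsed denial for an 'avc: denied' line, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type[:range]; the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", "?"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Collapse denials into {(stype, ttype, tclass): set(perms)} plus hit counts."""
    rules = defaultdict(set)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        rules[key].update(d["perms"])
        counts[key] += 1
    return rules, counts


def allow_rules(rules):
    """Render the summary as TE allow rules, one per (source, target, class)."""
    out = []
    for key in sorted(rules):
        stype, ttype, tclass = key
        perms = " ".join(sorted(rules[key]))
        if len(rules[key]) > 1:
            perms = "{ " + perms + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perms};")
    return out


def by_source(rules):
    """Group the implied rules by source domain, to see which daemon is failing."""
    grouped = defaultdict(list)
    for (stype, ttype, tclass), perms in rules.items():
        grouped[stype].append((ttype, tclass, sorted(perms)))
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    rules, counts = summarize(SAMPLE_LOG)
    for key in sorted(rules):
        print(f"{counts[key]:3d}x {key}")
    print("\n".join(allow_rules(rules)))
```

The rules this prints are exactly the raw "allow" statements the log justifies and nothing more; whether they belong in the distribution policy is a separate decision, and in reference-policy style the cert_t case would be expressed through the existing miscfiles_read_certs() interface rather than a hand-written allow. Grouping by source domain (by_source) is the quick way to confirm the observation made later in this thread, namely that it is dovecot_auth_t, not the main dovecot_t domain, that is still being denied.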
From 1.25.1-7:
------------------------------------------------------------
Jul 8 06:15:09 beauty kernel: audit(1120767309.400:3156): avc: denied { search } for pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 8 06:15:09 beauty kernel: audit(1120767309.441:3157): avc: denied { search } for pid=12412 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 8 06:15:09 beauty kernel: audit(1120767309.442:3158): avc: denied { read } for pid=12412 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=1421 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 8 06:15:09 beauty kernel: audit(1120767309.443:3159): avc: denied { read } for pid=12412 comm="unix_chkpwd" name="random" dev=tmpfs ino=712 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jul 8 06:15:09 beauty unix_chkpwd[12412]: check pass; user unknown
Jul 8 06:15:09 beauty dovecot(pam_unix)[12411]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bojan
Jul 8 06:15:09 beauty kernel: audit(1120767309.454:3160): avc: denied { search } for pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 8 06:15:09 beauty kernel: audit(1120767309.457:3161): avc: denied { search } for pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 8 06:15:09 beauty dovecot-auth[12411]: nss_ldap: reconnecting to LDAP server...
Jul 8 06:15:09 beauty kernel: audit(1120767309.684:3162): avc: denied { search } for pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 8 06:15:09 beauty dovecot-auth[12411]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
Jul 8 06:15:09 beauty kernel: audit(1120767309.919:3163): avc: denied { search } for pid=2228 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
------------------------------------------------------------
Works just fine in selinux-policy-targeted-1.25.1-7. Many thanks!
I'm a liar:
--------------------------------------
Jul 13 20:32:00 beauty kernel: audit(1121250720.521:25): avc: denied { search } for pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.563:26): avc: denied { search } for pid=3197 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.564:27): avc: denied { read } for pid=3197 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=774 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 13 20:32:00 beauty kernel: audit(1121250720.565:28): avc: denied { read } for pid=3197 comm="unix_chkpwd" name="random" dev=tmpfs ino=768 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jul 13 20:32:00 beauty unix_chkpwd[3197]: check pass; user unknown
Jul 13 20:32:00 beauty dovecot(pam_unix)[3196]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bojan
Jul 13 20:32:00 beauty kernel: audit(1121250720.579:29): avc: denied { search } for pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.583:30): avc: denied { search } for pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty dovecot-auth[3196]: nss_ldap: reconnecting to LDAP server...
Jul 13 20:32:00 beauty kernel: audit(1121250720.609:31): avc: denied { search } for pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
--------------------------------------
That's for selinux-policy-targeted-1.25.1-7.
Try out selinux-policy-targeted-1.25.1-9
Still seems like a no go:
-------------------------------
Jul 14 11:34:42 beauty dbus: avc: received policyload notice (seqno=3)
Jul 14 11:34:42 beauty dbus: avc: 0 AV entries and 0/512 buckets used, longest chain length 0
Jul 14 11:35:17 beauty kernel: audit(1121304917.760:635): avc: denied { search } for pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.803:636): avc: denied { search } for pid=20678 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.804:637): avc: denied { read } for pid=20678 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=774 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 14 11:35:17 beauty kernel: audit(1121304917.805:638): avc: denied { read } for pid=20678 comm="unix_chkpwd" name="random" dev=tmpfs ino=768 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jul 14 11:35:17 beauty kernel: audit(1121304917.819:639): avc: denied { search } for pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.823:640): avc: denied { search } for pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.847:641): avc: denied { search } for pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.879:642): avc: denied { search } for pid=2241 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
-------------------------------
Notice how it's "dovecot-auth" that's failing. I explicitly loaded the policy with load_policy, to make sure I've got the right one. rpm -q selinux-policy-targeted shows:

[root@beauty ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.25.1-9
Looks like the latest policy (1.25.2-4) took care of this one too. Closing for now.