Bug 161998 - dovecot-auth not allowed to handle cert_t
dovecot-auth not allowed to handle cert_t
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-28 19:37 EDT by Bojan Smojver
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-15 07:57:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Bojan Smojver 2005-06-28 19:37:42 EDT
Description of problem:
dovecot-auth process isn't allowed to handle cert_t files.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-17

How reproducible:
Always.

Steps to Reproduce:
1. Run dovecot over SSL.
  
Actual results:
Lots of unneeded denials.

Expected results:
The log should be silent.

Additional info:
--------------------------------------------------
Jun 29 09:23:13 beauty kernel: audit(1120000993.282:955): avc:  denied  { search
 } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root
:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.324:956): avc:  denied  { search
 } for  pid=25324 comm="unix_chkpwd" name=pki dev=dm-0 ino=481589 scontext=root:
system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.325:957): avc:  denied  { read }
 for  pid=25324 comm="unix_chkpwd" name=urandom dev=tmpfs ino=747 scontext=root:
system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_
file
Jun 29 09:23:13 beauty kernel: audit(1120000993.326:958): avc:  denied  { read }
 for  pid=25324 comm="unix_chkpwd" name=random dev=tmpfs ino=741 scontext=root:s
ystem_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_fi
le
Jun 29 09:23:13 beauty kernel: audit(1120000993.340:959): avc:  denied  { search
 } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root
:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.344:960): avc:  denied  { search
 } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root
:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.511:961): avc:  denied  { search
 } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root
:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.645:962): avc:  denied  { search
 } for  pid=22692 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root
:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.677:963): avc:  denied  { read }
 for  pid=25326 comm="imap" name=cert.pem dev=dm-0 ino=481616 scontext=root:syst
em_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=lnk_file
--------------------------------------------------
Comment 1 Hann-Huei Chiou 2005-06-29 02:33:16 EDT
It seems that dovecot-auth uses dovecot_cert_t so the certificate can't be 
shared among sendmail, apache, etc. :(
Comment 2 Daniel Walsh 2005-07-03 11:38:50 EDT
So should I just change dovecot_cert_t to be the same as cert_t.  IE We want
these things shared?

Dan
Comment 3 Bojan Smojver 2005-07-05 05:49:16 EDT
I just tried 1.24-3 and it still has the same issue.

To answer your question, I think the problem is with the file
/etc/pki/tls/cert.pem (and directories in which it lives), which is not part of
dovecot, but openssl. This file is a bundle of X.509 certificates of public
certificate authorities. So, I don't think dovecot_cert_t should be the same as
cert_t, but rather dovecot should be allowed to read cert_t files and
directories, as this is their purpose anyway. Other daemons may not be allowed
to view dovecot specific certificates, which is also OK. So, dovecot_cert_t
should stay.
Comment 4 Bojan Smojver 2005-07-07 16:16:50 EDT
From 1.25.1-7:
------------------------------------------------------------
Jul  8 06:15:09 beauty kernel: audit(1120767309.400:3156): avc:  denied  { searc
h } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=s
ystem_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty kernel: audit(1120767309.441:3157): avc:  denied  { searc
h } for  pid=12412 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=sy
stem_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty kernel: audit(1120767309.442:3158): avc:  denied  { read 
} for  pid=12412 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=1421 scontext=s
ystem_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tcl
ass=chr_file
Jul  8 06:15:09 beauty kernel: audit(1120767309.443:3159): avc:  denied  { read 
} for  pid=12412 comm="unix_chkpwd" name="random" dev=tmpfs ino=712 scontext=sys
tem_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass
=chr_file
Jul  8 06:15:09 beauty unix_chkpwd[12412]: check pass; user unknown
Jul  8 06:15:09 beauty dovecot(pam_unix)[12411]: authentication failure; logname
= uid=0 euid=0 tty= ruser= rhost=  user=bojan
Jul  8 06:15:09 beauty kernel: audit(1120767309.454:3160): avc:  denied  { searc
h } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=s
ystem_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty kernel: audit(1120767309.457:3161): avc:  denied  { searc
h } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=s
ystem_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty dovecot-auth[12411]: nss_ldap: reconnecting to LDAP serve
r...
Jul  8 06:15:09 beauty kernel: audit(1120767309.684:3162): avc:  denied  { searc
h } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=s
ystem_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty dovecot-auth[12411]: nss_ldap: reconnected to LDAP server
 after 1 attempt(s)
Jul  8 06:15:09 beauty kernel: audit(1120767309.919:3163): avc:  denied  { searc
h } for  pid=2228 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=sy
stem_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
------------------------------------------------------------
Comment 5 Bojan Smojver 2005-07-11 19:43:08 EDT
Works just fine in selinux-policy-targeted-1.25.1-7. Many thanks!
Comment 6 Bojan Smojver 2005-07-13 06:34:16 EDT
I'm a liar:

--------------------------------------
Jul 13 20:32:00 beauty kernel: audit(1121250720.521:25): avc:  denied  { search 
} for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=syst
em_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.563:26): avc:  denied  { search 
} for  pid=3197 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=syste
m_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.564:27): avc:  denied  { read } 
for  pid=3197 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=774 scontext=syste
m_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=
chr_file
Jul 13 20:32:00 beauty kernel: audit(1121250720.565:28): avc:  denied  { read } 
for  pid=3197 comm="unix_chkpwd" name="random" dev=tmpfs ino=768 scontext=system
_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=ch
r_file
Jul 13 20:32:00 beauty unix_chkpwd[3197]: check pass; user unknown
Jul 13 20:32:00 beauty dovecot(pam_unix)[3196]: authentication failure; logname=
 uid=0 euid=0 tty= ruser= rhost=  user=bojan
Jul 13 20:32:00 beauty kernel: audit(1121250720.579:29): avc:  denied  { search 
} for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=syst
em_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.583:30): avc:  denied  { search 
} for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=syst
em_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty dovecot-auth[3196]: nss_ldap: reconnecting to LDAP server
...
Jul 13 20:32:00 beauty kernel: audit(1121250720.609:31): avc:  denied  { search 
} for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=syst
em_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
--------------------------------------

That's for selinux-policy-targeted-1.25.1-7.
Comment 7 Daniel Walsh 2005-07-13 06:56:25 EDT
Try out selinux-policy-targeted-1.25.1-9
Comment 8 Bojan Smojver 2005-07-13 21:37:29 EDT
Still seems like a no go:

-------------------------------
Jul 14 11:34:42 beauty dbus: avc:  received policyload notice (seqno=3) 
Jul 14 11:34:42 beauty dbus: avc:  0 AV entries and 0/512 buckets used, longest
chain length 0 

Jul 14 11:35:17 beauty kernel: audit(1121304917.760:635): avc:  denied  { search
} for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589
scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t
tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.803:636): avc:  denied  { search
} for  pid=20678 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589
scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t
tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.804:637): avc:  denied  { read }
for  pid=20678 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=774
scontext=system_u:system_r:system_chkpwd_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 14 11:35:17 beauty kernel: audit(1121304917.805:638): avc:  denied  { read }
for  pid=20678 comm="unix_chkpwd" name="random" dev=tmpfs ino=768
scontext=system_u:system_r:system_chkpwd_t
tcontext=system_u:object_r:random_device_t tclass=chr_file
Jul 14 11:35:17 beauty kernel: audit(1121304917.819:639): avc:  denied  { search
} for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589
scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t
tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.823:640): avc:  denied  { search
} for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589
scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t
tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.847:641): avc:  denied  { search
} for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589
scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t
tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.879:642): avc:  denied  { search
} for  pid=2241 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589
scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t
tclass=dir
-------------------------------

Notice how it's "dovecot-auth" that's failing. I explicitly loaded the policy
with load_policy, to make sure I've got the right one. rpm -q
selinux-policy-targeted shows:

[root@beauty ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.25.1-9
Comment 9 Bojan Smojver 2005-07-15 07:57:15 EDT
Looks like the latest policy (1.25.2-4) took care of this one too. Closing for now.

Note You need to log in before you can comment on or make changes to this bug.