Bug 161998 - dovecot-auth not allowed to handle cert_t
Summary: dovecot-auth not allowed to handle cert_t
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-28 23:37 UTC by Bojan Smojver
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-15 11:57:15 UTC
Type: ---
Embargoed:



Description Bojan Smojver 2005-06-28 23:37:42 UTC
Description of problem:
dovecot-auth process isn't allowed to handle cert_t files.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-17

How reproducible:
Always.

Steps to Reproduce:
1. Run dovecot over SSL.
  
Actual results:
Lots of unneeded denials.

Expected results:
The log should be silent.

Additional info:
--------------------------------------------------
Jun 29 09:23:13 beauty kernel: audit(1120000993.282:955): avc:  denied  { search } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.324:956): avc:  denied  { search } for  pid=25324 comm="unix_chkpwd" name=pki dev=dm-0 ino=481589 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.325:957): avc:  denied  { read } for  pid=25324 comm="unix_chkpwd" name=urandom dev=tmpfs ino=747 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jun 29 09:23:13 beauty kernel: audit(1120000993.326:958): avc:  denied  { read } for  pid=25324 comm="unix_chkpwd" name=random dev=tmpfs ino=741 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jun 29 09:23:13 beauty kernel: audit(1120000993.340:959): avc:  denied  { search } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.344:960): avc:  denied  { search } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.511:961): avc:  denied  { search } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.645:962): avc:  denied  { search } for  pid=22692 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.677:963): avc:  denied  { read } for  pid=25326 comm="imap" name=cert.pem dev=dm-0 ino=481616 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=lnk_file
--------------------------------------------------
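
The denials above are the raw material that audit2allow turns into allow rules. As an added example, not code from this bug report or from selinux-policy, here is a small Python parser for the pre-auditd kernel AVC format quoted in this report. It collapses the repeated messages into the distinct (source type, target type, object class, permissions) tuples they imply and renders them as TE allow statements. The sample log is constructed by re-joining a few of the report's own wrapped lines onto single lines; nothing is read from the running system.

```python
"""Collapse SELinux AVC denials into the allow rules they imply.

Added example, not code from the bug report or from selinux-policy. It does
the core of what audit2allow does for the kernel format quoted in this report
("audit(<ts>:<serial>): avc:  denied  { perms } for  ... scontext=...
tcontext=... tclass=..."). The sample log is constructed from the report's
own lines, re-joined onto single lines.
"""
import re
from collections import defaultdict

# `name=` is bare in the first report and quoted in later ones; accept both.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: a subset of the denials quoted in the report, plus one
# non-AVC syslog line to show that unrelated traffic is ignored.
SAMPLE_LOG = """\
Jun 29 09:23:13 beauty kernel: audit(1120000993.282:955): avc:  denied  { search } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.324:956): avc:  denied  { search } for  pid=25324 comm="unix_chkpwd" name=pki dev=dm-0 ino=481589 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.325:957): avc:  denied  { read } for  pid=25324 comm="unix_chkpwd" name=urandom dev=tmpfs ino=747 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jun 29 09:23:13 beauty kernel: audit(1120000993.340:959): avc:  denied  { search } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.677:963): avc:  denied  { read } for  pid=25326 comm="imap" name=cert.pem dev=dm-0 ino=481616 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=lnk_file
Jul  8 06:15:09 beauty unix_chkpwd[12412]: check pass; user unknown
Jul  8 06:15:09 beauty kernel: audit(1120767309.400:3156): avc:  denied  { search } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
"""


def parse_avc(line):
    """Parse one syslog line; return its AVC fields, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    fields["perms"] = frozenset(m.group("perms").split())
    # Rules are written on types; the user and role parts of user:role:type
    # do not matter here, which is why the "root:..." denials from the first
    # report and the "system_u:..." ones from later reports collapse together.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def summarise(lines):
    """Map each (source type, target type, class) to the union of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(rules)


def allow_rules(rules):
    """Render the summary as TE allow statements, sorted for stable diffs."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(summarise(SAMPLE_LOG.splitlines())):
        print(rule)
```

Run stand-alone, the sample collapses to four rules: dovecot_auth_t and dovecot_t needing cert_t (the shared CA bundle, the point of this bug), and system_chkpwd_t needing cert_t and the random devices, which are separate needs that happen to be logged in the same second. Each tuple is its own policy decision; generated rules are a reading aid for the distribution policy work (where this bug was fixed) or a deliberately minimal local module, not something to load wholesale.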

Comment 1 Hann-Huei Chiou 2005-06-29 06:33:16 UTC
It seems that dovecot-auth uses dovecot_cert_t so the certificate can't be 
shared among sendmail, apache, etc. :(

Comment 2 Daniel Walsh 2005-07-03 15:38:50 UTC
So should I just change dovecot_cert_t to be the same as cert_t? I.e., we want
these things shared?

Dan

Comment 3 Bojan Smojver 2005-07-05 09:49:16 UTC
I just tried 1.24-3 and it still has the same issue.

To answer your question, I think the problem is with the file
/etc/pki/tls/cert.pem (and directories in which it lives), which is not part of
dovecot, but openssl. This file is a bundle of X.509 certificates of public
certificate authorities. So, I don't think dovecot_cert_t should be the same as
cert_t, but rather dovecot should be allowed to read cert_t files and
directories, as this is their purpose anyway. Other daemons may not be allowed
to view dovecot specific certificates, which is also OK. So, dovecot_cert_t
should stay.

Comment 4 Bojan Smojver 2005-07-07 20:16:50 UTC
From 1.25.1-7:
------------------------------------------------------------
Jul  8 06:15:09 beauty kernel: audit(1120767309.400:3156): avc:  denied  { search } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty kernel: audit(1120767309.441:3157): avc:  denied  { search } for  pid=12412 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty kernel: audit(1120767309.442:3158): avc:  denied  { read } for  pid=12412 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=1421 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul  8 06:15:09 beauty kernel: audit(1120767309.443:3159): avc:  denied  { read } for  pid=12412 comm="unix_chkpwd" name="random" dev=tmpfs ino=712 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jul  8 06:15:09 beauty unix_chkpwd[12412]: check pass; user unknown
Jul  8 06:15:09 beauty dovecot(pam_unix)[12411]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=bojan
Jul  8 06:15:09 beauty kernel: audit(1120767309.454:3160): avc:  denied  { search } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty kernel: audit(1120767309.457:3161): avc:  denied  { search } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty dovecot-auth[12411]: nss_ldap: reconnecting to LDAP server...
Jul  8 06:15:09 beauty kernel: audit(1120767309.684:3162): avc:  denied  { search } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty dovecot-auth[12411]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
Jul  8 06:15:09 beauty kernel: audit(1120767309.919:3163): avc:  denied  { search } for  pid=2228 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
------------------------------------------------------------

Comment 5 Bojan Smojver 2005-07-11 23:43:08 UTC
Works just fine in selinux-policy-targeted-1.25.1-7. Many thanks!

Comment 6 Bojan Smojver 2005-07-13 10:34:16 UTC
I'm a liar:

--------------------------------------
Jul 13 20:32:00 beauty kernel: audit(1121250720.521:25): avc:  denied  { search } for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.563:26): avc:  denied  { search } for  pid=3197 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.564:27): avc:  denied  { read } for  pid=3197 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=774 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 13 20:32:00 beauty kernel: audit(1121250720.565:28): avc:  denied  { read } for  pid=3197 comm="unix_chkpwd" name="random" dev=tmpfs ino=768 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jul 13 20:32:00 beauty unix_chkpwd[3197]: check pass; user unknown
Jul 13 20:32:00 beauty dovecot(pam_unix)[3196]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=bojan
Jul 13 20:32:00 beauty kernel: audit(1121250720.579:29): avc:  denied  { search } for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.583:30): avc:  denied  { search } for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty dovecot-auth[3196]: nss_ldap: reconnecting to LDAP server...
Jul 13 20:32:00 beauty kernel: audit(1121250720.609:31): avc:  denied  { search } for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
--------------------------------------

That's for selinux-policy-targeted-1.25.1-7.

Comment 7 Daniel Walsh 2005-07-13 10:56:25 UTC
Try out selinux-policy-targeted-1.25.1-9

Comment 8 Bojan Smojver 2005-07-14 01:37:29 UTC
Still seems like a no go:

-------------------------------
Jul 14 11:34:42 beauty dbus: avc:  received policyload notice (seqno=3) 
Jul 14 11:34:42 beauty dbus: avc:  0 AV entries and 0/512 buckets used, longest chain length 0

Jul 14 11:35:17 beauty kernel: audit(1121304917.760:635): avc:  denied  { search } for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.803:636): avc:  denied  { search } for  pid=20678 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.804:637): avc:  denied  { read } for  pid=20678 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=774 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 14 11:35:17 beauty kernel: audit(1121304917.805:638): avc:  denied  { read } for  pid=20678 comm="unix_chkpwd" name="random" dev=tmpfs ino=768 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jul 14 11:35:17 beauty kernel: audit(1121304917.819:639): avc:  denied  { search } for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.823:640): avc:  denied  { search } for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.847:641): avc:  denied  { search } for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.879:642): avc:  denied  { search } for  pid=2241 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
-------------------------------

Notice how it's "dovecot-auth" that's failing. I explicitly loaded the policy
with load_policy, to make sure I've got the right one. rpm -q
selinux-policy-targeted shows:

[root@beauty ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.25.1-9

Comment 9 Bojan Smojver 2005-07-15 11:57:15 UTC
Looks like the latest policy (1.25.2-4) took care of this one too. Closing for now.

