1648698 – SELinux is preventing dovecot from 'getattr' accesses on the file /proc/sys/fs/suid_dumpable.

Bug 1648698 - SELinux is preventing dovecot from 'getattr' accesses on the file /proc/sys/fs/suid_dumpable.

Summary: SELinux is preventing dovecot from 'getattr' accesses on the file /proc/sys/f...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	29
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:088a1bf98c8a3c8a5057caef8ef...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-11-11 19:32 UTC by dan
Modified:	2019-01-17 02:16 UTC (History)
CC List:	11 users (show)
Fixed In Version:	selinux-policy-3.14.2-46.fc29
Clone Of:	1630675
Environment:
Last Closed:	2019-01-17 02:16:32 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description dan 2018-11-11 19:32:43 UTC

+++ This bug was initially created as a clone of Bug #1630675 +++

Description of problem:
This har started to show up after my upgrade from F28 to F29, haven't changed any settings in dovecot
SELinux is preventing dovecot from 'getattr' accesses on the file /proc/sys/fs/suid_dumpable.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dovecot should be allowed getattr access on the suid_dumpable file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
# semodule -X 300 -i my-dovecot.pp

Additional Information:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:proc_security_t:s0
Target Objects                /proc/sys/fs/suid_dumpable [ file ]
Source                        dovecot
Source Path                   dovecot
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-34.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.5-300.fc29.x86_64 #1 SMP Fri
                              Aug 24 17:16:35 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-09-19 06:13:11 CEST
Last Seen                     2018-09-19 06:19:26 CEST
Local ID                      382e040d-0ad7-43b5-b13f-3d582163c0f8

Raw Audit Messages
type=AVC msg=audit(1537330766.95:1520): avc:  denied  { getattr } for  pid=12649 comm="dovecot" path="/proc/sys/fs/suid_dumpable" dev="proc" ino=11080399 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0


Hash: dovecot,dovecot_t,proc_security_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.14.2-34.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.5-300.fc29.x86_64
type:           libreport

--- Additional comment from Villy Kruse on 2018-10-18 15:16:55 EDT ---

Description of problem:
After upgrade from f28 to f29 this problem started occurring.

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.14-200.fc28.x86_64
type:           libreport

--- Additional comment from  on 2018-11-04 00:09:41 EDT ---

Description of problem:
This was noticed after upgrading to FC29.

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

--- Additional comment from Lukas Vrabec on 2018-11-04 07:28:10 EST ---

commit bb32a71dcac5c8f6e022151cc3e32b3b994fa136 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Sun Nov 4 13:27:51 2018 +0100

    Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)

--- Additional comment from Fedora Update System on 2018-11-05 03:19:44 EST ---

selinux-policy-3.14.2-42.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3129f981d3

--- Additional comment from Villy Kruse on 2018-11-05 15:05:55 EST ---

After updating to selinux-policy-3.14.2-42.fc29.noarch  the situation is unchanged.  That is, the bug is not solved.

--- Additional comment from Fedora Update System on 2018-11-06 17:00:22 EST ---

selinux-policy-3.14.2-42.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3129f981d3

--- Additional comment from  on 2018-11-07 11:31:21 EST ---

Notfixed by selinux-policy-3.14.2-42.fc29.

--- Additional comment from Fedora Update System on 2018-11-09 01:02:23 EST ---

selinux-policy-3.14.2-42.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Villy Kruse on 2018-11-09 01:15:07 EST ---

As the issue is not solved, can we get this re-opened?

--- Additional comment from  on 2018-11-11 14:28:53 EST ---

Description of problem:
Start Dovecot.

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 1 dan 2018-11-11 19:33:48 UTC

Unable to reopen original but but still is not resolved.

Comment 2 Matthias Andree 2018-11-29 19:30:13 UTC

Description of problem:
launched the Dovecot service


Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.19.4-300.fc29.x86_64
type:           libreport

Comment 3 Lukas Vrabec 2018-12-12 16:48:31 UTC

commit 8af94d4f2e7857d5f4e2a25a8f39272ee38509e6 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Dec 12 16:58:40 2018 +0100

    Allow dovecot_t domain to read proc_security_t BZ(1648698)

Comment 4 Chris Roadfeldt 2018-12-29 03:47:32 UTC

Description of problem:
Starting dovecot I believe.

Version-Release number of selected component:
selinux-policy-3.14.2-44.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.10-300.fc29.x86_64
type:           libreport

Comment 5 Fedora Update System 2019-01-13 15:44:48 UTC

selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 6 Fedora Update System 2019-01-14 03:03:03 UTC

selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 7 Fedora Update System 2019-01-17 02:16:32 UTC

selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.