Bug 167043 - dovecot can't write mail spool files
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2005-08-29 19:16 UTC by David Juran
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Last Closed: 2005-09-12 09:04:56 UTC
Type: ---

Description David Juran 2005-08-29 19:16:11 UTC

Description of problem:
After updating to selinux-policy-targeted-1.25.4-10, dovecot no longer was able to write mail spool files. This at least broke squirrelmail and resulted in syslog spewing out lots of lines like:

 Aug 29 18:56:06 emilia kernel: audit(1125334566.190:82): avc:  denied  { write } for  pid=26248 comm="imap" name="david" dev=dm-3 ino=32849 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:mail_spool_t tclass=file

Changing line 46 in /etc/selinux/targeted/src/policy/domains/program/dovecot.te back to 
rw_dir_create_file(dovecot_t, mail_spool_t)
instead of 
ra_dir_create_file(dovecot_t, mail_spool_t)
seems to remedy the problem.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.4-10

How reproducible:
Always

Steps to Reproduce:
1. update to selinux-policy-targeted-1.25.4-10
2. try listing your inbox using squirrelmail

  

Additional info:

Comment 1 Neil Bezuidenhout 2005-09-01 05:10:28 UTC
Setting "Disable SELinux protection for dovecot daemon" and re-starting dovecot
works as a temporary fix for the problem.

When opening Thunderbird while the error exists, the IMAP folders seem to be
reset to zero size from their original size (e.g. Sent changed from 5MB to 0MB),
which looks like the IMAP/mail folders in the user's directory are accessible by
the mail user agent, and that the problem lies with copying the mail from the
/var/spool/mail directory.

After disabling SELinux protection for dovecot, all the email returned to the
IMAP folders.

Comment 2 Ignacio Vazquez-Abrams 2005-09-03 04:52:32 UTC
Confirmed. Downgrading to selinux-policy-targeted-1.25.3-12 also allows dovecot
to work properly.

Comment 3 Carsten Clasohm 2005-09-06 08:04:21 UTC
I was able to reproduce this. The symptom on my computer was that Thunderbird
did not show any messages in the Inbox, although /var/spool/mail/my_account
contained a couple of messages. As no error messages are displayed in
Thunderbird itself, fixing this will be hard for most users - it took me
some time until I looked in /var/log/messages and found this ticket.


Comment 4 David Juran 2005-09-12 09:04:56 UTC
Seems to be fixed in selinux-policy-targeted-1.25.4-10.1 (-:
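
Added example (not part of the original report or of the selinux-policy package): a Python script that parses AVC denial lines in the kernel syslog format quoted in the description and groups them by source type, target type and object class, the triage step that points at the dovecot_t / mail_spool_t rule in dovecot.te. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the denial quoted in the report, line 2 is
# a constructed repeat with another pid, line 3 is unrelated syslog noise.
SAMPLE_LOG = """\
Aug 29 18:56:06 emilia kernel: audit(1125334566.190:82): avc:  denied  { write } for  pid=26248 comm="imap" name="david" dev=dm-3 ino=32849 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:mail_spool_t tclass=file
Aug 29 18:56:09 emilia kernel: audit(1125334569.412:83): avc:  denied  { write } for  pid=26251 comm="imap" name="david" dev=dm-3 ino=32849 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:mail_spool_t tclass=file
Aug 29 18:56:10 emilia sshd[2011]: session opened for user david
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not a complete one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record: do not guess the missing fields
    src, tgt = rec["scontext"].split(":"), rec["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None  # a context is user:role:type[:range]; anything shorter is malformed
    rec["perms"] = m.group("perms").split()
    rec["source_type"], rec["target_type"] = src[2], tgt[2]
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class) -> perms, comms, count."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source_type"], rec["target_type"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        g["count"] += 1
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE_LOG).items():
        print(f"{g['count']}x {src} -> {tgt}:{cls} denied {sorted(g['perms'])} comm={sorted(g['comms'])}")
```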

