1765897 – Dovecot not able to read filesystem quota

Bug 1765897 - Dovecot not able to read filesystem quota

Summary: Dovecot not able to read filesystem quota

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	31
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-10-27 05:15 UTC by Marek Greško
Modified:	2019-11-17 01:12 UTC (History)
CC List:	1 user (show)
Fixed In Version:	selinux-policy-3.14.4-40.fc31.noarch
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-11-17 01:12:54 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Marek Greško 2019-10-27 05:15:31 UTC

Description of problem:
Selinux is preventing dovecot from reading filesystem quota

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.3-46.fc30.noarch


How reproducible:


Steps to Reproduce:
1. enable quota plugin in dovecot:   quota = fs:User quota
2. start dovecot
3. access the maildir

Actual results:
AVC avc:  denied  { quotaget } for  pid=7538 comm="imap" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0

Expected results:
Dovecot is able to read filesystem quota.

Additional info:

Comment 1 Lukas Vrabec 2019-10-29 09:38:18 UTC

commit 2f6f911dab62b01aa1c417bc168b56d53510c8d3 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 29 10:28:45 2019 +0100

    Allow dovecot get filesystem quotas
    
    Allow processes labeled as dovecot_t domain to use quota plugin.
    
    Resolves: rhbz#1765897

Comment 2 Fedora Update System 2019-11-03 14:10:35 UTC

FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 3 Fedora Update System 2019-11-04 02:09:59 UTC

selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 4 Marek Greško 2019-11-05 22:18:57 UTC

Unfortunately, in the meantime I upgraded to Fedora 31. I am no longer able to test F30 packages. The problem is present in Fedora 31.

Comment 5 Lukas Vrabec 2019-11-06 08:44:05 UTC

Marek, 

What is output of:

# rpm -q selinux-policy 

THanks,
Lukas.

Comment 6 Marek Greško 2019-11-06 19:13:35 UTC

selinux-policy-3.14.4-39.fc31.noarch

Comment 7 Lukas Vrabec 2019-11-07 12:24:01 UTC

Hi Marek, 

# sesearch -A -s dovecot_t -t fs_t -c filesystem 
allow dovecot_t filesystem_type:filesystem { getattr quotaget };

# rpm -q selinux-policy 
selinux-policy-3.14.4-40.fc31.noarch

It's fixed in the latest selinux-policy rpm package. You can install form updates-testing before it will be moved to the updates repository. 

# dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2019-aec8f7ab50

Thanks,
Lukas.

Comment 8 Marek Greško 2019-11-07 16:54:49 UTC

Hi,

I confirm that selinux-policy-3.14.4-40.fc31.noarch fixes the problem.

Thanks

Marek

Comment 9 Fedora Update System 2019-11-17 01:12:54 UTC

selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.