Bug 1881884 - SELinux policy denies dovecot's bind to TCP submission ports 465/587
Summary: SELinux policy denies dovecot's bind to TCP submission ports 465/587
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.4
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: 8.4
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-09-23 10:08 UTC by Graham Leggett
Modified: 2021-05-18 14:58 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 14:57:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Graham Leggett 2020-09-23 10:08:10 UTC
Description of problem:

If dovecot is configured to enable the "submission" service with "protocols = $protocols submission" and ports 465 and 587, SELinux refuses to allow dovecot to start.

Version-Release number of selected component (if applicable):


How reproducible:

Always.

Steps to Reproduce:
1. Configure dovecot to enable the submission service:

protocols = $protocols submission

2. Optional: add the legacy 465 port as follows:

service submission-login {
  inet_listener submission {
    port = 587
  }
  inet_listener submission_legacy {
    port = 465
  }
}

3.

Actual results:

Dovecot refuses to start:

Sep 23 11:57:13 gatekeeper dovecot[44137]: master: Error: bind(0.0.0.0, 587) failed: Permission denied
Sep 23 11:57:13 gatekeeper dovecot[44137]: master: Error: service(submission-login): listen(*, 587) failed: Permission denied
Sep 23 11:57:13 gatekeeper dovecot[44137]: master: Error: bind(::, 587) failed: Permission denied
Sep 23 11:57:13 gatekeeper dovecot[44137]: master: Error: service(submission-login): listen(::, 587) failed: Permission denied
Sep 23 11:57:13 gatekeeper dovecot[44137]: master: Error: bind(0.0.0.0, 465) failed: Permission denied
Sep 23 11:57:13 gatekeeper dovecot[44137]: master: Error: service(submission-login): listen(*, 465) failed: Permission denied
Sep 23 11:57:13 gatekeeper dovecot[44137]: master: Error: bind(::, 465) failed: Permission denied
Sep 23 11:57:13 gatekeeper dovecot[44137]: master: Error: service(submission-login): listen(::, 465) failed: Permission denied
Sep 23 11:57:13 gatekeeper dovecot[44137]: master: Fatal: Failed to start listeners

Expected results:

Dovecot starts as expected.

Additional info:

Comment 1 Graham Leggett 2020-09-27 12:35:44 UTC
Quick ping on this one - we have had to temporarily disable selinux to work around this, any news on when we can turn it back on?

Comment 2 Zdenek Pytela 2020-09-29 09:39:33 UTC
Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution. 

This bz will be evaluated for inclusion into the next minor product update. These workarounds are available:

- set the domain to permissive:

  # semanage permissive -a dovecot_t

- create a local SELinux policy module

Comment 4 Milos Malik 2020-10-02 07:17:09 UTC
# rpm -qa selinux\* dovecot\* | sort
dovecot-2.3.8-4.el8.x86_64
selinux-policy-3.14.3-54.el8.noarch
selinux-policy-devel-3.14.3-54.el8.noarch
selinux-policy-doc-3.14.3-54.el8.noarch
selinux-policy-minimum-3.14.3-54.el8.noarch
selinux-policy-mls-3.14.3-54.el8.noarch
selinux-policy-sandbox-3.14.3-54.el8.noarch
selinux-policy-targeted-3.14.3-54.el8.noarch
# grep ^protocols /etc/dovecot/dovecot.conf 
protocols = imap pop3 lmtp submission
#

The following SELinux denial appeared after starting the dovecot service:
----
type=PROCTITLE msg=audit(10/02/2020 09:13:43.841:982) : proctitle=/usr/sbin/dovecot -F 
type=SOCKADDR msg=audit(10/02/2020 09:13:43.841:982) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=587 } 
type=SYSCALL msg=audit(10/02/2020 09:13:43.841:982) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x12 a1=0x7fff4c21d9c0 a2=0x10 a3=0x7fff4c21d9b8 items=0 ppid=1 pid=67058 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null) 
type=AVC msg=audit(10/02/2020 09:13:43.841:982) : avc:  denied  { name_bind } for  pid=67058 comm=dovecot src=587 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0 
----

Comment 5 Milos Malik 2020-10-02 07:19:26 UTC
The only SELinux denial which appeared in permissive mode is:
----
type=PROCTITLE msg=audit(10/02/2020 09:17:33.968:1003) : proctitle=/usr/sbin/dovecot -F 
type=SOCKADDR msg=audit(10/02/2020 09:17:33.968:1003) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=587 } 
type=SYSCALL msg=audit(10/02/2020 09:17:33.968:1003) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x13 a1=0x7ffc0a6b99a0 a2=0x10 a3=0x7ffc0a6b9998 items=0 ppid=1 pid=68509 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null) 
type=AVC msg=audit(10/02/2020 09:17:33.968:1003) : avc:  denied  { name_bind } for  pid=68509 comm=dovecot src=587 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=1 
----

Comment 8 Graham Leggett 2020-10-02 10:33:19 UTC
Neither the submission port (port 587) nor the submissions port (port 465, SSL) work when dovecot is asked to be the submissions server.

If you don't configure dovecot to listen on the secure submission port (465), dovecot won't try to bind.

Comment 9 Milos Malik 2020-10-02 11:39:19 UTC
From the SELinux policy point of view, both ports have the same SELinux label:

# seinfo --portcon 465 | grep tcp
   portcon tcp 1-511 system_u:object_r:reserved_port_t:s0
   portcon tcp 465 system_u:object_r:smtp_port_t:s0
# seinfo --portcon 587 | grep tcp
   portcon tcp 512-1023 system_u:object_r:hi_reserved_port_t:s0
   portcon tcp 587 system_u:object_r:smtp_port_t:s0
#

Which means that binding to both ports can be allowed using 1 rule:

allow dovecot_t smtp_port_t : tcp_socket { name_bind };

Comment 10 Milos Malik 2020-10-02 12:00:59 UTC
# grep -A 7 submission-login /etc/dovecot/conf.d/10-master.conf 
service submission-login {
  inet_listener submission {
    port = 587
  }
  inet_listener submission_legacy {
    port = 465
  }
}
#

Here they are:
----
type=PROCTITLE msg=audit(10/02/2020 07:57:20.739:318) : proctitle=/usr/sbin/dovecot -F 
type=SYSCALL msg=audit(10/02/2020 07:57:20.739:318) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x12 a1=0x7ffc78bfcf40 a2=0x10 a3=0x7ffc78bfcf38 items=0 ppid=1 pid=6671 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null) 
type=AVC msg=audit(10/02/2020 07:57:20.739:318) : avc:  denied  { name_bind } for  pid=6671 comm=dovecot src=587 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0 
----
type=PROCTITLE msg=audit(10/02/2020 07:57:20.740:319) : proctitle=/usr/sbin/dovecot -F 
type=SYSCALL msg=audit(10/02/2020 07:57:20.740:319) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x12 a1=0x7ffc78bfcf40 a2=0x1c a3=0x7ffc78bfcf38 items=0 ppid=1 pid=6671 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null) 
type=AVC msg=audit(10/02/2020 07:57:20.740:319) : avc:  denied  { name_bind } for  pid=6671 comm=dovecot src=587 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0 
----
type=PROCTITLE msg=audit(10/02/2020 07:57:20.740:320) : proctitle=/usr/sbin/dovecot -F 
type=SYSCALL msg=audit(10/02/2020 07:57:20.740:320) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x12 a1=0x7ffc78bfcf40 a2=0x10 a3=0x7ffc78bfcf38 items=0 ppid=1 pid=6671 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null) 
type=AVC msg=audit(10/02/2020 07:57:20.740:320) : avc:  denied  { name_bind } for  pid=6671 comm=dovecot src=465 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0 
----
type=PROCTITLE msg=audit(10/02/2020 07:57:20.740:321) : proctitle=/usr/sbin/dovecot -F 
type=SYSCALL msg=audit(10/02/2020 07:57:20.740:321) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x12 a1=0x7ffc78bfcf40 a2=0x1c a3=0x7ffc78bfcf38 items=0 ppid=1 pid=6671 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null) 
type=AVC msg=audit(10/02/2020 07:57:20.740:321) : avc:  denied  { name_bind } for  pid=6671 comm=dovecot src=465 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0 
----
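Comments 4 through 10 quote the raw AVC records and comment 9 gives the single rule that covers both ports. The script below is an added example, not part of this bug report or of the selinux-policy project: it parses those records audit2allow-style, collapses the per-port denials into one rule (both ports carry smtp_port_t), and renders the "local SELinux policy module" workaround from comment 2 as checkmodule-ready .te source. The sample records are copied from the denials quoted above; the module name dovecot_submission is an assumed name.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the denials quoted in this bug: two AVC records
# (one per port) plus a SYSCALL record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(10/02/2020 07:57:20.739:318) : avc:  denied  { name_bind } for  pid=6671 comm=dovecot src=587 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(10/02/2020 07:57:20.740:320) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied)
type=AVC msg=audit(10/02/2020 07:57:20.740:320) : avc:  denied  { name_bind } for  pid=6671 comm=dovecot src=465 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
"""

# Pull the permission set, source domain, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

def parse_denials(text):
    """Return (source_domain, target_type, tclass, perms) for every AVC denial in the audit text."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m:
            found.append((m["sdom"], m["ttype"], m["tclass"], frozenset(m["perms"].split())))
    return found

def allow_rules(denials):
    """Collapse denials into one allow rule per (domain, type, class); ports 465 and 587 both map to smtp_port_t."""
    merged = defaultdict(set)
    for sdom, ttype, tclass, perms in denials:
        merged[(sdom, ttype, tclass)] |= perms
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in merged.items())

def policy_module(name, denials):
    """Render checkmodule-style .te source: a require block plus the collapsed allow rules."""
    types = sorted({t for sdom, ttype, _, _ in denials for t in (sdom, ttype)})
    classes = defaultdict(set)
    for _, _, tclass, perms in denials:
        classes[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(policy_module("dovecot_submission", parse_denials(SAMPLE_AUDIT)), end="")
```

The rendered source is built and loaded with `checkmodule -M -m -o dovecot_submission.mod dovecot_submission.te`, `semodule_package -o dovecot_submission.pp -m dovecot_submission.mod` and `semodule -i dovecot_submission.pp`. Unlike the permissive-domain workaround, this grants dovecot_t only the single name_bind permission that the denials show it needs.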

Comment 11 Zdenek Pytela 2020-11-10 17:14:18 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/362

Comment 20 errata-xmlrpc 2021-05-18 14:57:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639

