Description of problem:
Using dovecot locally, pretty much in the default configuration. It works fine in enforcing mode, but some SE warnings pop up.

SELinux is preventing auth from 'getattr' accesses on the filesystem /proc.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that auth should be allowed getattr access on the proc filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'auth' --raw | audit2allow -M my-auth
# semodule -X 300 -i my-auth.pp

Additional Information:
Source Context                system_u:system_r:dovecot_auth_t:s0
Target Context                system_u:object_r:proc_t:s0
Target Objects                /proc [ filesystem ]
Source                        auth
Source Path                   auth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           filesystem-3.14-3.fc33.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.6-28.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-28.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.8.6-301.fc33.x86_64 #1 SMP Fri Sep 4 04:57:36 UTC 2020 x86_64 x86_64
Alert Count                   60
First Seen                    2020-09-26 20:57:35 CEST
Last Seen                     2020-10-02 17:28:56 CEST
Local ID                      12b18d8d-bd58-4170-af27-9773e9d48640

Raw Audit Messages
type=AVC msg=audit(1601652536.598:6989): avc: denied { getattr } for pid=326637 comm="auth" name="/" dev="proc" ino=1 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0

Hash: auth,dovecot_auth_t,proc_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-28.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.8.6-301.fc33.x86_64
type:           libreport
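Added example, not part of the original report or of setroubleshoot: the suggested `ausearch -c 'auth' --raw | audit2allow -M my-auth` turns every denial logged for `comm="auth"` into an allow rule, so this sketch parses the raw AVC records and emits a rule only for the reviewed tuple from this bug, holding anything else back. The function names, the `REVIEWED` set and the second sample record are assumptions made for illustration.

```python
import re

# Line 1 is the raw AVC record from the report above; line 2 is constructed
# to stand for an unrelated denial logged under the same comm="auth".
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1601652536.598:6989): avc: denied { getattr } for pid=326637 comm="auth" name="/" dev="proc" ino=1 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1601652540.100:6990): avc: denied { read write } for pid=326637 comm="auth" name="shadow" dev="dm-0" ino=42 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical allow-list: the one (source, target, class, permission) reviewed here.
REVIEWED = {('dovecot_auth_t', 'proc_t', 'filesystem', 'getattr')}

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= f.keys():
        return None
    return {'comm': f.get('comm', ''),
            'source': f['scontext'].split(':')[2],   # user:role:type:level
            'target': f['tcontext'].split(':')[2],
            'tclass': f['tclass'],
            'perms': m.group('perms').split()}

def denial_key(d):
    """Same field order as the report's 'Hash:' line."""
    return ','.join([d['comm'], d['source'], d['target'], d['tclass'], *d['perms']])

def allow_rule(d):
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"

def triage(audit_text):
    """Split denials into rules covered by REVIEWED and rules held for review."""
    approved, held = set(), set()
    for d in filter(None, map(parse_avc, audit_text.splitlines())):
        ok = all((d['source'], d['target'], d['tclass'], p) in REVIEWED for p in d['perms'])
        (approved if ok else held).add(allow_rule(d))
    return sorted(approved), sorted(held)

if __name__ == '__main__':
    approved, held = triage(SAMPLE_AUDIT)
    print('local module:', approved)
    print('needs review:', held)
```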
Mads, This is a result of a change in pam and is already allowed for all domains in the login_pgm attribute which is not the case of dovecot/auth.
Similar problem has been detected:

This always happens when dovecot needs to check the login password of a user. One of the pam modules is checking if /proc is a file system, in which case it can know which files need to be closed.

commit 1b087edc7f05237bf5eccc405704cd82b848e761
Author: Christophe Besson <cbesson>
Date: Wed Aug 7 14:25:51 2019 +0200

libpam/pam_modutil_sanitize.c: optimize the way to close fds

hashmarkername: setroubleshoot
kernel:         5.8.15-301.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-28.fc33.noarch
reason:         SELinux is preventing auth from 'getattr' accesses on the filesystem /proc.
type:           libreport
Will the bug be fixed any time soon? Clients cannot connect to the mail server. Have not found a suitable workaround. Need a temporary fix or resolution before I can upgrade to Fedora 33.
Is this a fault in selinux or should dovecot be blamed? Hints as to a workaround?
The new cryptographic settings in Fedora 33 prevented Microsoft Outlook clients from connecting to my mail server. Office 365 clients apparently still use weak algorithms. Interestingly, Fedora 33's version of Evolution also seems to be affected. I confirmed that compatibility was restored by switching my system to Fedora 32 policy level. Sadly, the SELinux warning persists. It seems to pop up immediately after a client checks for new mail.
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/512
Backporting: https://github.com/fedora-selinux/selinux-policy-contrib/pull/386
Similar problem has been detected:

Uncertain.

hashmarkername: setroubleshoot
kernel:         5.9.15-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-33.fc33.noarch
reason:         SELinux is preventing auth from 'getattr' accesses on the filesystem /proc.
type:           libreport
FEDORA-2021-6030ff881c has been submitted as an update to Fedora 33.
https://bodhi.fedoraproject.org/updates/FEDORA-2021-6030ff881c
FEDORA-2021-6030ff881c has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-6030ff881c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-6030ff881c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-6030ff881c has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.