Bug 2165863 - Dovecot SELinux policy incorrect to incomplete for /var/spool/dovecot/
Summary: Dovecot SELinux policy incorrect to incomplete for /var/spool/dovecot/
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2023-06-13
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Nobody
QA Contact: Amith
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-01-31 09:48 UTC by Colin.Simpson
Modified: 2023-11-07 11:22 UTC (History)

Fixed In Version: selinux-policy-38.1.15-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-07 08:52:17 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-147010 0 None None None 2023-01-31 09:52:32 UTC
Red Hat Product Errata RHBA-2023:6617 0 None None None 2023-11-07 08:52:36 UTC

Description Colin.Simpson 2023-01-31 09:48:38 UTC
Description of problem:
In Dovecot I don't want to hold users' email folders in home directories, so I use a directory that is specified in the Postfix SELinux policy, /var/spool/dovecot/.

To be clear the config for this is:

mail_location = mbox:/var/spool/dovecot/%u/:INBOX=/var/mail/%u

This location doesn't exist by default, so I'm unsure why it would be in the SELinux policy if not to centrally store users' folders (or maybe I'm missing its intended purpose completely).

But specifying this sort of works except I need to amend the policy with:

allow dovecot_t dovecot_spool_t:file map;

So either:
1/ I miss the point of this location /var/spool/dovecot
2/ The SELinux policy needs amending for this location
3/ Or this location shouldn't be in the SELinux policy at all.

I realise my config is probably unfashionable for dovecot, but there should be a way to achieve this with the SELinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-34.1.43-1.el9

How reproducible:
Every time

Steps to Reproduce:
1. Set in dovecot:
mail_location = mbox:/var/spool/dovecot/%u/:INBOX=/var/mail/%u

2. See the partial failures in audit.log when connecting on IMAP and attempting to
create new folders and copy emails into this folder, i.e. treat it like a mail folder.


Actual results:

Expected results:


Additional info:

Comment 1 Nikola Knazekova 2023-02-03 10:32:37 UTC
Hi Colin,

Is this the only change in the config?

What version of Dovecot is it?

Can you reproduce the issue in permissive mode with full auditing enabled and attach AVC denials?

Do: 

# setenforce 0

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Thank you, 

Nikola

Comment 2 Colin.Simpson 2023-02-04 10:16:33 UTC
My dovecot is the latest shipped
dovecot-2.3.16-7.el9.x86_64

The only really relevant setup change for this scenario is in 10-mail.conf:

mail_location = mbox:/var/spool/dovecot/%u/:INBOX=/var/mail/%u

namespace inbox {
  # Namespace type: private, shared or public
  type = private

Other than this it's just imap and ssl.

Other setup:
mkdir /var/spool/dovecot/
restorecon -F /var/spool/dovecot/
chmod 1777 /var/spool/dovecot

And the mailbox permission change that dovecot wants:
chgrp csimpson /var/spool/mail/csimpson 

If you start dovecot now and connect via IMAP, create a new folder it all works. 

You seem to get an AVC denial when you try to move or copy an email from the mailbox into the new IMAP folder.

type=AVC msg=audit(1675504583.374:230): avc:  denied  { map } for  pid=5833 comm="imap" path="/var/spool/dovecot/csimpson/.imap/INBOX/dovecot.index.cache" dev="dm-0" ino=50556101 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_spool_t:s0 tclass=file permissive=1

cat /var/log/audit/audit.log | audit2allow 


#============= dovecot_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow dovecot_t dovecot_spool_t:file map;

Comment 3 Nikola Knazekova 2023-02-07 18:48:22 UTC
Thank you

PR: https://github.com/fedora-selinux/selinux-policy/pull/1592

Comment 12 Zdenek Pytela 2023-06-01 08:58:12 UTC
As discussed today, the requested permissions seem to be legitimate given the current status:

rhel93# sesearch -A -s dovecot_deliver_t -t dovecot_spool_t -c file
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow mailserver_delivery dovecot_spool_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };

rhel93# sesearch -A -s dovecot_deliver_t -t dovecot_spool_t -c dir
allow mailserver_delivery dovecot_spool_t:dir { add_name getattr ioctl lock open read remove_name search write };

Amith, can you add the permissions and test again in SELinux enforcing?

rhel93# cat local_dovecot.cil
(allow dovecot_deliver_t dovecot_spool_t (file (map)))
(allow dovecot_deliver_t dovecot_spool_t (dir (create)))
rhel93# semodule -i local_dovecot.cil
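The denial pasted in comment 2 and the local CIL module in comment 12 are two ends of the same workflow: collect AVC records (as in the ausearch step of comment 1), reduce them to (source type, target type, class, permission) tuples, and write targeted allow rules that can be reviewed before `semodule -i`. The following Python script is an added example, not code from the bug report or from selinux-policy; it is a small stand-in for what `audit2allow` does. The first record in the constructed sample is the real AVC line from comment 2; the second (a `create` denial for `dovecot_deliver_t` on a `dir`) is made up to mirror the second rule of Zdenek's module and is labelled as such in the code. The `BOOLEAN_HINTS` table holds only the one pairing audit2allow reported on this page.

```python
"""Added example (not from the bug report): reduce SELinux AVC denial records to
targeted CIL allow rules in the form used in comment 12, so the proposed grant
can be reviewed before it is loaded with `semodule -i`."""
import re
from collections import defaultdict

# Constructed sample input. Record 1 is the denial from comment 2 verbatim;
# record 2 is made up to show how a second domain/class collapses into the
# same module; record 3 is non-AVC noise that the parser must skip.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1675504583.374:230): avc:  denied  { map } for  pid=5833 comm="imap" path="/var/spool/dovecot/csimpson/.imap/INBOX/dovecot.index.cache" dev="dm-0" ino=50556101 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_spool_t:s0 tclass=file permissive=1
type=AVC msg=audit(1675504600.000:231): avc:  denied  { create } for  pid=5840 comm="dovecot-lda" name="test_user" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:dovecot_spool_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1675504600.000:231): arch=c000003e syscall=83 success=yes exit=0
"""

# One AVC record: the permission set in braces, then the contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions the stock policy can grant through a boolean instead of a custom
# module. The 'map' -> domain_can_mmap_files pairing is the one audit2allow
# printed in comment 2; note from comment 12 that the boolean enables
# "allow domain file_type:file map", i.e. every domain on every file type.
BOOLEAN_HINTS = {("file", "map"): "domain_can_mmap_files"}


def type_of(context: str) -> str:
    """Return the type (third field) of a user:role:type:level security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def parse_denials(log_text: str):
    """Yield (source_type, target_type, tclass, permission) per denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other non-AVC records are ignored
        src, tgt, cls = type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"]
        for perm in m["perms"].split():
            yield src, tgt, cls, perm


def to_cil(log_text: str):
    """Aggregate denials into one CIL allow rule per (source, target, class)."""
    rules = defaultdict(set)
    for src, tgt, cls, perm in parse_denials(log_text):
        rules[(src, tgt, cls)].add(perm)
    return [
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def boolean_alternatives(log_text: str):
    """Booleans that would also cover a denial, for comparison with the targeted rule."""
    found = {
        BOOLEAN_HINTS[(cls, perm)]
        for _, _, cls, perm in parse_denials(log_text)
        if (cls, perm) in BOOLEAN_HINTS
    }
    return sorted(found)


if __name__ == "__main__":
    # Writing these lines to local_dovecot.cil and running `semodule -i` on it
    # is the step shown in comment 12.
    for rule in to_cil(SAMPLE_AVC_LOG):
        print(rule)
    for b in boolean_alternatives(SAMPLE_AVC_LOG):
        print(f";; broader alternative: setsebool -P {b} on")
```

Running the script prints `(allow dovecot_deliver_t dovecot_spool_t (dir (create)))` and `(allow dovecot_t dovecot_spool_t (file (map)))`, the same shape as the module in comment 12, followed by the `domain_can_mmap_files` hint. The targeted rules are the better fix for a policy package: the boolean grants `map` to every domain on every file type, whereas the CIL rules grant it only to the Dovecot domains on `dovecot_spool_t`.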

Comment 13 Amith 2023-06-01 11:09:39 UTC
(In reply to Zdenek Pytela from comment #12)
> As discussed today, the requested permission seem to be legitimate given the
> current status:
> 
> rhel93# sesearch -A -s dovecot_deliver_t -t dovecot_spool_t -c file
> allow domain file_type:file map; [ domain_can_mmap_files ]:True
> allow mailserver_delivery dovecot_spool_t:file { append create getattr ioctl
> link lock open read rename setattr unlink watch watch_reads write };
> 
> rhel93# sesearch -A -s dovecot_deliver_t -t dovecot_spool_t -c dir
> allow mailserver_delivery dovecot_spool_t:dir { add_name getattr ioctl lock
> open read remove_name search write };
> 
> Amith, can you add the permissions and test again in SELinux enforcing?
> 
> rhel93# cat local_dovecot.cil
> (allow dovecot_deliver_t dovecot_spool_t (file (map)))
> (allow dovecot_deliver_t dovecot_spool_t (dir (create)))
> rhel93# semodule -i local_dovecot.cil


I added the rules and got a clean GREEN run without any AVC. Here is the test OUTPUT:


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Dovecot SELinux policy incorrect for /var/spool/dovecot/ bz2165863
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:02:40 ] :: [   INFO   ] :: using '/var/tmp/beakerlib-21524003/backup' as backup destination
:: [ 07:02:40 ] :: [   INFO   ] :: using '/var/tmp/beakerlib-21524003/backup' as backup destination
:: [ 07:02:40 ] :: [   INFO   ] :: using '/var/tmp/beakerlib-21524003/backup' as backup destination
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'restorecon -Rv ~/Maildir' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'useradd -m test_user' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'echo RedHat | passwd --stdin test_user' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'sed -i '/home_mailbox/d' /etc/postfix/main.cf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'echo 'home_mailbox = Maildir/' >> /etc/postfix/main.cf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'sed -i '/mailbox_command/d' /etc/postfix/main.cf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'echo mailbox_command = /usr/libexec/dovecot/dovecot-lda -f \"\$SENDER\" -a \"\$RECIPIENT\"  >> /etc/postfix/main.cf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'sed -i "s/^.*postmaster_address.*$/postmaster_address = root/" /etc/dovecot/conf.d/15-lda.conf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'cat > ~/.fetchmailrc <<EOF
EOF' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'chmod 700 ~/.fetchmailrc' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'sed -i '/protocols/d' /etc/dovecot/dovecot.conf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'echo 'protocols = imap pop3' >> /etc/dovecot/dovecot.conf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'sed -i '/mail_location/d' /etc/dovecot/conf.d/10-mail.conf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'echo 'mail_location = mbox:/var/spool/dovecot/%u/:INBOX=/var/mail/%u' >> /etc/dovecot/conf.d/10-mail.conf' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'mkdir /var/spool/dovecot/' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'restorecon -F /var/spool/dovecot/' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'chmod 1777 /var/spool/dovecot' (Expected 0, got 0)
:: [ 07:02:40 ] :: [   PASS   ] :: Command 'chgrp test_user /var/spool/mail/test_user' (Expected 0, got 0)
:: [ 07:02:42 ] :: [   PASS   ] :: Command 'service postfix restart' (Expected 0, got 0)
:: [ 07:02:42 ] :: [   PASS   ] :: Command 'service dovecot restart' (Expected 0, got 0)
:: [ 07:02:42 ] :: [   PASS   ] :: Command 'dovecot -n' (Expected 0, got 0)
:: [ 07:02:42 ] :: [   PASS   ] :: Command 'sendmail test_user@localhost <<EOF
Check the test mail
EOF' (Expected 0, got 0)
:: [ 07:02:44 ] :: [   PASS   ] :: Command 'cat > ~/.fetchmailrc <<EOF
poll localhost protocol imap:
     username "test_user" password "RedHat";
EOF' (Expected 0, got 0)
:: [ 07:02:45 ] :: [   PASS   ] :: Command 'fetchmail --nosslcertck' (Expected 0, got 0)
:: [ 07:02:45 ] :: [   PASS   ] :: Command 'ausearch -m AVC -m USER_AVC --start 07:02:40' (Expected 1, got 1)
:: [ 07:02:45 ] :: [   PASS   ] :: Result of matchpathcon /var/spool/dovecot/ should contain dovecot_spool_t (Assert: expected 0, got 0)
:: [ 07:02:46 ] :: [   PASS   ] :: Result of matchpathcon /var/spool/dovecot/test_user should contain dovecot_spool_t (Assert: expected 0, got 0)
:: [ 07:02:46 ] :: [   INFO   ] :: rlSESearchRule: checking rule 'allow dovecot_t dovecot_spool_t : file { map }'
:: [ 07:02:48 ] :: [   PASS   ] ::   check permission 'map' is present (Assert: '0' should equal '0')
:: [ 07:02:48 ] :: [   INFO   ] :: rlSESearchRule: checking rule 'allow dovecot_deliver_t dovecot_spool_t : file { map }'
:: [ 07:02:50 ] :: [   PASS   ] ::   check permission 'map' is present (Assert: '0' should equal '0')
:: [ 07:02:50 ] :: [   INFO   ] :: rlSESearchRule: checking rule 'allow dovecot_deliver_t dovecot_spool_t : dir { create }'
:: [ 07:02:52 ] :: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [ 07:02:53 ] :: [   PASS   ] :: Command 'userdel -rf test_user' (Expected 0, got 0)
:: [ 07:02:54 ] :: [   PASS   ] :: Command 'service dovecot stop' (Expected 0, got 0)
:: [ 07:02:54 ] :: [   PASS   ] :: Command 'rm -rf /var/spool/dovecot' (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 14s
::   Assertions: 33 good, 0 bad
::   RESULT: PASS (Dovecot SELinux policy incorrect for /var/spool/dovecot/ bz2165863)

Comment 16 Nikola Knazekova 2023-06-14 14:03:03 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/1739

Comment 17 Zdenek Pytela 2023-06-14 15:20:33 UTC
Commit to backport:
7a77beac6 (HEAD -> rawhide, upstream/rawhide) Allow dovecot_deliver_t create/map dovecot_spool_t dir/file

Comment 27 errata-xmlrpc 2023-11-07 08:52:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617

