Bug 249119 - dovecot pop3s triggers SELinux
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: dovecot
Version: 5.0
Hardware: i386 Linux
Priority: low  Severity: medium
Assigned To: Tomas Janousek
Reported: 2007-07-20 19:45 EDT by Ronald Cole
Modified: 2007-11-30 17:07 EST
Fixed In Version: selinux-policy-2.4.6-52.el5
Doc Type: Bug Fix
Last Closed: 2007-08-04 11:17:59 EDT
Description Ronald Cole 2007-07-20 19:45:58 EDT
Description of problem:
I configured dovecot to only do pop3s as indicated in the RHEL5 documentation. 
Connecting to the server results in five separate entries in
/var/log/audit/audit.log with SELinux in Permissive mode.

Version-Release number of selected component (if applicable):
dovecot-1.0-1.2.rc15.el5

How reproducible:
Every time!

Steps to Reproduce:
1.  Make the following change to /etc/dovecot.conf:
--- dovecot.conf~       2007-03-14 06:07:19.000000000 -0700
+++ dovecot.conf        2007-07-11 19:55:35.000000000 -0700
@@ -15,6 +15,7 @@
 # Protocols we want to be serving: imap imaps pop3 pop3s
 # If you only want to use dovecot-auth, you can set this to "none".
 #protocols = imap imaps pop3 pop3s
+protocols = pop3s

 # IP or host address where to listen in for connections. It's not currently
 # possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
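Review bot: `protocols = pop3s` is the only functional change in this hunk and is the right way to drop the plaintext pop3 listener, but an SSL-only listener still needs a server certificate and none of the SSL settings appear in this diff; the reproduction steps should say which certificate the pop3s listener used (the one installed with the package, or a custom one), otherwise a reader cannot tell whether step 3's connection exercised the same code path.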
@@ -202,6 +203,8 @@
 # http://wiki.dovecot.org/MailLocation
 #
 #mail_location =
+#mail_location = mbox:/var/empty:INBOX=/var/mail/%u:INDEX=MEMORY
+mail_location = mbox:/dev/null/:INBOX=/var/mail/%u:INDEX=MEMORY

 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections:
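Review bot: `mail_location = mbox:/dev/null/:INBOX=/var/mail/%u:INDEX=MEMORY` points the mbox root directory at a character device (with a trailing slash), while the commented-out line just above it uses `/var/empty` for the same purpose; `/var/empty` is the conventional way to expose only INBOX and keeps the repro from depending on how the mbox backend handles a non-directory root. Either switch to that line or note why `/dev/null/` was chosen.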

2. start dovecot
3. access via pop3s
  
Actual results:
The following entries in /var/log/audit/audit.log, for each connection:
type=AVC msg=audit(1184971654.231:29872): avc:  denied  { create } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.231:29872): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bfb48ef4 a2=49db1ff4 a3=bfb49171 items=0 ppid=11333 pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3" subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29873): avc:  denied  { bind } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29873): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfb48ef4 a2=49db1ff4 a3=4 items=0 ppid=11333 pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3" subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29874): avc:  denied  { getattr } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29874): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfb48ef4 a2=49db1ff4 a3=4 items=0 ppid=11333 pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3" subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29875): avc:  denied  { write } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1184971654.232:29875): avc:  denied  { nlmsg_read } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29875): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfb47e34 a2=49db1ff4 a3=ffffffcc items=0 ppid=11333 pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3" subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29876): avc:  denied  { read } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29876): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfb47e34 a2=49db1ff4 a3=ffffffcc items=0 ppid=11333 pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3" subj=root:system_r:dovecot_t:s0 key=(null)


Expected results:
pop3s access to dovecot to not cause problems with SELinux.

Additional info:
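The audit records in the report, run through a small analyzer added here as an example. It is not code from the report, from dovecot or from Red Hat's tooling; it reimplements the grouping that audit2allow performs and decodes the i386 socketcall sub-calls, and its only input is the records posted above, embedded as a constructed sample with each record joined back onto one line. It shows what a policy maintainer extracts from such a report: the single allow rule the six denials reduce to, which socket call each denial came from (socket, bind, getsockname, sendto, recvmsg on the netlink route socket), and, from success=yes on every SYSCALL record, that the reporter was indeed in Permissive mode, since in Enforcing mode pop3 would have failed at the first socket() call.

```python
import re
from collections import defaultdict

# Constructed sample: the six AVC denials and matching SYSCALL records from the report
# above, one audit record per line (the wrapped form in the report is a display artifact).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1184971654.231:29872): avc:  denied  { create } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.231:29872): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bfb48ef4 a2=49db1ff4 a3=bfb49171 items=0 ppid=11333 pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3" subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29873): avc:  denied  { bind } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29873): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfb48ef4 a2=49db1ff4 a3=4 items=0 ppid=11333 pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3" subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29874): avc:  denied  { getattr } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29874): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfb48ef4 a2=49db1ff4 a3=4 items=0 ppid=11333 pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3" subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29875): avc:  denied  { write } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1184971654.232:29875): avc:  denied  { nlmsg_read } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29875): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfb47e34 a2=49db1ff4 a3=ffffffcc items=0 ppid=11333 pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3" subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1184971654.232:29876): avc:  denied  { read } for  pid=12010 comm="pop3" scontext=root:system_r:dovecot_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1184971654.232:29876): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfb47e34 a2=49db1ff4 a3=ffffffcc items=0 ppid=11333 pid=12010 auid=0 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) comm="pop3" exe="/usr/libexec/dovecot/pop3" subj=root:system_r:dovecot_t:s0 key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# i386 (arch=40000003) routes every socket call through syscall 102 (socketcall);
# a0 is the sub-call.  Only the five sub-calls that appear in the report are listed.
SOCKETCALL = {1: "socket", 2: "bind", 6: "getsockname", 11: "sendto", 17: "recvmsg"}

def _kv(text):
    """key=value pairs of an audit record; quotes around values like comm="pop3" are stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def context_type(ctx):
    """root:system_r:dovecot_t:s0 -> dovecot_t (the user:role:TYPE:range layout)."""
    return ctx.split(":")[2]

def parse_record(line):
    """("AVC", fields) or ("SYSCALL", fields) for one audit line, None for anything else."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    serial = int(m.group("serial"))
    if line.startswith("type=AVC "):
        a = AVC_RE.search(line)
        if a is None:
            return None
        f = _kv(a.group("rest"))
        return ("AVC", {"serial": serial, "perms": set(a.group("perms").split()),
                        "scontext": f["scontext"], "tcontext": f["tcontext"],
                        "tclass": f["tclass"], "comm": f.get("comm", "")})
    if line.startswith("type=SYSCALL "):
        f = _kv(line)
        f["serial"] = serial
        return ("SYSCALL", f)
    return None

def describe_syscall(f):
    if f.get("arch") == "40000003" and f.get("syscall") == "102":
        sub = int(f.get("a0", "0"), 16)              # audit prints a0..a3 in hex
        return "socketcall(%s)" % SOCKETCALL.get(sub, "#%d" % sub)
    return "syscall %s" % f.get("syscall", "?")

def te_rules(grouped):
    """(source type, target type, class) -> perms, rendered as TE allow rules audit2allow style."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt
        rules.append("allow %s %s:%s { %s };" % (src, target, cls, " ".join(sorted(perms))))
    return rules

def analyze(log_text):
    """Group denials like audit2allow and say whether each was enforced or only logged."""
    denials, syscalls = [], {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        kind, f = rec
        if kind == "AVC":
            denials.append(f)
        else:
            syscalls[f["serial"]] = f                # one SYSCALL record per event serial
    grouped, calls = defaultdict(set), []
    logged_only = enforced = unknown = 0
    for d in denials:
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        grouped[key] |= d["perms"]
        sc = syscalls.get(d["serial"])
        calls.append(describe_syscall(sc) if sc else "?")
        if sc is None:
            unknown += 1        # no SYSCALL record in the same event: cannot tell
        elif sc.get("success") == "yes":
            logged_only += 1    # "denied" yet the call succeeded: permissive mode (or domain)
        else:
            enforced += 1       # the call really failed: enforcing mode
    return {"denials": len(denials), "calls": calls, "logged_only": logged_only,
            "enforced": enforced, "unknown": unknown, "rules": te_rules(grouped)}

if __name__ == "__main__":
    for k, v in analyze(SAMPLE_AUDIT_LOG).items():
        print(k, v)
```

Two things worth reading off the output. The report speaks of five entries because there are five audit event serials (29872 to 29876), but event 29875 carries two AVC records, write and nlmsg_read, for the same sendto() of a routing request, so the rule has six permissions. And the generated `allow dovecot_t self:netlink_route_socket { ... }` line is what audit2allow would put in a local policy module as a workaround; the fix that closed this bug is the updated selinux-policy package named in Comment 1, not a locally generated rule.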
Comment 1 Tomas Janousek 2007-07-24 09:42:39 EDT
This was fixed in selinux-policy-2.4.6-52.el5 and will be fixed in the version
which will come with the RHEL 5.1 update.
Comment 2 Ronald Cole 2007-07-26 16:44:11 EDT
Where do I find selinux-policy-2.4.6-52.el5?  I'd like to test that it fixes my
problem BEFORE the 5.1 update.
Comment 3 Tomas Janousek 2007-07-27 05:59:49 EDT
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 4 Ronald Cole 2007-07-28 22:40:21 EDT
Well, I used the -76 flavors in that directory and, indeed, it fixed the problem.
Comment 5 Tomas Janousek 2007-08-04 11:17:59 EDT
Ok, closing. Thanks for your feedback.
