Bug 368061 - dovecot-1.0.6-0_62.fc7 start fails in selinux targeted enforcing mode
Summary: dovecot-1.0.6-0_62.fc7 start fails in selinux targeted enforcing mode
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-11-06 10:42 UTC by vikram goyal
Modified: 2008-01-30 19:06 UTC

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:06:07 UTC
Type: ---
Embargoed:


Description vikram goyal 2007-11-06 10:42:54 UTC
Description of problem:
Starting dovecot fails as it cannot create dovecot.log in /var/log/

Version-Release number of selected component (if applicable):
dovecot-1.0.6-0_62.fc7

How reproducible:
Unhash log_path: /var/log/dovecot.log in /etc/dovecot.conf and start dovecot service

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
[root@holycow ~]# dovecot -n
# 1.0.6: /etc/dovecot.conf
log_path: /var/log/dovecot.log
protocols: pop3s
ssl_cert_file: /etc/pki/tls/certs/dovecot.pem
ssl_key_file: /etc/pki/tls/certs/dovecot.pem
disable_plaintext_auth: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/pop3-login
mail_executable: /usr/libexec/dovecot/pop3
mail_plugin_dir: /usr/lib/dovecot/pop3
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd
-------------------------------------------------------------------
type=AVC msg=audit(1194344144.920:30): avc:  denied  { write } for  pid=6281
comm="dovecot" name="log" dev=dm-1 ino=753665
scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:var_log_t:s0
tclass=dir

[root@holycow ~]# ls -l /var/log/dovecot.log
ls: cannot access /var/log/dovecot.log: No such file or directory

[root@holycow ~]# ls -lZd /var/log
drwxr-xr-x  root root system_u:object_r:var_log_t      /var/log

Running in enforcing mode:
~~~~~~~~~~~~~~~~~~~~~~~~~~
selinux-policy-2.6.4-49.fc7
selinux-policy-targeted-2.6.4-49.fc7

Dovecot should be allowed to create its log file else it fails. If the bug
needs to be transferred to selinux, then please do so.

Thanks!
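
Added example, not part of the original report or of selinux-policy: a small Python parser that re-joins the hard-wrapped AVC record quoted above and reduces it to the type-enforcement rule form of the denied access. It shows that the denial is a write on the /var/log directory itself (tclass=dir, name="log"), which is why dovecot.log is never created. The function names are hypothetical; the sample input is the record from this report.

```python
import re

# Sample input: the denial from this report, hard-wrapped as it was posted.
SAMPLE = """type=AVC msg=audit(1194344144.920:30): avc:  denied  { write } for  pid=6281
comm="dovecot" name="log" dev=dm-1 ino=753665
scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:var_log_t:s0
tclass=dir"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per AVC record, tolerating hard-wrapped lines."""
    joined = " ".join(text.split())  # undo the line wrapping
    records = []
    # A new record starts at each "type=AVC".
    for chunk in re.split(r"(?=type=AVC\b)", joined):
        m = AVC_RE.search(chunk)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        rec = {"result": m.group("result"), "perms": m.group("perms").split()}
        rec.update(fields)
        # A context is user:role:type[:level]; the type is the third field.
        rec["source_type"] = fields["scontext"].split(":")[2]
        rec["target_type"] = fields["tcontext"].split(":")[2]
        records.append(rec)
    return records


def to_allow_rule(rec):
    """Restate the access in the record as a type-enforcement allow rule."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (rec["source_type"], rec["target_type"], rec["tclass"], p)


if __name__ == "__main__":
    for r in parse_avc(SAMPLE):
        print(r["comm"], r["result"], "->", to_allow_rule(r))
```

The rule produced here only restates the denied access; the report does not say which rule the fixed policy package added.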

Comment 1 Tomas Janousek 2007-11-06 12:16:54 UTC
Yeah, I think I'll reassign to selinux. I'm not sure whether we should allow
this configuration in the policy, though. It might be possible to configure
syslog to output dovecot things to separate logfile, but I don't know whether
syslog is allowed to open non-standard logfiles, either.

Comment 3 Daniel Walsh 2007-11-06 16:02:55 UTC
This is a bug caused by new functionality in dovecot. It will be
fixed in selinux-policy-2.6.4-54.fc7.src.rpm


Comment 4 Tomas Janousek 2007-11-06 16:06:20 UTC
Dan,
there's no problem with default configuration. As vikram said, he manually
configured dovecot to use /var/log/dovecot.log instead of the default syslog.
I'm not sure whether this kind of configuration should be supported in our
selinux-policy, so I'm leaving this up to you.

Regarding versions in f7 and f8, I built 1.0.7 for all fedora branches yesterday
and filed an update for f7 and f8. Now it's up to them which is pushed first.

Comment 5 Daniel Walsh 2007-11-06 16:33:32 UTC
Ok I will allow it since it seems reasonable.



Comment 6 Daniel Walsh 2008-01-30 19:06:07 UTC
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.

