Bug 368061 - dovecot-1.0.6-0_62.fc7 start fails in selinux targeted enforcing mode
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-11-06 10:42 UTC by vikram goyal
Modified: 2008-01-30 19:06 UTC (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:06:07 UTC

Description vikram goyal 2007-11-06 10:42:54 UTC
Description of problem:
Starting dovecot fails as it cannot create dovecot.log in /var/log/

Version-Release number of selected component (if applicable):

How reproducible:
Unhash log_path: /var/log/dovecot.log in /etc/dovecot.conf and start dovecot service

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
[root@holycow ~]# dovecot -n
# 1.0.6: /etc/dovecot.conf
log_path: /var/log/dovecot.log
protocols: pop3s
ssl_cert_file: /etc/pki/tls/certs/dovecot.pem
ssl_key_file: /etc/pki/tls/certs/dovecot.pem
disable_plaintext_auth: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/pop3-login
mail_executable: /usr/libexec/dovecot/pop3
mail_plugin_dir: /usr/lib/dovecot/pop3
auth default:
    driver: pam
    driver: passwd
type=AVC msg=audit(1194344144.920:30): avc:  denied  { write } for  pid=6281
comm="dovecot" name="log" dev=dm-1 ino=753665
scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:var_log_t:s0

[root@holycow ~]# ls -l /var/log/dovecot.log
ls: cannot access /var/log/dovecot.log: No such file or directory

[root@holycow ~]# ls -lZd /var/log
drwxr-xr-x  root root system_u:object_r:var_log_t      /var/log

Running in enforcing mode:

Dovecot should be allowed to create its log file else it fails. If the bug
needs to be transferred to selinux, then please do so.
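
An added example, not part of the original report or of any Fedora tool: a small Python parser for the AVC denial quoted in the description. It re-joins the wrapped lines and shows that the record as pasted carries no tclass field, so no audit2allow-style rule can be derived from it. The function names and the tclass=dir completion are assumptions.

```python
import re

# The denial exactly as pasted in the report, wrapped over three lines.
SAMPLE = (
    'type=AVC msg=audit(1194344144.920:30): avc:  denied  { write } for  pid=6281\n'
    'comm="dovecot" name="log" dev=dm-1 ino=753665\n'
    'scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:var_log_t:s0\n'
)
# Assumption: the pasted record was cut before tclass; name="log" with a
# var_log_t target suggests the /var/log directory, so tclass=dir is assumed.
COMPLETED = SAMPLE + ' tclass=dir'

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Parse one AVC record (possibly line-wrapped) into a dict, or None."""
    text = ' '.join(record.split())  # undo line wrapping and double spaces
    m = AVC_RE.search(text)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    out = {'result': m.group('result'), 'perms': m.group('perms').split()}
    out.update(fields)
    for ctx in ('scontext', 'tcontext'):
        # Context layout is user:role:type[:mls-range]; the range may hold ':'.
        parts = fields.get(ctx, '').split(':', 3)
        if len(parts) >= 3:
            out[ctx[0] + 'type'] = parts[2]  # stype / ttype
    return out

def summarize(avc):
    """Return (rule, note): the rule the denial maps to, or None and why not."""
    if avc is None or avc['result'] != 'denied':
        return None, 'not a denial'
    missing = [k for k in ('stype', 'ttype', 'tclass') if k not in avc]
    if missing:
        return None, 'incomplete record, missing: ' + ', '.join(missing)
    perms = ' '.join(avc['perms'])
    rule = 'allow %s %s:%s { %s };' % (avc['stype'], avc['ttype'], avc['tclass'], perms)
    return rule, 'complete'

if __name__ == '__main__':
    for label, rec in (('as pasted', SAMPLE), ('assumed tclass', COMPLETED)):
        print(label, '->', summarize(parse_avc(rec)))
```

The derived rule only restates what the denial asked for; whether to grant it is the policy decision discussed in the comments that follow.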


Comment 1 Tomas Janousek 2007-11-06 12:16:54 UTC
Yeah, I think I'll reassign to selinux. I'm not sure whether we should allow
this configuration in the policy, though. It might be possible to configure
syslog to output dovecot things to separate logfile, but I don't know whether
syslog is allowed to open non-standard logfiles, either.

Comment 3 Daniel Walsh 2007-11-06 16:02:55 UTC
This is a bug caused by new functionality in dovecot. It will be

Fixed in selinux-policy-2.6.4-54.fc7.src.rpm

Comment 4 Tomas Janousek 2007-11-06 16:06:20 UTC
There's no problem with default configuration. As vikram said, he manually
configured dovecot to use /var/log/dovecot.log instead of the default syslog.
I'm not sure whether this kind of configuration should be supported in our
selinux-policy, so I'm leaving this up to you.

Regarding versions in f7 and f8, I built 1.0.7 for all fedora branches yesterday
and filed an update for f7 and f8. Now it's up to them which is pushed first.

Comment 5 Daniel Walsh 2007-11-06 16:33:32 UTC
OK, I will allow it since it seems reasonable.

Comment 6 Daniel Walsh 2008-01-30 19:06:07 UTC
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.
