Bug 414891 - postfix cannot use dovecot's deliver LDA because of selinux
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.1
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Walsh
Depends On:
Blocks: 424091
Reported: 2007-12-06 16:49 EST by Max Kanat-Alexander
Modified: 2008-05-21 12:06 EDT
CC List: 2 users

See Also:
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 12:06:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
Attachments
My local.te (480 bytes, application/octet-stream)
2007-12-07 00:28 EST, Max Kanat-Alexander
Complete Audit Messages (3.97 KB, text/plain)
2007-12-11 14:19 EST, Max Kanat-Alexander

Description Max Kanat-Alexander 2007-12-06 16:49:49 EST
This bug is identical to bug 413841, but applies to RHEL5.
Comment 1 Max Kanat-Alexander 2007-12-06 17:46:59 EST
Here are the audit messages I get, in particular, on RHEL5:

type=AVC msg=audit(1196975865.063:103435): avc:  denied  { create } for 
pid=13559 comm="deliver" scontext=user_u:system_r:dovecot_deliver_t:s0
tcontext=user_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket


type=AVC msg=audit(1196976790.677:103459): avc:  denied  { getattr } for 
pid=14241 comm="deliver" path="/tmp" dev=sda3 ino=48955393
scontext=user_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir

And after those are handled, I get:

type=AVC msg=audit(1196980271.577:79): avc:  denied  { connect } for  pid=4121
comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket
Comment 2 Max Kanat-Alexander 2007-12-06 17:48:58 EST
And also:

type=AVC msg=audit(1196981326.569:87): avc:  denied  { write } for  pid=4480
comm="deliver" name="log" dev=tmpfs ino=6268
scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
Comment 3 Max Kanat-Alexander 2007-12-06 17:53:33 EST
And a few more:


type=AVC msg=audit(1196981431.525:90): avc:  denied  { sendto } for  pid=4530
comm="deliver" path="/dev/log" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket

type=AVC msg=audit(1196981498.470:94): avc:  denied  { write } for  pid=4561
comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket

Some of these extra ones allow deliver to write to syslog.
Comment 4 Daniel Walsh 2007-12-06 20:32:45 EST
If you create a policy module with

policy_module(mydovecot, 1.0)

gen_require(`
	# the LDA's domain is dovecot_deliver_t (the "_t" suffix was missing)
	type dovecot_deliver_t;
')

# deliver creates, connects and writes its own unix datagram sockets
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
# covers writing to /dev/log (devlog_t) and sending to syslogd_t
logging_send_syslog_msg(dovecot_deliver_t)

Compile and install it; does it solve your problem?
Comment 5 Max Kanat-Alexander 2007-12-07 00:18:26 EST
(In reply to comment #4)
> If you create a policy module with
> 
> policy_module(mydovecot, 1.0)

  I get a syntax error on that. (And I'm not familiar enough with the .te syntax
to know why.)

Comment 6 Max Kanat-Alexander 2007-12-07 00:28:13 EST
Created attachment 280631 [details]
My local.te

FWIW, this is the local.te that audit2allow generated for me based on the audit
messages I pasted here in this bug.
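The AVC denials in comments 1 to 3 and the local.te that audit2allow produces from them are two views of the same data. The following added example (not part of this bug or of the selinux-policy package) is a small Python script that does the same translation: it parses AVC lines into (source type, target type, class) groups, collapses the devlog_t/syslogd_t pair into the logging_send_syslog_msg() interface that comment 4 uses (the way audit2allow -R substitutes interfaces), and renders a .te module. The sample input is the denials quoted above, re-joined onto one line each as the audit log writes them; the module name mydovecot and the single-entry interface table are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials from comments 1-3 of this bug,
# each re-joined onto a single line (the audit log emits one line per event).
SAMPLE_AVCS = """\
type=AVC msg=audit(1196975865.063:103435): avc:  denied  { create } for pid=13559 comm="deliver" scontext=user_u:system_r:dovecot_deliver_t:s0 tcontext=user_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1196976790.677:103459): avc:  denied  { getattr } for pid=14241 comm="deliver" path="/tmp" dev=sda3 ino=48955393 scontext=user_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1196980271.577:79): avc:  denied  { connect } for  pid=4121 comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1196981326.569:87): avc:  denied  { write } for  pid=4480 comm="deliver" name="log" dev=tmpfs ino=6268 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1196981431.525:90): avc:  denied  { sendto } for  pid=4530 comm="deliver" path="/dev/log" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1196981498.470:94): avc:  denied  { write } for  pid=4561 comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket
"""

# Pull the denied permission set and the three fields an allow rule needs.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; ignore it
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


# Assumed interface table (one entry here): a set of raw (target, class)
# rules that an existing refpolicy interface already grants. The devlog_t
# sock_file write plus syslogd_t unix_dgram_socket sendto pair is what
# logging_send_syslog_msg() provides, as used in comment 4.
INTERFACES = [
    ("logging_send_syslog_msg", [("devlog_t", "sock_file"), ("syslogd_t", "unix_dgram_socket")]),
]


def render_te(rules, module="mydovecot", version="1.0"):
    """Render a .te module: gen_require block, allow rules, interface calls."""
    rules = dict(rules)  # private copy; matched raw rules are removed below
    sources = {src for (src, _, _) in rules}
    calls = []
    for name, needed in INTERFACES:
        for src in sorted(sources):
            keys = [(src, tgt, cls) for tgt, cls in needed]
            if all(k in rules for k in keys):
                for k in keys:
                    del rules[k]
                calls.append(f"{name}({src})")
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)} | sources)
    lines = [f"policy_module({module}, {version})", "", "gen_require(`"]
    lines += [f"\ttype {t};" for t in types]
    lines += ["')", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        lines.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    lines += calls
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_te(parse_avcs(SAMPLE_AVCS)), end="")
```

Because the output uses policy_module() and an interface call, it needs the reference-policy m4 macros: build it with the selinux-policy-devel Makefile (`make -f /usr/share/selinux/devel/Makefile mydovecot.pp`) and load it with `semodule -i mydovecot.pp`. The tmp_t dir rule that comes out for the /tmp denial is the one comment 10 argues should be fixed in dovecot rather than granted in policy.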
Comment 7 Daniel Walsh 2007-12-10 18:00:10 EST
Fixed in selinux-policy-2.4.6-107.el5
Comment 8 RHEL Product and Program Management 2007-12-10 18:04:37 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 9 Max Kanat-Alexander 2007-12-11 14:19:05 EST
Created attachment 284491 [details]
Complete Audit Messages

So, for messages below 256K, dovecot's deliver holds them only in memory, and
you just get the audit messages above.

However, for messages above 256K, it writes them to /tmp. Thus there are more
audit messages generated. I was getting lots of delivery failures locally and
wasn't sure why until I found these audit messages.
Comment 10 Daniel Walsh 2007-12-13 15:34:49 EST
Then this is really a bug in dovecot, since no system service should write
to /tmp.  /tmp can be written to by users, so therefore it should only be written
to by users.  Dovecot should write to /var/run for any temporary storage.

I will fix selinux policy to allow this in RHEL5 but this should be fixed in
future versions of dovecot.

Fixed in selinux-policy-2.4.6-107.el5
Comment 11 Max Kanat-Alexander 2007-12-13 15:42:37 EST
(In reply to comment #10)
> Then this is really a bug in dovecot, since no system service should write
> to /tmp.  /tmp can be written to by users, so therefore it should only be written
> to by users.  Dovecot should write to /var/run for any temporary storage.

  Hrm, or maybe /var/spool/ would be more appropriate. That's what the other
mail services do.
Comment 16 Daniel Walsh 2008-03-29 07:23:54 EDT
Fixed in selinux-policy-2.4.6-127
Comment 24 errata-xmlrpc 2008-05-21 12:06:16 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
