+++ This bug was initially created as a clone of Bug #414891 +++ This bug is identical to bug 413841, but applies to RHEL5. -- Additional comment from mkanat on 2007-12-06 17:46 EST -- Here are the audit messages I get, in particular, on RHEL5: type=AVC msg=audit(1196975865.063:103435): avc: denied { create } for pid=13559 comm="deliver" scontext=user_u:system_r:dovecot_deliver_t:s0 tcontext=user_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket type=AVC msg=audit(1196976790.677:103459): avc: denied { getattr } for pid=14241 comm="deliver" path="/tmp" dev=sda3 ino=48955393 scontext=user_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir And after those are handled, I get: type=AVC msg=audit(1196980271.577:79): avc: denied { connect } for pid=4121 comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket -- Additional comment from mkanat on 2007-12-06 17:48 EST -- And also: type=AVC msg=audit(1196981326.569:87): avc: denied { write } for pid=4480 comm="deliver" name="log" dev=tmpfs ino=6268 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file -- Additional comment from mkanat on 2007-12-06 17:53 EST -- And a few more: type=AVC msg=audit(1196981431.525:90): avc: denied { sendto } for pid=4530 comm="deliver" path="/dev/log" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket type=AVC msg=audit(1196981498.470:94): avc: denied { write } for pid=4561 comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket Some of these extra ones allow deliver to write to syslog. -- Additional comment from dwalsh on 2007-12-06 20:32 EST -- If you create a policy module with policy_module(mydovecot, 1.0) gen_requires(` type dovecot_deliver; ') allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; logging_send_syslog_msg(dovecot_deliver_t) Compile and install it, does it solve your problem? -- Additional comment from mkanat on 2007-12-07 00:18 EST -- (In reply to comment #4) > If you create a policy module with > > policy_module(mydovecot, 1.0) I get a syntax error on that. (And I'm not familiar enough with the .te syntax to know why.) -- Additional comment from mkanat on 2007-12-07 00:28 EST -- Created an attachment (id=280631) My local.te FWIW, this is the local.te that audit2allow generated for me based on the audit messages I pasted here in this bug. -- Additional comment from dwalsh on 2007-12-10 18:00 EST -- Fixed in selinux-policy-2.4.6-107.el5 -- Additional comment from pm-rhel on 2007-12-10 18:04 EST -- This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. -- Additional comment from mkanat on 2007-12-11 14:19 EST -- Created an attachment (id=284491) Complete Audit Messages So, for messages below 256K, dovecot's deliver holds them only in memory, and you just get the audit messages above. However, for messages above 256K, it writes them to /tmp. Thus there are more audit messages generated. I was getting lots of delivery failures locally and wasn't sure why until I found these audit messages. -- Additional comment from dwalsh on 2007-12-13 15:34 EST -- Then this is really a bug in dovecot then, since no system service should write to /tmp. /tmp can be written to by users so therefore it should only be written to by users. Dovecot should write to /var/run for any temporary storage. I will fix selinux policy to allow this in RHEL5 but this should be fixed in future versions of dovecot. Fixed in selinux-policy-2.4.6-107.el5
Dan, the fix for dovecot is really simple, but could you give me a pointer to some documentation for the statement "no system service should write into /tmp"? So I can send the patch upstream together with an explanation.
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
info about using /tmp are at http://danwalsh.livejournal.com/11467.html
I have taken this issue upstream and the answer is at http://www.dovecot.org/list/dovecot/2008-May/031080.html The deliver utility is a standalone program that gets called from MTA like postfix to provide local delivery into mailboxes that can take advantage from dovecot's file formats. So it is run from the MTA under its uid or even under the uids of individual local users and that could excuse the usage of /tmp. I think that from this point of view it is correct to use the RHEL approach also in Fedora - add dovecot_deliver_* types, etc.
dovecot deliver types exist.