Bug 424091 - postfix cannot use dovecot's deliver LDA because of selinux
postfix cannot use dovecot's deliver LDA because of selinux
Product: Fedora
Classification: Fedora
Component: dovecot (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Dan Horák
Fedora Extras Quality Assurance
Depends On: 414891
  Show dependency treegraph
Reported: 2007-12-13 15:35 EST by Daniel Walsh
Modified: 2008-06-04 12:28 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-06-04 12:28:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Daniel Walsh 2007-12-13 15:35:39 EST
+++ This bug was initially created as a clone of Bug #414891 +++

This bug is identical to bug 413841, but applies to RHEL5.

-- Additional comment from mkanat@bugzilla.org on 2007-12-06 17:46 EST --
Here are the audit messages I get, in particular, on RHEL5:

type=AVC msg=audit(1196975865.063:103435): avc:  denied  { create } for 
pid=13559 comm="deliver" scontext=user_u:system_r:dovecot_deliver_t:s0
tcontext=user_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket

type=AVC msg=audit(1196976790.677:103459): avc:  denied  { getattr } for 
pid=14241 comm="deliver" path="/tmp" dev=sda3 ino=48955393
tcontext=system_u:object_r:tmp_t:s0 tclass=dir

And after those are handled, I get:

type=AVC msg=audit(1196980271.577:79): avc:  denied  { connect } for  pid=4121
comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket

-- Additional comment from mkanat@bugzilla.org on 2007-12-06 17:48 EST --
And also:

type=AVC msg=audit(1196981326.569:87): avc:  denied  { write } for  pid=4480
comm="deliver" name="log" dev=tmpfs ino=6268
tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file

-- Additional comment from mkanat@bugzilla.org on 2007-12-06 17:53 EST --
And a few more:

type=AVC msg=audit(1196981431.525:90): avc:  denied  { sendto } for  pid=4530
comm="deliver" path="/dev/log" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket

type=AVC msg=audit(1196981498.470:94): avc:  denied  { write } for  pid=4561
comm="deliver" scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=unix_dgram_socket

Some of these extra ones allow deliver to write to syslog.

-- Additional comment from dwalsh@redhat.com on 2007-12-06 20:32 EST --
If you create a policy module with

policy_module(mydovecot, 1.0)
                 type dovecot_deliver;

allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;

Compile and install it, does it solve your problem?

-- Additional comment from mkanat@bugzilla.org on 2007-12-07 00:18 EST --
(In reply to comment #4)
> If you create a policy module with
> policy_module(mydovecot, 1.0)

  I get a syntax error on that. (And I'm not familiar enough with the .te syntax
to know why.)

-- Additional comment from mkanat@bugzilla.org on 2007-12-07 00:28 EST --
Created an attachment (id=280631)
My local.te

FWIW, this is the local.te that audit2allow generated for me based on the audit
messages I pasted here in this bug.

-- Additional comment from dwalsh@redhat.com on 2007-12-10 18:00 EST --
Fixed in selinux-policy-2.4.6-107.el5

-- Additional comment from pm-rhel@redhat.com on 2007-12-10 18:04 EST --
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

-- Additional comment from mkanat@bugzilla.org on 2007-12-11 14:19 EST --
Created an attachment (id=284491)
Complete Audit Messages

So, for messages below 256K, dovecot's deliver holds them only in memory, and
you just get the audit messages above.

However, for messages above 256K, it writes them to /tmp. Thus there are more
audit messages generated. I was getting lots of delivery failures locally and
wasn't sure why until I found these audit messages.

-- Additional comment from dwalsh@redhat.com on 2007-12-13 15:34 EST --
Then this is really a bug in dovecot then, since no system service should write
to /tmp.  /tmp can be written to by users so therefore it should only be written
to by users.  Dovecot should write to /var/run for any temporary storage.

I will fix selinux policy to allow this in RHEL5 but this should be fixed in
future versions of dovecot.

Fixed in selinux-policy-2.4.6-107.el5
Comment 1 Dan Horák 2008-05-07 02:44:54 EDT
Dan, the fix for dovecot is really simple, but could you give me a pointer to
some documentation for the statement "no system service should write into /tmp"?
So I can send the patch upstream together with an explanation.
Comment 2 Bug Zapper 2008-05-14 00:11:56 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Comment 3 Dan Horák 2008-05-29 06:45:18 EDT
info about using /tmp are at http://danwalsh.livejournal.com/11467.html
Comment 4 Dan Horák 2008-06-04 05:59:16 EDT
I have taken this issue upstream and the answer is at
http://www.dovecot.org/list/dovecot/2008-May/031080.html The deliver utility is
a standalone program that gets called from MTA like postfix to provide local
delivery into mailboxes that can take advantage from dovecot's file formats. So
it is run from the MTA under its uid or even under the uids of individual local
users and that could excuse the usage of /tmp. I think that from this point of
view it is correct to use the RHEL approach also in Fedora - add
dovecot_deliver_* types, etc.
Comment 5 Daniel Walsh 2008-06-04 11:24:38 EDT
dovecot deliver types exist.

Note You need to log in before you can comment on or make changes to this bug.