Bug 440362 - selinux preventing dovecot from read/write of Maildir files on NFS home
selinux preventing dovecot from read/write of Maildir files on NFS home
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
8
All Linux
low Severity high
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-02 22:52 EDT by Kahlil Hodgson
Modified: 2008-04-11 12:11 EDT (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-11 12:11:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kahlil Hodgson 2008-04-02 22:52:22 EDT
I've had to set my mail server to permissive mode because 
the targeted policy is preventing dovecot's IMAPS server from 
reading or writing files under ~/Maildir on a NFS mounted home.
Postfix seems to be able to put them there without generating warnings.

I set use_nfs_home_dirs=1 and restarted the server but no luck.

<kal@willow:~> getsebool -a | grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
httpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
samba_share_nfs --> off
use_nfs_home_dirs --> on
xen_use_nfs --> off
<kal@willow:~> 


Additional Information:

Source Context                unconfined_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                ./dovecot.index.tmp [ file ]
Source                        imap
Source Path                   /usr/libexec/dovecot/imap
Port                          <Unknown>
Host                          willow.finexium.com
Source RPM Packages           dovecot-1.0.13-6.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   use_nfs_home_dirs
Host Name                     willow.finexium.com
Platform                      Linux willow.finexium.com 2.6.24.3-50.fc8 #1 SMP
                              Thu Mar 20 13:39:08 EDT 2008 x86_64 x86_64
Alert Count                   32
First Seen                    Tue Apr  1 17:19:44 2008
Last Seen                     Thu Apr  3 13:30:12 2008
Local ID                      e7cffb6f-1538-4570-88e7-b8fd33b35e8b
Line Numbers                  

Raw Audit Messages            

host=willow.finexium.com type=AVC msg=audit(1207189812.600:7765): avc:  denied 
{ rename } for  pid=24562 comm="imap" name="dovecot.index.tmp" dev=0:11
ino=1284039 scontext=unconfined_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file

host=willow.finexium.com type=SYSCALL msg=audit(1207189812.600:7765):
arch=c000003e syscall=82 success=yes exit=0 a0=6c5f00 a1=6c2720 a2=33 a3=0
items=0 ppid=7444 pid=24562 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="imap"
exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-04-07 23:07:08 EDT

Fixed in selinux-policy-3.0.8-98.fc8
Comment 2 Kahlil Hodgson 2008-04-10 22:37:12 EDT
Thanks for the prompt response :-).  I just installed
selinux-policy-3.0.8-98.fc8 from updates-testing.  Restarted dovecot.  
I'm still get what looks like more or less the same error.  Do I need to reboot
the server or change some contexts?

----

Source Context                unconfined_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                ./1207881004.P25707Q1.willow.finexium.com:2,a [
                              file ]
Source                        imap
Source Path                   /usr/libexec/dovecot/imap
Port                          <Unknown>
Host                          willow.finexium.com
Source RPM Packages           dovecot-1.0.13-6.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-98.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   use_nfs_home_dirs
Host Name                     willow.finexium.com
Platform                      Linux willow.finexium.com 2.6.24.4-64.fc8 #1 SMP
                              Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri Apr 11 12:33:40 2008
Last Seen                     Fri Apr 11 12:33:40 2008
Local ID                      9e6e8a4e-c3f2-4567-8dff-184ace095b56
Line Numbers                  

Raw Audit Messages            

host=willow.finexium.com type=AVC msg=audit(1207881220.66:20717): avc:  denied 
{ rename } for  pid=28086 comm="imap"
name="1207881004.P25707Q1.willow.finexium.com:2,a" dev=0:17 ino=1278217
scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0
tclass=file

host=willow.finexium.com type=SYSCALL msg=audit(1207881220.66:20717):
arch=c000003e syscall=82 success=yes exit=0 a0=698788 a1=6989f8 a2=75e0
a3=78656e69662e776f items=0 ppid=28076 pid=28086 auid=500 uid=500 gid=500
euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="imap"
exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

Comment 3 Kahlil Hodgson 2008-04-10 22:44:18 EDT
Doh! <Kal slaps forehead in acknowledgment of stupidity>

I just installed  selinux-policy-targeted.noarch 0:3.0.8-98.fc8 as well and it
appears to solve the problem :-)

Great work Daniel!  Your efforts at keeping the Fedora community secure are
greatly appreciated.  Must buy you a beer next time you are in Port Melbourne.

Cheers!

Kal

Note You need to log in before you can comment on or make changes to this bug.