Bug 448552 - dovecot gssapi auth needs access to /var/tmp/imap_0
dovecot gssapi auth needs access to /var/tmp/imap_0
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: dovecot (Show other bugs)
9
All Linux
low Severity low
: ---
: ---
Assigned To: Dan Horák
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-27 12:44 EDT by Kostas Georgiou
Modified: 2008-06-06 04:23 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-06 04:23:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kostas Georgiou 2008-05-27 12:44:48 EDT
Here are the AVCs when /var/tmp/imap_0 is missing:

type=AVC msg=audit(1211906510.786:25453): avc:  denied  { write } for  pid=18414
comm="dovecot-auth" name="tmp" dev=dm-4 ino=1474561
scontext=unconfined_u:system_r:dovecot_auth_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1211906510.786:25453): avc:  denied  { add_name } for 
pid=18414 comm="dovecot-auth" name="imap_0"
scontext=unconfined_u:system_r:dovecot_auth_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1211906510.786:25453): avc:  denied  { create } for 
pid=18414 comm="dovecot-auth" name="imap_0"
scontext=unconfined_u:system_r:dovecot_auth_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1211906510.786:25453): avc:  denied  { write } for  pid=18414
comm="dovecot-auth" name="imap_0" dev=dm-4 ino=1474669
scontext=unconfined_u:system_r:dovecot_auth_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

And the AVC after /var/tmp/imap_0 was created from a previous run:
type=AVC msg=audit(1211906312.306:25436): avc:  denied  { read write } for 
pid=18414 comm="dovecot-auth" name="imap_0" dev=dm-4 ino=1474670
scontext=unconfined_u:system_r:dovecot_auth_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
Comment 1 Daniel Walsh 2008-05-27 13:21:42 EDT
What is this file and what is it's purpose?
Comment 2 Kostas Georgiou 2008-05-27 14:05:52 EDT
Well my kerberos knowledge isn't great but here it goes:
All kerberos services use a service principal of the form service/hostname to
authenticate themselves to the applications. At startup (and every time the
ticket expires) they authenticate with the kerberos server and get a new ticket
which is stored in the ticket cache /var/tmp/service_uid. 

Here is an list of ticket caches that I have under /var/tmp from various machines
-rw-------  root root system_u:object_r:krb5_host_rcache_t:s0 host_0
-rw-------  cyrus mail unconfined_u:object_r:cyrus_tmp_t:s0 imap_76
-rw-------  root root system_u:object_r:kadmind_tmp_t:s0 kadmin_0
-rw-------  root root unconfined_u:object_r:krb5kdc_tmp_t:s0 krb5kdc_rcache
-rw-------  ldap ldap root:object_r:slapd_tmp_t:s0     ldap_55
-rw-------  root root system_u:object_r:gssd_tmp_t:s0  nfs_0
-rw-------  cyrus mail system_u:object_r:cyrus_tmp_t:s0 sieve_76
-rw-------  root root unconfined_u:object_r:tmp_t      imap_0

Note the imap_76 (cyrus imap server which runs as cyrus by default) and imap_0
from dovecot which runs as root (if the dovecore auth process isn't running as
root it might show as imap_97 as well but I haven't tried that). If pop is
enabled dovecot will probably need access to pop_XX as well but I don't run pop
so I can't confirm this.

I hope this makes sense.
Comment 3 Daniel Walsh 2008-05-27 14:15:53 EDT
Fixed in selinux-policy-3.3.1-56.fc9

Note You need to log in before you can comment on or make changes to this bug.