Bug 448552 - dovecot gssapi auth needs access to /var/tmp/imap_0
Summary: dovecot gssapi auth needs access to /var/tmp/imap_0
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: dovecot
Version: 9
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-05-27 16:44 UTC by Kostas Georgiou
Modified: 2008-06-06 08:23 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-06 08:23:12 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Kostas Georgiou 2008-05-27 16:44:48 UTC
Here are the AVCs when /var/tmp/imap_0 is missing:

type=AVC msg=audit(1211906510.786:25453): avc:  denied  { write } for  pid=18414
comm="dovecot-auth" name="tmp" dev=dm-4 ino=1474561
scontext=unconfined_u:system_r:dovecot_auth_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1211906510.786:25453): avc:  denied  { add_name } for 
pid=18414 comm="dovecot-auth" name="imap_0"
scontext=unconfined_u:system_r:dovecot_auth_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1211906510.786:25453): avc:  denied  { create } for 
pid=18414 comm="dovecot-auth" name="imap_0"
scontext=unconfined_u:system_r:dovecot_auth_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1211906510.786:25453): avc:  denied  { write } for  pid=18414
comm="dovecot-auth" name="imap_0" dev=dm-4 ino=1474669
scontext=unconfined_u:system_r:dovecot_auth_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

And the AVC after /var/tmp/imap_0 was created from a previous run:
type=AVC msg=audit(1211906312.306:25436): avc:  denied  { read write } for 
pid=18414 comm="dovecot-auth" name="imap_0" dev=dm-4 ino=1474670
scontext=unconfined_u:system_r:dovecot_auth_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

Comment 1 Daniel Walsh 2008-05-27 17:21:42 UTC
What is this file and what is it's purpose?

Comment 2 Kostas Georgiou 2008-05-27 18:05:52 UTC
Well my kerberos knowledge isn't great but here it goes:
All kerberos services use a service principal of the form service/hostname to
authenticate themselves to the applications. At startup (and every time the
ticket expires) they authenticate with the kerberos server and get a new ticket
which is stored in the ticket cache /var/tmp/service_uid. 

Here is an list of ticket caches that I have under /var/tmp from various machines
-rw-------  root root system_u:object_r:krb5_host_rcache_t:s0 host_0
-rw-------  cyrus mail unconfined_u:object_r:cyrus_tmp_t:s0 imap_76
-rw-------  root root system_u:object_r:kadmind_tmp_t:s0 kadmin_0
-rw-------  root root unconfined_u:object_r:krb5kdc_tmp_t:s0 krb5kdc_rcache
-rw-------  ldap ldap root:object_r:slapd_tmp_t:s0     ldap_55
-rw-------  root root system_u:object_r:gssd_tmp_t:s0  nfs_0
-rw-------  cyrus mail system_u:object_r:cyrus_tmp_t:s0 sieve_76
-rw-------  root root unconfined_u:object_r:tmp_t      imap_0

Note the imap_76 (cyrus imap server which runs as cyrus by default) and imap_0
from dovecot which runs as root (if the dovecore auth process isn't running as
root it might show as imap_97 as well but I haven't tried that). If pop is
enabled dovecot will probably need access to pop_XX as well but I don't run pop
so I can't confirm this.

I hope this makes sense.

Comment 3 Daniel Walsh 2008-05-27 18:15:53 UTC
Fixed in selinux-policy-3.3.1-56.fc9


Note You need to log in before you can comment on or make changes to this bug.