Bug 506880 - SELinux denial : dovecot vs. samba_share_t - mounted not relevant directories
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: dovecot
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Michal Hlavinka
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-06-19 01:00 EDT by Braden McDaniel
Modified: 2010-04-22 07:45 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-04-22 07:45:59 EDT
Attachments:
/etc/dovecot.conf (49.46 KB, application/octet-stream), 2009-06-19 10:46 EDT, Braden McDaniel
'getsetbool -a' output (6.81 KB, text/plain), 2009-10-26 11:45 EDT, Pavel Zhukov

Description Braden McDaniel 2009-06-19 01:00:08 EDT
Description of problem:
I'm getting SELinux denial messages when I read mail in Evolution on a local IMAP server:

  SELinux is preventing dovecot (dovecot_t) "getattr" samba_share_t.

Version-Release number of selected component (if applicable):
1.2-0.rc3.1.fc11

How reproducible:
Consistently.

Additional info:

Here is the complete alert text:


Summary:

SELinux is preventing dovecot (dovecot_t) "getattr" samba_share_t.

Detailed Description:

SELinux denied access requested by dovecot. It is not expected that this access
is required by dovecot and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                /share [ dir ]
Source                        dovecot
Source Path                   /usr/sbin/dovecot
Port                          <Unknown>
Host                          hinge.endoframe.net
Source RPM Packages           dovecot-1.2-0.rc3.1.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-45.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hinge.endoframe.net
Platform                      Linux hinge.endoframe.net 2.6.29.4-167.fc11.x86_64
                              #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 19 Jun 2009 12:51:35 AM EDT
Last Seen                     Fri 19 Jun 2009 12:51:35 AM EDT
Local ID                      75a547fe-3b15-482e-926e-79d8f931bf1a
Line Numbers                  

Raw Audit Messages            

node=hinge.endoframe.net type=AVC msg=audit(1245387095.321:34828): avc:  denied  { getattr } for  pid=5631 comm="dovecot" path="/share" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir

node=hinge.endoframe.net type=SYSCALL msg=audit(1245387095.321:34828): arch=c000003e syscall=4 success=no exit=-13 a0=e98bdd a1=7fff2bb16180 a2=7fff2bb16180 a3=3 items=0 ppid=5592 pid=5631 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=100 sgid=0 fsgid=100 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=(null)
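The two raw audit records above are the most useful part of the report, because they can be parsed mechanically and correlated: the AVC record carries the source and target types, the permission and the path, and the SYSCALL record with the same serial number carries the executable and the failed syscall's return value. The following is an added example written for this page; it is not code from the report, from dovecot or from setroubleshoot. It feeds the two lines from the report through a small parser, joins them by serial number, and flags the dovecot_t / samba_share_t pair this bug is about so that the label gets checked before anyone reaches for an allow rule. The `SUSPECT_PAIRS` set and the wording of the triage note are this example's own assumptions.

```python
"""Parse raw SELinux AVC/SYSCALL audit records and flag domain/type pairs that
deserve a label check before anyone writes an allow rule.
Added example for this bug page; not part of dovecot, setroubleshoot or the report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The two raw audit lines from the report above (the page's own data, copied verbatim).
SAMPLE_AUDIT = (
    'node=hinge.endoframe.net type=AVC msg=audit(1245387095.321:34828): avc:  denied  '
    '{ getattr } for  pid=5631 comm="dovecot" path="/share" dev=dm-2 ino=2 '
    'scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir\n'
    'node=hinge.endoframe.net type=SYSCALL msg=audit(1245387095.321:34828): arch=c000003e '
    'syscall=4 success=no exit=-13 a0=e98bdd a1=7fff2bb16180 a2=7fff2bb16180 a3=3 items=0 '
    'ppid=5592 pid=5631 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=100 sgid=0 '
    'fsgid=100 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" '
    'subj=system_u:system_r:dovecot_t:s0 key=(null)\n'
)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"
_PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
_SERIAL = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # audit(<timestamp>:<serial>)


def selinux_type(context: str) -> str:
    """Type field of user:role:type[:range]; the range may itself contain ':'."""
    return context.split(":")[2]


@dataclass
class AvcRecord:
    serial: str                  # audit event serial; the SYSCALL record shares it
    result: str                  # "denied" or "granted"
    perms: List[str]             # e.g. ["getattr"]
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def source_type(self) -> str:
        return selinux_type(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return selinux_type(self.fields["tcontext"])


def parse_audit(text: str) -> List[AvcRecord]:
    """Collect AVC records and enrich each one with exe/syscall/success/exit
    taken from the SYSCALL record that carries the same serial number."""
    avcs: List[AvcRecord] = []
    syscalls: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        m = _SERIAL.search(line)
        serial = m.group(1) if m else ""
        if fields.get("type") == "AVC":
            pm = _PERMS.search(line)
            if pm:
                avcs.append(AvcRecord(serial, pm.group(1), pm.group(2).split(), fields))
        elif fields.get("type") == "SYSCALL":
            syscalls[serial] = fields
    for rec in avcs:
        for key in ("exe", "syscall", "success", "exit"):
            if key in syscalls.get(rec.serial, {}):
                rec.fields.setdefault(key, syscalls[rec.serial][key])
    return avcs


# Domain/type pairs that, in this report, pointed at a labelling problem rather than a
# genuine need for access (assumption of this example; extend it for your own hosts).
SUSPECT_PAIRS: Set[Tuple[str, str]] = {("dovecot_t", "samba_share_t")}


def triage(rec: AvcRecord, suspect_pairs=SUSPECT_PAIRS) -> Optional[str]:
    """Return a triage note for denials that match a suspect pair, else None."""
    if rec.result != "denied" or (rec.source_type, rec.target_type) not in suspect_pairs:
        return None
    return (
        f"{rec.fields.get('comm', '?')} ({rec.source_type}) denied "
        f"{{ {' '.join(rec.perms)} }} on {rec.fields.get('tclass', '?')} "
        f"{rec.fields.get('path', '?')} labelled {rec.target_type}: "
        "verify the label with 'ls -Z' and 'matchpathcon' before allowing anything"
    )


if __name__ == "__main__":
    for rec in parse_audit(SAMPLE_AUDIT):
        print(triage(rec) or f"{rec.serial}: {rec.source_type} -> {rec.target_type} ok")
```

Run against the two records above it prints one note naming dovecot, `{ getattr }`, the dir `/share` and the `samba_share_t` label; `exit=-13` from the joined SYSCALL record is the EACCES that Evolution sees as a failed stat.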
Comment 1 Michal Hlavinka 2009-06-19 09:36:42 EDT
Thanks for the report. Can you please attach your /etc/dovecot.conf file and the output of:

mount

Thanks.
Comment 2 Braden McDaniel 2009-06-19 10:46:17 EDT
Created attachment 348673 [details]
/etc/dovecot.conf
Comment 3 Braden McDaniel 2009-06-19 10:47:48 EDT
$ mount
/dev/sda3 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw)
/dev/mapper/VolGroup00-lvol1 on /revisions type ext4 (rw)
/dev/sda1 on /boot type ext3 (rw)
/dev/mapper/VolGroup00-lvol2 on /share type ext4 (rw)
/dev/mapper/VolGroup00-lvol0 on /home type ext4 (rw)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
gvfs-fuse-daemon on /home/braden/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=braden)
Comment 4 Michal Hlavinka 2009-07-01 08:32:53 EDT
Well... this seems odd. Why does /share have the samba context, and especially why does dovecot try to access /share? I can't see anything related to /share in dovecot.conf.

What is /share used for on your system? Do you know why dovecot should look in /share? Do you use any symbolic links or something?
Comment 5 Braden McDaniel 2009-07-01 14:29:33 EDT
/share has the samba context because it's shared using samba.

I have no idea why dovecot would be looking there.  As you can see, the dovecot configuration has very few changes from the Fedora installation defaults.  IMAP folders are in ~/Maildir, configuration is in /etc.
Comment 6 Michal Hlavinka 2009-07-07 09:55:24 EDT
What do you use /share for? Is it possible there is something related to dovecot in it? Do you use any dovecot sieve plugin? Is your system used by only one user, or are there more users working remotely at the same time? Could you try to find out where exactly this SELinux message occurs? Logging in, opening email, deleting, moving, sending, ...
Comment 7 Michal Hlavinka 2009-08-27 07:26:32 EDT
This bug has been in NEEDINFO state for almost one month. Without the requested information, it will be closed next week as INSUFFICIENT_DATA.
Comment 8 Braden McDaniel 2009-08-27 11:43:49 EDT
/share is made available as an NFS and Samba mount.  There are some symlinks from various places in my home directory to things in /share; but just arbitrary places that I wouldn't expect dovecot to look (e.g., ~/Packages is a symlink to /share/Packages).

I am using dovecot-sieve-1.2.0-1.

There is only one remote user.

It appears to happen when checking e-mail the first time after dovecot has been (re)started; though I seem unable to reproduce it 100% of the time.
Comment 9 Michal Hlavinka 2009-08-28 10:19:11 EDT
Please attach dovecot's log (/var/log/maillog).

If you are using SELinux in enforcing mode ('getenforce' returns Enforcing), does this SELinux denial prevent dovecot from functioning, or does it work without any problem?

If you are using SELinux in permissive mode, try to umount /share (if possible), read your emails and check for error messages in dovecot's log.
Comment 10 Pavel Zhukov 2009-10-25 01:27:51 EDT
I have the same problem.
Red Hat Enterprise Linux 5.4
I installed samba yesterday and share /mnt/hard only. After this, dovecot (IMAPS) doesn't work properly.

/var/log/messages
setroubleshoot: SELinux is preventing imap (dovecot_t) "search" to ./mail (samba_share_t). For complete SELinux messages. run sealert -l 4f85fc01-efbc-4315-9e01-909407e00986

/var/log/maillog

Oct 25 08:10:13 ipa dovecot: auth(default): client in: AUTH     1       PLAIN   service=IMAP    secured lip=::ffff:192.168.0.1  rip=::ffff:192.168.0.2  resp=<hidden>
Oct 25 08:10:13 ipa dovecot: auth(default): pam(user,::ffff:192.168.0.2): lookup service=dovecot
Oct 25 08:10:14 ipa dovecot: auth(default): client out: OK      1       user=user
Oct 25 08:10:14 ipa dovecot: auth(default): master in: REQUEST  6       8057    1
Oct 25 08:10:14 ipa dovecot: auth(default): passwd(user,::ffff:192.168.0.2): lookup
Oct 25 08:10:14 ipa dovecot: auth(default): master out: USER    6       user   system_user=user       uid=1000        gid=500 home=/home/user
Oct 25 08:10:14 ipa dovecot: imap-login: Login: user=<user>, method=PLAIN, rip=::ffff:192.168.0.2, lip=::ffff:192.168.0.1, TLS
Oct 25 08:10:14 ipa dovecot: IMAP(user): Effective uid=1000, gid=500, home=/home/user
Oct 25 08:10:14 ipa dovecot: IMAP(user): maildir autodetect: stat(/var/spool/mail/user/cur) failed: Permission denied
Oct 25 08:10:14 ipa dovecot: IMAP(user): mbox autodetect: data=/var/spool/mail/user
Oct 25 08:10:14 ipa dovecot: IMAP(user): mbox autodetect: INBOX file: stat(/var/spool/mail/user) failed: Permission denied
Oct 25 08:10:14 ipa dovecot: IMAP(user): mbox autodetect: has .imap/: stat(/var/spool/mail/user/.imap) failed: Permission denied
Oct 25 08:10:14 ipa dovecot: IMAP(user): mbox autodetect: has inbox: stat(/var/spool/mail/user/inbox) failed: Permission denied
Oct 25 08:10:14 ipa dovecot: IMAP(user): mbox autodetect: has mbox: stat(/var/spool/mail/user/mbox) failed: Permission denied
Oct 25 08:10:14 ipa dovecot: IMAP(user): Ambiguous mail location setting, don't know what to do with it: /var/spool/mail/user (try prefixing it with mbox: or maildir:)
Oct 25 08:10:14 ipa dovecot: IMAP(user): Mail storage creation failed with mail_location: /var/spool/mail/user
Oct 25 08:10:14 ipa dovecot: child 8068 (imap) returned error 89

/etc/dovecot.conf
mail_location =/var/spool/mail/%u


If I disable SELinux (setenforce 0), dovecot works properly.
Comment 11 Michal Hlavinka 2009-10-26 10:17:42 EDT
Hi, I've tried to reproduce with these steps:

1) installed dovecot, changed mail_location to /var/spool/mail/%u
2) created /mnt/hard with some content and changed its context to system_u:object_r:samba_share_t:s0
3) added new testuser
4) configured samba to export /mnt/hard, set up test user's passwords
5) started samba and dovecot
6) sent some email to this user, removed the mailbox, restarted dovecot, sent mail again
7) opened the mail with a mail client

but was not able to reproduce this. Do you see any major difference between my steps and your configuration?

Can you trace down what exactly causes this problem? Starting dovecot? Logging in as some user? Sending email? Or something else... ?


Please attach the output of:

getsebool -a

Thanks.
Comment 12 Pavel Zhukov 2009-10-26 11:45:48 EDT
Created attachment 366116 [details]
'getsetbool -a' output
Comment 13 Pavel Zhukov 2009-10-26 11:48:49 EDT
Hi, 

Some strange things:

[root@ipa ~]# ls -Z /var/spool/ | grep mail
drwxrwxr-x  root   mail   system_u:object_r:samba_share_t  mail
[root@ipa ~]# restorecon /var/spool/mail
[root@ipa ~]# ls -Z /var/spool/ | grep mail
drwxrwxr-x  root   mail   system_u:object_r:samba_share_t  mail


What context must the mail dir have?
Comment 14 Pavel Zhukov 2009-10-26 11:52:39 EDT
So, I have done 

# chcon -t mail_spool_t /var/spool/mail

After this, dovecot works properly. Why has the context of /var/spool/mail been changed?
Comment 15 Michal Hlavinka 2009-10-29 06:42:36 EDT
That's odd; it looks like some SELinux policy is wrong. CCing mgrepl for the SELinux part.
Comment 16 Miroslav Grepl 2009-11-19 10:07:40 EST
I am not sure how the /var/spool/mail directory got this bad label. What is the output of the command:

matchpathcon /var/spool/mail
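Comments 13 through 16 circle around one question: is /var/spool/mail merely mislabeled, so that `restorecon` would fix it, or does the loaded policy's own file-context rule say samba_share_t for that path, so that `restorecon` (as in comment 13) changes nothing and `matchpathcon` is the right thing to look at next? Three values decide it: the label on disk (`ls -Z`), the label the policy expects (`matchpathcon`), and the type the service actually needs (mail_spool_t, from the chcon in comment 14). The following is an added example for this page, not code from any of the commenters or from selinux-policy; it parses both outputs and returns a verdict. The `ls -Z` line is the one pasted in comment 13 (RHEL 5 prints contexts without an MLS level, so only the type field is compared); the two `matchpathcon` lines are constructed to show both possible outcomes, and the verdict names and advice strings are this example's own.

```python
"""Tell a mislabeled path apart from a wrong file-context rule by comparing the
on-disk label (ls -Z), the label the loaded policy expects (matchpathcon) and
the type the service needs. Added example for this bug page; not project code."""
from typing import Tuple

# Pasted from comment 13 above (RHEL 5 prints contexts without the MLS level).
LS_Z_LINE = "drwxrwxr-x  root   mail   system_u:object_r:samba_share_t  mail"

# Constructed `matchpathcon /var/spool/mail` outputs for the two outcomes a reader
# could get back; matchpathcon prints "<path><TAB><context>".
MATCHPATHCON_OK = "/var/spool/mail\tsystem_u:object_r:mail_spool_t:s0"
MATCHPATHCON_BAD = "/var/spool/mail\tsystem_u:object_r:samba_share_t:s0"

# The type dovecot needed here, taken from the chcon in comment 14.
REQUIRED_TYPE = "mail_spool_t"


def selinux_type(context: str) -> str:
    """Type component of user:role:type[:range]; works with or without an MLS range."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]


def parse_ls_z(line: str) -> Tuple[str, str]:
    """(name, context) from one `ls -Z` line laid out as: mode user group context name."""
    parts = line.split()
    ctx = next(p for p in parts if p.count(":") >= 2)
    return parts[-1], ctx


def parse_matchpathcon(line: str) -> Tuple[str, str]:
    """(path, context) from one `matchpathcon` output line."""
    path, ctx = line.rstrip("\n").split("\t", 1)
    return path, ctx.strip()


def diagnose(observed_ctx: str, expected_ctx: str, required_type: str) -> Tuple[str, str]:
    """Return (verdict, advice). Verdicts: ok, mislabeled, fcontext_wrong, unexpected."""
    observed, expected = selinux_type(observed_ctx), selinux_type(expected_ctx)
    if observed == required_type:
        return "ok", f"label {observed} already matches what the service needs"
    if expected == required_type:
        # File drifted from what the policy says: a plain relabel puts it back.
        return "mislabeled", (f"on-disk label {observed} differs from the policy's {expected}; "
                              "'restorecon -v <path>' will relabel it")
    if expected == observed:
        # Policy and disk agree on the wrong type, so restorecon is a no-op.
        return "fcontext_wrong", (f"the policy itself maps this path to {expected}, so restorecon "
                                  "changes nothing; check 'semanage fcontext -l' for a local rule "
                                  "covering the path, otherwise report it against selinux-policy")
    return "unexpected", (f"on-disk {observed}, policy {expected}, service needs "
                          f"{required_type}; inspect by hand")


def check(ls_z_line: str, matchpathcon_line: str, required_type: str = REQUIRED_TYPE) -> Tuple[str, str]:
    """Combine the three inputs into one (verdict, message) pair."""
    name, observed = parse_ls_z(ls_z_line)
    path, expected = parse_matchpathcon(matchpathcon_line)
    verdict, advice = diagnose(observed, expected, required_type)
    return verdict, f"{path} ({name}): {advice}"


if __name__ == "__main__":
    for mpc in (MATCHPATHCON_OK, MATCHPATHCON_BAD):
        print(*check(LS_Z_LINE, mpc))
```

With the pasted `ls -Z` line, the first constructed `matchpathcon` output yields "mislabeled" and the second "fcontext_wrong"; the second case is the one consistent with comment 13, where `restorecon` left samba_share_t in place.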
Comment 17 Michal Hlavinka 2010-04-22 07:45:59 EDT
NEEDINFO state for more than one month. Closing as INSUFFICIENT_DATA; if you still see this bug and can provide the requested info, feel free to reopen.
