Bug 529791 - SELinux prevented imap from reading and writing files stored on a NFS filesytem.
Summary: SELinux prevented imap from reading and writing files stored on a NFS filesytem.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-10-20 02:31 UTC by Chris Evich
Modified: 2010-02-05 01:16 UTC (History)

Fixed In Version: 3.6.12-94.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-05 01:16:34 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
dovecot configuration (50.26 KB, application/octet-stream)
2009-10-20 02:31 UTC, Chris Evich

Description Chris Evich 2009-10-20 02:31:48 UTC
Created attachment 365302 [details]
dovecot configuration

Description of problem:
NFSv4 sec=krb5p export of home directories from another system.  Dovecot configured for gssapi authn. NSS userdb with mail_location = maildir:~/Maildir:LAYOUT=fs.  

Version-Release number of selected component (if applicable):
dovecot-1.2.5-1.fc11.x86_64
selinux-policy-targeted-3.6.12-85.fc11.noarch

How reproducible:
Very

Steps to Reproduce:
1. Mount a nfsv4 sec=krb5p /home
2. configure dovecot for maildir:~/Maildir:LAYOUT=fs
3. Attempt to access imap server
  
Actual results:

/var/log/maillog:
Oct 19 22:04:33 abcd dovecot: Dovecot v1.2.5 starting up (core dumps disabled)
Oct 19 22:04:43 abcd dovecot: imap-login: Login: user=<xxxxxxxx>, method=GSSAPI, rip=xxx.xxx.xxx.xxx, lip=yyy.yyy.yyy.yyy, TLS
Oct 19 22:04:43 abcd dovecot: IMAP(xxxxxxxx): mkdir(/home/xxxxxxxx/Maildir/INBOX/cur) failed: Permission denied (euid=1000(xxxxxxxx) egid=1000(xxxxxxxx) missing +w perm: /home/xxxxxxxx)

/var/log/messages:
Oct 19 22:04:50 abcd setroubleshoot: SELinux prevented imap from reading and writing files stored on a NFS filesytem. For complete SELinux messages. run sealert -l 8b128e4f-4ab2-4c6a-a759-7d66d634c193

# sealert -l 8b128e4f-4ab2-4c6a-a759-7d66d634c193

Summary:

SELinux prevented imap from reading and writing files stored on a NFS filesytem.

Detailed Description:

SELinux prevented imap from reading and writing files stored on a NFS
...
from a NFS filesystem this access attempt could signal an intrusion attempt.

Allowing Access:

Changing the "use_nfs_home_dirs" boolean to true will allow this access:
"setsebool -P use_nfs_home_dirs=1"

Fix Command:

setsebool -P use_nfs_home_dirs=1

Additional Information:

Source Context                unconfined_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                xxxxxxxx [ dir ]
Source                        imap
Source Path                   /usr/libexec/dovecot/imap
Port                          <Unknown>
Host                          abcd.defg.com
Source RPM Packages           dovecot-1.2.5-1.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-85.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     abcd.defg.com
Platform                      Linux abcd.defg.com 2.6.30.8-64.fc11.x86_64 #1
                              SMP Fri Sep 25 04:43:32 EDT 2009 x86_64 x86_64
Alert Count                   8
First Seen                    Mon Oct 19 22:01:03 2009
Last Seen                     Mon Oct 19 22:04:43 2009
Local ID                      8b128e4f-4ab2-4c6a-a759-7d66d634c193
Line Numbers                  

Raw Audit Messages            

node=abcd.defg.com type=AVC msg=audit(1256004283.609:79): avc:  denied  { write } for  pid=3506 comm="imap" name="xxxxxxxx" dev=0:14 ino=65537 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

node=abcd.defg.com type=SYSCALL msg=audit(1256004283.609:79): arch=c000003e syscall=21 success=no exit=-13 a0=1e30730 a1=2 a2=1e30490 a3=7fffd86ca810 items=0 ppid=3497 pid=3506 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=5 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

Expected results:
No AVC denial, dovecot process allowed to read/write to ~/Maildir effectively as the user euid=1000(xxxxxxxx) egid=1000(xxxxxxxx).

Additional info:
Restarted NFS and dovecot services after setting use_nfs_home_dirs --> on
Setting selinux into permissive mode allows dovecot to do what it needs to in ~/Maildir and appears to function normally.

Comment 1 Daniel Walsh 2009-10-20 12:34:31 UTC
Is this a normal/common way to set up dovecot?

Comment 2 Daniel Walsh 2009-10-20 12:37:56 UTC
Fixed in selinux-policy-3.6.32-30.fc12.noarch

Comment 3 Mike Grant 2009-12-22 20:32:34 UTC
Still seeing something like this with selinux-policy-3.6.32-56.fc12.noarch (Fedora 12 updates).

Our configuration is a little different (NFSv3, NIS auth, otherwise similar) but probably not in the significant aspects.

Works fine in permissive mode.

-------------

Summary:

SELinux prevented imap from reading and writing files stored on a NFS filesytem.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux prevented imap from reading and writing files stored on a NFS
filesystem. NFS (Network Filesystem) is a network filesystem commonly used on
Unix / Linux systems. imap attempted to read one or more files or directories
from a mounted filesystem of this type. As NFS filesystems do not support
fine-grained SELinux labeling, all files and directories in the filesystem will
have the same security context. If you have not configured imap to read files
from a NFS filesystem this access attempt could signal an intrusion attempt.

Allowing Access:

Changing the "use_nfs_home_dirs" boolean to true will allow this access:
"setsebool -P use_nfs_home_dirs=1"

Fix Command:

setsebool -P use_nfs_home_dirs=1

Additional Information:

Source Context                unconfined_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                new [ dir ]
Source                        imap
Source Path                   /usr/libexec/dovecot/imap
Port                          <Unknown>
Host                          pmpc889.npm.ac.uk
Source RPM Packages           dovecot-1.2.8-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-56.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   use_nfs_home_dirs
Host Name                     pmpc889.npm.ac.uk
Platform                      Linux pmpc889.npm.ac.uk 2.6.31.6-162.fc12.x86_64
                              #1 SMP Fri Dec 4 00:06:26 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Dec 22 19:09:30 2009
Last Seen                     Tue Dec 22 19:09:30 2009
Local ID                      0e380510-2bee-42c8-a2a3-d300f2791f0d
Line Numbers                  

Raw Audit Messages            

node=pmpc889.npm.ac.uk type=AVC msg=audit(1261508970.906:304022): avc:  denied  { write } for  pid=23592 comm="imap" name="new" dev=0:1d ino=55870087 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

node=pmpc889.npm.ac.uk type=SYSCALL msg=audit(1261508970.906:304022): arch=c000003e syscall=92 success=yes exit=0 a0=a2a370 a1=ffffffff a2=ffffffff a3=fffffff7 items=0 ppid=23261 pid=23592 auid=17079 uid=17079 gid=15057 euid=17079 suid=17079 fsuid=17079 egid=15057 sgid=15057 fsgid=15057 tty=(none) ses=7380 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

Comment 4 Daniel Walsh 2009-12-22 20:40:22 UTC
You're right.  I gave the permission to dovecot-deliver.



You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-63.fc12.noarch

Comment 5 Mike Grant 2010-01-06 18:47:56 UTC
Confirmed working in enforcing mode with selinux-policy-3.6.32-63.fc12.noarch.  Thanks very much :)

Comment 6 Mike Grant 2010-01-07 10:57:48 UTC
Oops, working except for creating / renaming mail folders.  use_nfs_home_dirs is on.


= creation =
Summary:
SELinux prevented imap from reading and writing files stored on a NFS filesytem.

Allowing Access:
Changing the "use_nfs_home_dirs" boolean to true will allow this access:
"setsebool -P use_nfs_home_dirs=1"

Additional Information:

Source Context                unconfined_u:system_r:dovecot_t:s0
Target Context                unconfined_u:object_r:nfs_t:s0
Target Objects                .Mailing lists.test [ dir ]
Source                        imap
Source Path                   /usr/libexec/dovecot/imap
Port                          <Unknown>
Host                          pmpc889.npm.ac.uk
Source RPM Packages           dovecot-1.2.9-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-63.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     pmpc889.npm.ac.uk
Platform                      Linux pmpc889.npm.ac.uk 2.6.31.9-174.fc12.x86_64
                              #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 07 Jan 2010 10:46:46 GMT
Last Seen                     Thu 07 Jan 2010 10:46:46 GMT
Local ID                      a4c16790-18c4-4654-be85-d6e80b651ee9
Line Numbers                  

Raw Audit Messages            

node=pmpc889.npm.ac.uk type=AVC msg=audit(1262861206.416:16140): avc:  denied  { create } for  pid=17683 comm="imap" name=2E4D61696C696E67206C697374732E74657374 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=dir

node=pmpc889.npm.ac.uk type=SYSCALL msg=audit(1262861206.416:16140): arch=c000003e syscall=83 success=no exit=-13 a0=281a4e8 a1=1c0 a2=ffffffff a3=676e696c69614d2e items=0 ppid=11886 pid=17683 auid=17079 uid=17079 gid=15057 euid=17079 suid=17079 fsuid=17079 egid=15057 sgid=15057 fsgid=15057 tty=(none) ses=62 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

= rename (move) =

Additional Information:

Source Context                unconfined_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                .Mailing lists.NDG.Fullmoon [ dir ]
Source                        imap
Source Path                   /usr/libexec/dovecot/imap
Port                          <Unknown>
Host                          pmpc889.npm.ac.uk
Source RPM Packages           dovecot-1.2.9-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-63.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     pmpc889.npm.ac.uk
Platform                      Linux pmpc889.npm.ac.uk 2.6.31.9-174.fc12.x86_64
                              #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 07 Jan 2010 10:45:44 GMT
Last Seen                     Thu 07 Jan 2010 10:45:44 GMT
Local ID                      0694f8c2-36ed-4d52-9649-4161be5739be
Line Numbers                  

Raw Audit Messages            

node=pmpc889.npm.ac.uk type=AVC msg=audit(1262861144.928:16139): avc:  denied  { rename } for  pid=17683 comm="imap" name=2E4D61696C696E67206C697374732E4E44472E46756C6C6D6F6F6E dev=0:1d ino=55870717 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

node=pmpc889.npm.ac.uk type=SYSCALL msg=audit(1262861144.928:16139): arch=c000003e syscall=82 success=no exit=-13 a0=281a468 a1=281a4a0 a2=281a010 a3=ffffffea items=0 ppid=11886 pid=17683 auid=17079 uid=17079 gid=15057 euid=17079 suid=17079 fsuid=17079 egid=15057 sgid=15057 fsgid=15057 tty=(none) ses=62 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

Comment 7 Daniel Walsh 2010-01-07 13:31:57 UTC
Oops,

Miroslav needs to add

	fs_manage_nfs_dirs(dovecot_deliver_t)
	fs_manage_nfs_dirs(dovecot_t)
...
	fs_manage_cifs_dirs(dovecot_deliver_t)
	fs_manage_cifs_dirs(dovecot_t)

BTW, these sections need to be added to RHEL5, as well as F11, and F12.
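Added example (not code from this bug or from the selinux-policy project): a small Python parser for the AVC records quoted above. It decodes the hex-encoded folder names auditd emits for names containing spaces, and collapses the denials into the allow rule that the audit2allow -M workaround in Comment 4 would produce, which is the dir access the fs_manage_nfs_dirs(dovecot_t) call in Comment 7 grants. The cifs_t to use_samba_home_dirs mapping is an assumption beyond what this bug shows.

```python
import re

# The three AVC records quoted in this bug (SYSCALL records omitted).
SAMPLE_AVCS = """\
node=abcd.defg.com type=AVC msg=audit(1256004283.609:79): avc:  denied  { write } for  pid=3506 comm="imap" name="xxxxxxxx" dev=0:14 ino=65537 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
node=pmpc889.npm.ac.uk type=AVC msg=audit(1262861206.416:16140): avc:  denied  { create } for  pid=17683 comm="imap" name=2E4D61696C696E67206C697374732E74657374 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=dir
node=pmpc889.npm.ac.uk type=AVC msg=audit(1262861144.928:16139): avc:  denied  { rename } for  pid=17683 comm="imap" name=2E4D61696C696E67206C697374732E4E44472E46756C6C6D6F6F6E dev=0:1d ino=55870717 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?name=(?P<name>"[^"]*"|\S+)\s.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\w+)'
)
# Boolean the sealert plugin suggests per unlabelled-filesystem target type (cifs_t entry assumed).
HOME_DIR_BOOLEANS = {"nfs_t": "use_nfs_home_dirs", "cifs_t": "use_samba_home_dirs"}

def decode_name(raw):
    """auditd quotes a plain name but hex-encodes one containing spaces or quotes
    (the '.Mailing lists.*' folders above); decode it before reading it."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", errors="replace")

def parse_avcs(text):
    """One dict per AVC record: permissions, decoded name, source/target types, class."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append({
                "perms": set(m.group("perms").split()),
                "name": decode_name(m.group("name")),
                "stype": m.group("scontext").split(":")[2],  # user:role:type:level
                "ttype": m.group("tcontext").split(":")[2],
                "tclass": m.group("tclass"),
            })
    return records

def boolean_hint(record):
    """Boolean sealert names for this target type, or None. It only helps if the policy
    has a rule for this (source, target, class) under it; this bug found none for dovecot_t."""
    return HOME_DIR_BOOLEANS.get(record["ttype"])

def summarise_rules(records):
    """Collapse denials into the allow rules 'audit2allow -M' would emit, one per
    (source type, target type, object class), so the missing access is visible at a glance."""
    needed = {}
    for r in records:
        needed.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    return {k: f"allow {k[0]} {k[1]}:{k[2]} {{ {' '.join(sorted(v))} }};" for k, v in needed.items()}
```

Feeding the contents of /var/log/audit/audit.log to parse_avcs gives the same view over a live system; the decoded names make the denied folder operations readable, and the generated rule shows exactly which access the shipped policy lacked even with the boolean on.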

Comment 8 Miroslav Grepl 2010-01-08 13:27:01 UTC
Added to selinux-policy-3.6.32-68.fc12.noarch

Comment 9 Miroslav Grepl 2010-01-11 12:27:23 UTC
Fixed in selinux-policy-3.6.12-94.fc11.noarch

Comment 10 Fedora Update System 2010-01-19 20:03:57 UTC
selinux-policy-3.6.12-94.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-94.fc11

Comment 11 Fedora Update System 2010-01-21 00:11:35 UTC
selinux-policy-3.6.12-94.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0851

Comment 12 Mike Grant 2010-01-27 11:46:22 UTC
Creating / renaming mail folders now works in enforcing mode (selinux-policy-3.6.32-69.fc12.noarch) - thanks very much :)

Comment 13 Fedora Update System 2010-02-05 01:16:15 UTC
selinux-policy-3.6.12-94.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

