Created attachment 365302 [details]
dovecot configuration

Description of problem:
NFSv4 sec=krb5p export of home directories from another system. Dovecot configured for gssapi authn. NSS userdb with mail_location = maildir:~/Maildir:LAYOUT=fs.

Version-Release number of selected component (if applicable):
dovecot-1.2.5-1.fc11.x86_64
selinux-policy-targeted-3.6.12-85.fc11.noarch

How reproducible:
Very

Steps to Reproduce:
1. Mount a nfsv4 sec=krb5p /home
2. configure dovecot for maildir:~/Maildir:LAYOUT=fs
3. Attempt to access imap server

Actual results:

/var/log/maillog:

Oct 19 22:04:33 abcd dovecot: Dovecot v1.2.5 starting up (core dumps disabled)
Oct 19 22:04:43 abcd dovecot: imap-login: Login: user=<xxxxxxxx>, method=GSSAPI, rip=xxx.xxx.xxx.xxx, lip=yyy.yyy.yyy.yyy, TLS
Oct 19 22:04:43 abcd dovecot: IMAP(xxxxxxxx): mkdir(/home/xxxxxxxx/Maildir/INBOX/cur) failed: Permission denied (euid=1000(xxxxxxxx) egid=1000(xxxxxxxx) missing +w perm: /home/xxxxxxxx)

/var/log/messages:

Oct 19 22:04:50 abcd setroubleshoot: SELinux prevented imap from reading and writing files stored on a NFS filesytem. For complete SELinux messages. run sealert -l 8b128e4f-4ab2-4c6a-a759-7d66d634c193

# sealert -l 8b128e4f-4ab2-4c6a-a759-7d66d634c193

Summary:

SELinux prevented imap from reading and writing files stored on a NFS filesytem.

Detailed Description:

SELinux prevented imap from reading and writing files stored on a NFS ... from a NFS filesystem this access attempt could signal an intrusion attempt.

Allowing Access:

Changing the "use_nfs_home_dirs" boolean to true will allow this access:
"setsebool -P use_nfs_home_dirs=1"

Fix Command:

setsebool -P use_nfs_home_dirs=1

Additional Information:

Source Context                unconfined_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                xxxxxxxx [ dir ]
Source                        imap
Source Path                   /usr/libexec/dovecot/imap
Port                          <Unknown>
Host                          abcd.defg.com
Source RPM Packages           dovecot-1.2.5-1.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-85.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     abcd.defg.com
Platform                      Linux abcd.defg.com 2.6.30.8-64.fc11.x86_64 #1 SMP Fri Sep 25 04:43:32 EDT 2009 x86_64 x86_64
Alert Count                   8
First Seen                    Mon Oct 19 22:01:03 2009
Last Seen                     Mon Oct 19 22:04:43 2009
Local ID                      8b128e4f-4ab2-4c6a-a759-7d66d634c193
Line Numbers

Raw Audit Messages

node=abcd.defg.com type=AVC msg=audit(1256004283.609:79): avc: denied { write } for pid=3506 comm="imap" name="xxxxxxxx" dev=0:14 ino=65537 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

node=abcd.defg.com type=SYSCALL msg=audit(1256004283.609:79): arch=c000003e syscall=21 success=no exit=-13 a0=1e30730 a1=2 a2=1e30490 a3=7fffd86ca810 items=0 ppid=3497 pid=3506 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=5 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

Expected results:
No AVC denial, dovecot process allowed to read/write to ~/Maildir effectively as the user euid=1000(xxxxxxxx) egid=1000(xxxxxxxx).

Additional info:
Restarted NFS and dovecot services after setting use_nfs_home_dirs --> on
Setting selinux into permissive mode allows dovecot to do what it needs to in ~/Maildir and appears to function normally.
Is this a normal/common way to setup dovecot?
Fixed in selinux-policy-3.6.32-30.fc12.noarch
Still seeing something like this with selinux-policy-3.6.32-56.fc12.noarch (Fedora 12 updates). Our configuration is a little different (NFSv3, NIS auth, otherwise similar) but probably not in the significant aspects. Works fine in permissive mode.

-------------

Summary:

SELinux prevented imap from reading and writing files stored on a NFS filesytem.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux prevented imap from reading and writing files stored on a NFS filesystem. NFS (Network Filesystem) is a network filesystem commonly used on Unix / Linux systems. imap attempted to read one or more files or directories from a mounted filesystem of this type. As NFS filesystems do not support fine-grained SELinux labeling, all files and directories in the filesystem will have the same security context. If you have not configured imap to read files from a NFS filesystem this access attempt could signal an intrusion attempt.

Allowing Access:

Changing the "use_nfs_home_dirs" boolean to true will allow this access:
"setsebool -P use_nfs_home_dirs=1"

Fix Command:

setsebool -P use_nfs_home_dirs=1

Additional Information:

Source Context                unconfined_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                new [ dir ]
Source                        imap
Source Path                   /usr/libexec/dovecot/imap
Port                          <Unknown>
Host                          pmpc889.npm.ac.uk
Source RPM Packages           dovecot-1.2.8-2.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-56.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   use_nfs_home_dirs
Host Name                     pmpc889.npm.ac.uk
Platform                      Linux pmpc889.npm.ac.uk 2.6.31.6-162.fc12.x86_64 #1 SMP Fri Dec 4 00:06:26 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Dec 22 19:09:30 2009
Last Seen                     Tue Dec 22 19:09:30 2009
Local ID                      0e380510-2bee-42c8-a2a3-d300f2791f0d
Line Numbers

Raw Audit Messages

node=pmpc889.npm.ac.uk type=AVC msg=audit(1261508970.906:304022): avc: denied { write } for pid=23592 comm="imap" name="new" dev=0:1d ino=55870087 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

node=pmpc889.npm.ac.uk type=SYSCALL msg=audit(1261508970.906:304022): arch=c000003e syscall=92 success=yes exit=0 a0=a2a370 a1=ffffffff a2=ffffffff a3=fffffff7 items=0 ppid=23261 pid=23592 auid=17079 uid=17079 gid=15057 euid=17079 suid=17079 fsuid=17079 egid=15057 sgid=15057 fsgid=15057 tty=(none) ses=7380 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
You're right. I gave the permission to dovecot-deliver. You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-63.fc12.noarch
Confirmed working in enforcing mode with selinux-policy-3.6.32-63.fc12.noarch. Thanks very much :)
Oops, working except for creating / renaming mail folders. use_nfs_home_dirs is on.

= creation =

Summary:

SELinux prevented imap from reading and writing files stored on a NFS filesytem.

Allowing Access:

Changing the "use_nfs_home_dirs" boolean to true will allow this access:
"setsebool -P use_nfs_home_dirs=1"

Additional Information:

Source Context                unconfined_u:system_r:dovecot_t:s0
Target Context                unconfined_u:object_r:nfs_t:s0
Target Objects                .Mailing lists.test [ dir ]
Source                        imap
Source Path                   /usr/libexec/dovecot/imap
Port                          <Unknown>
Host                          pmpc889.npm.ac.uk
Source RPM Packages           dovecot-1.2.9-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-63.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     pmpc889.npm.ac.uk
Platform                      Linux pmpc889.npm.ac.uk 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 07 Jan 2010 10:46:46 GMT
Last Seen                     Thu 07 Jan 2010 10:46:46 GMT
Local ID                      a4c16790-18c4-4654-be85-d6e80b651ee9
Line Numbers

Raw Audit Messages

node=pmpc889.npm.ac.uk type=AVC msg=audit(1262861206.416:16140): avc: denied { create } for pid=17683 comm="imap" name=2E4D61696C696E67206C697374732E74657374 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=dir

node=pmpc889.npm.ac.uk type=SYSCALL msg=audit(1262861206.416:16140): arch=c000003e syscall=83 success=no exit=-13 a0=281a4e8 a1=1c0 a2=ffffffff a3=676e696c69614d2e items=0 ppid=11886 pid=17683 auid=17079 uid=17079 gid=15057 euid=17079 suid=17079 fsuid=17079 egid=15057 sgid=15057 fsgid=15057 tty=(none) ses=62 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

= rename (move) =

Additional Information:

Source Context                unconfined_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                .Mailing lists.NDG.Fullmoon [ dir ]
Source                        imap
Source Path                   /usr/libexec/dovecot/imap
Port                          <Unknown>
Host                          pmpc889.npm.ac.uk
Source RPM Packages           dovecot-1.2.9-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-63.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     pmpc889.npm.ac.uk
Platform                      Linux pmpc889.npm.ac.uk 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 07 Jan 2010 10:45:44 GMT
Last Seen                     Thu 07 Jan 2010 10:45:44 GMT
Local ID                      0694f8c2-36ed-4d52-9649-4161be5739be
Line Numbers

Raw Audit Messages

node=pmpc889.npm.ac.uk type=AVC msg=audit(1262861144.928:16139): avc: denied { rename } for pid=17683 comm="imap" name=2E4D61696C696E67206C697374732E4E44472E46756C6C6D6F6F6E dev=0:1d ino=55870717 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

node=pmpc889.npm.ac.uk type=SYSCALL msg=audit(1262861144.928:16139): arch=c000003e syscall=82 success=no exit=-13 a0=281a468 a1=281a4a0 a2=281a010 a3=ffffffea items=0 ppid=11886 pid=17683 auid=17079 uid=17079 gid=15057 euid=17079 suid=17079 fsuid=17079 egid=15057 sgid=15057 fsgid=15057 tty=(none) ses=62 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
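The raw audit messages quoted in this bug (the write denial in the description and the create/rename denials in the comment above) can be triaged programmatically. The following is an added example for readers of this report; it is not part of the bug, of selinux-policy or of setroubleshoot. It parses the AVC records quoted in the thread, decodes the name= field (the kernel audit subsystem writes file names containing spaces or quotes as unquoted hex, which is why ".Mailing lists.test" appears as name=2E4D61696C...), and applies the decision the thread arrives at: boolean off means setsebool, boolean already on but still denied means the policy lacks the rule. The booleans dict passed to triage() and the MANAGE_PERMS set are assumptions made for this example.

```python
"""Triage SELinux AVC denials against nfs_t, as seen in this bug report.

Added example, not the bug report's or selinux-policy's own code. The AVC
records are the ones quoted in the thread; boolean states are constructed.
"""
import re
from dataclasses import dataclass

# AVC records quoted in the bug: the original write denial, then the
# create and rename denials that remained after the first policy fix.
WRITE_AVC = ('node=abcd.defg.com type=AVC msg=audit(1256004283.609:79): avc: denied '
             '{ write } for pid=3506 comm="imap" name="xxxxxxxx" dev=0:14 ino=65537 '
             'scontext=unconfined_u:system_r:dovecot_t:s0 '
             'tcontext=system_u:object_r:nfs_t:s0 tclass=dir')
CREATE_AVC = ('node=pmpc889.npm.ac.uk type=AVC msg=audit(1262861206.416:16140): avc: denied '
              '{ create } for pid=17683 comm="imap" '
              'name=2E4D61696C696E67206C697374732E74657374 '
              'scontext=unconfined_u:system_r:dovecot_t:s0 '
              'tcontext=unconfined_u:object_r:nfs_t:s0 tclass=dir')
RENAME_AVC = ('node=pmpc889.npm.ac.uk type=AVC msg=audit(1262861144.928:16139): avc: denied '
              '{ rename } for pid=17683 comm="imap" '
              'name=2E4D61696C696E67206C697374732E4E44472E46756C6C6D6F6F6E '
              'dev=0:1d ino=55870717 scontext=unconfined_u:system_r:dovecot_t:s0 '
              'tcontext=system_u:object_r:nfs_t:s0 tclass=dir')

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: frozenset
    comm: str
    name: str
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        # user:role:type:level -> type
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def decode_audit_string(raw: str) -> str:
    """Decode an audit-record string field.

    Audit prints untrusted strings in double quotes when they are printable
    and contain no space or quote; otherwise it prints them as unquoted hex.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw == "(null)":
        return ""
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(record: str) -> AvcDenial:
    m = AVC_RE.search(record)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return AvcDenial(
        perms=frozenset(m.group("perms").split()),
        comm=decode_audit_string(fields.get("comm", '""')),
        name=decode_audit_string(fields.get("name", '""')),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
    )


# Assumption for this example: permissions beyond read/write that the
# use_nfs_home_dirs boolean alone did not cover for dovecot in this bug.
MANAGE_PERMS = frozenset({"create", "rename", "unlink", "rmdir", "setattr"})


def triage(denial: AvcDenial, booleans: dict) -> dict:
    """Map an nfs_t denial to the administrator's next step.

    `booleans` maps boolean name -> state as getsebool would report it
    (constructed by the caller here).
    """
    if denial.target_type != "nfs_t":
        return {"verdict": "not-nfs", "action": None}
    if not booleans.get("use_nfs_home_dirs", False):
        return {"verdict": "boolean-off", "action": "setsebool -P use_nfs_home_dirs=1"}
    # Boolean on and still denied: the policy lacks the rule for this domain,
    # which is the situation in this bug. Build a local module and report it.
    return {
        "verdict": "policy-gap",
        "needs_manage": bool(denial.perms & MANAGE_PERMS),
        "action": "grep avc /var/log/audit/audit.log | audit2allow -M mypol && semodule -i mypol.pp",
    }


if __name__ == "__main__":
    for rec in (WRITE_AVC, CREATE_AVC, RENAME_AVC):
        d = parse_avc(rec)
        print(sorted(d.perms), repr(d.name), triage(d, {"use_nfs_home_dirs": True}))
```

Run against the three records with the boolean reported on, as it was in this bug, all three come back as a policy gap; the create and rename denials are additionally flagged as needing manage-level access, matching the fs_manage_nfs_dirs rules later added to the policy.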
Oops, Miroslav needs to add

fs_manage_nfs_dirs(dovecot_deliver_t)
fs_manage_nfs_dirs(dovecot_t)
...
fs_manage_cifs_dirs(dovecot_deliver_t)
fs_manage_cifs_dirs(dovecot_t)

BTW, these sections need to be added to RHEL5, as well as F11, and F12.
Added to selinux-policy-3.6.32-68.fc12.noarch
Fixed in selinux-policy-3.6.12-94.fc11.noarch
selinux-policy-3.6.12-94.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-94.fc11
selinux-policy-3.6.12-94.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0851
Creating / renaming mail folders now works in enforcing mode (selinux-policy-3.6.32-69.fc12.noarch) - thanks very much :)
selinux-policy-3.6.12-94.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.