Bug 559487 - SELinux is preventing /usr/sbin/dovecot "create" access on dovecot.conf.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:e1fc0b0dfde...
Reported: 2010-01-28 09:59 UTC by Michal Schmidt
Modified: 2010-02-11 14:41 UTC

Fixed In Version: 3.6.32-84.fc12
Doc Type: Bug Fix
Last Closed: 2010-02-11 14:41:02 UTC

Description Michal Schmidt 2010-01-28 09:59:50 UTC
Since an update from dovecot-1.2.9 to dovecot-1.2.10 I'm getting this denial on start of the daemon. Dovecot wants to create a symlink in /var/run/dovecot since this upstream change:


SELinux is preventing /usr/sbin/dovecot "create" access on dovecot.conf.

Podrobný popis:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by dovecot. It is not expected that this access
is required by dovecot and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Další informace:

Kontext zdroje                unconfined_u:system_r:dovecot_t:s0
Kontext cíle                 unconfined_u:object_r:dovecot_var_run_t:s0
Objekty cíle                 dovecot.conf [ lnk_file ]
Zdroj                         dovecot
Cesta zdroje                  /usr/sbin/dovecot
Port                          <Neznámé>
Počítač                    (removed)
RPM balíčky zdroje          dovecot-1.2.10-1.fc12
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.32-73.fc12
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim            Permissive
Název zásuvného modulu     catchall
Název počítače            (removed)
Platforma                     Linux (removed) #1 SMP Mon Jan
                              25 22:41:54 UTC 2010 x86_64 x86_64
Počet upozornění           2
Poprvé viděno               Čt 28. leden 2010, 10:42:25 CET
Naposledy viděno             Čt 28. leden 2010, 10:43:34 CET
Místní ID                   2fab3752-3d51-4dfe-afe7-708469612ccb
Čísla řádků              

Původní zprávy auditu      

node=(removed) type=AVC msg=audit(1264671814.489:24034): avc:  denied  { create } for  pid=6455 comm="dovecot" name="dovecot.conf" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:dovecot_var_run_t:s0 tclass=lnk_file

node=(removed) type=SYSCALL msg=audit(1264671814.489:24034): arch=c000003e syscall=88 success=yes exit=0 a0=423c55 a1=6eb1a0 a2=2 a3=7fffc3ea6660 items=0 ppid=1 pid=6455 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

Hash String generated from  selinux-policy-3.6.32-73.fc12,catchall,dovecot,dovecot_t,dovecot_var_run_t,lnk_file,create
audit2allow suggests:

#============= dovecot_t ==============
allow dovecot_t dovecot_var_run_t:lnk_file create;

Comment 1 Michal Schmidt 2010-01-28 10:14:46 UTC
Note that on shutdown dovecot will also require the "unlink" permission to remove the symlink.

Comment 2 Miroslav Grepl 2010-01-28 12:11:53 UTC
Fixed in selinux-policy-3.6.32-78.fc12

selinux-policy-3.6.32-78.fc12 has been submitted as an update for Fedora 12.

Comment 3 Fedora Update System 2010-02-03 23:19:01 UTC
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12.

Comment 4 Fedora Update System 2010-02-05 01:43:30 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492

Comment 5 Fedora Update System 2010-02-11 14:36:13 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
