Bug 620213 - SELinux blocks dovecot
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Blocks: F14Target

Reported: 2010-08-01 11:11 EDT by Nicolas Mailhot
Modified: 2010-08-03 15:19 EDT

Doc Type: Bug Fix
Last Closed: 2010-08-03 15:19:34 EDT
Description Nicolas Mailhot 2010-08-01 11:11:00 EDT
# /etc/init.d/dovecot start
Démarrage de Dovecot Imap :                                [ÉCHOUÉ]

Aug  1 17:06:01 arekh kernel: type=1400 audit(1280675161.972:18): avc:  denied  { search } for  pid=2440 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  1 17:06:01 arekh kernel: type=1400 audit(1280675161.972:19): avc:  denied  { search } for  pid=2440 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  1 17:06:01 arekh kernel: type=1400 audit(1280675161.972:20): avc:  denied  { search } for  pid=2440 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir


# setenforce permissive
# /etc/init.d/dovecot start
Démarrage de Dovecot Imap : doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:21: protocols=imaps is no longer supported. to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:99: ssl_cert_file has been replaced by ssl_cert = <file
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:100: ssl_key_file has been replaced by ssl_key = <file
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:112: ssl_ca_file has been replaced by ssl_ca = <file
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:703: protocol managesieve {} has been replaced by protocol sieve { }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:869: add auth_ prefix to all settings inside auth {} and remove the auth {} section completely
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:907: passdb pam {} has been replaced by passdb { driver=pam }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1019: userdb passwd {} has been replaced by userdb { driver=passwd }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1081: auth_user has been replaced by service auth { user }
                                                           [  OK  ]

Aug  1 17:06:11 arekh dbus: avc:  received setenforce notice (enforcing=0)
Aug  1 17:06:11 arekh dbus: avc:  received setenforce notice (enforcing=0)
Aug  1 17:06:11 arekh kernel: type=1404 audit(1280675171.910:21): enforcing=0 old_enforcing=1 auid=500 ses=1
Aug  1 17:06:14 arekh kernel: type=1400 audit(1280675174.357:22): avc:  denied  { search } for  pid=2447 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir

BTW sealert didn't trigger so it's likely broken too

libselinux-2.0.96-3.fc14.x86_64
selinux-policy-targeted-3.8.8-8.fc14.noarch
libselinux-python-2.0.96-3.fc14.x86_64
selinux-policy-3.8.8-8.fc14.noarch
libselinux-utils-2.0.96-3.fc14.x86_64
dovecot-2.0-0.19.rc3.fc14.x86_64
setroubleshoot-server-2.2.91-2.fc14.x86_64
setroubleshoot-2.2.91-2.fc14.x86_64
setroubleshoot-plugins-2.1.55-1.fc14.noarch
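
An added example, not part of the original report: a small Python triage script that collapses the repeated AVC records above into distinct denials, tracks the enforcing-mode change from the type=1404 record, and renders the allow rule each denial implies so it can be compared against the policy fix. The function names are hypothetical; the sample records are copied from the description.

```python
import re
from collections import Counter

# Four records copied from the bug description (two denials, the mode switch, one more denial).
SAMPLE = """\
Aug  1 17:06:01 arekh kernel: type=1400 audit(1280675161.972:18): avc:  denied  { search } for  pid=2440 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  1 17:06:01 arekh kernel: type=1400 audit(1280675161.972:19): avc:  denied  { search } for  pid=2440 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  1 17:06:11 arekh kernel: type=1404 audit(1280675171.910:21): enforcing=0 old_enforcing=1 auid=500 ses=1
Aug  1 17:06:14 arekh kernel: type=1400 audit(1280675174.357:22): avc:  denied  { search } for  pid=2447 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
"""

AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
MODE = re.compile(r"type=1404 .*?\benforcing=(\d)")  # \b skips old_enforcing=

def summarize(log_text):
    """Count denials per (mode, source type, target type, class, perms)."""
    counts, mode = Counter(), "unknown"  # mode is unknown until a type=1404 record is seen
    for line in log_text.splitlines():
        m = MODE.search(line)
        if m:  # MAC_STATUS record: the enforcing flag changed
            mode = "enforcing" if m.group(1) == "1" else "permissive"
            continue
        m = AVC.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in KV.findall(m.group("rest"))}
        if "tclass" not in f or any(f.get(k, "").count(":") < 2 for k in ("scontext", "tcontext")):
            continue  # truncated record: skip rather than guess
        # A context is user:role:type[:level]; the type is the third field.
        src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
        perms = tuple(sorted(m.group("perms").split()))
        counts[(mode, src, tgt, f["tclass"], perms)] += 1
    return counts

def implied_rules(counts):
    """Render each distinct denial as the allow rule it implies, for policy review."""
    rules = set()
    for (_mode, src, tgt, tclass, perms) in counts:
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.add(f"allow {src} {tgt}:{tclass} {p};")
    return sorted(rules)

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for key, n in summary.items():
        print(n, *key)
    print("\n".join(implied_rules(summary)))
```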
Comment 1 Daniel Walsh 2010-08-03 14:46:51 EDT
Please test this in a directory other than /etc/dovecot or use the service script

cd / 
/etc/init.d/dovecot start

or 


service dovecot start
Comment 2 Nicolas Mailhot 2010-08-03 15:04:52 EDT
(In reply to comment #1)
> Please test this in a directory other than /etc/dovecot

This was already the case

> or use the service
> script
> 
> cd / 
> /etc/init.d/dovecot start
> 
> or 
> 
> 
> service dovecot start    

# export LANG=C
# cd /
# /etc/init.d/dovecot start
Starting Dovecot Imap:                                     [FAILED]
# service dovecot start    
Démarrage de Dovecot Imap :                                [ÉCHOUÉ]

Aug  3 21:01:55 arekh dbus: avc:  received setenforce notice (enforcing=1)
Aug  3 21:01:56 arekh dbus: [system] Reloaded configuration
Aug  3 21:02:04 arekh kernel: type=1400 audit(1280862124.759:41): avc:  denied  { search } for  pid=29575 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:04 arekh kernel: type=1400 audit(1280862124.759:42): avc:  denied  { search } for  pid=29575 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:04 arekh kernel: type=1400 audit(1280862124.759:43): avc:  denied  { search } for  pid=29575 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:41 arekh kernel: type=1400 audit(1280862161.456:44): avc:  denied  { search } for  pid=29595 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:41 arekh kernel: type=1400 audit(1280862161.457:45): avc:  denied  { search } for  pid=29595 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:41 arekh kernel: type=1400 audit(1280862161.457:46): avc:  denied  { search } for  pid=29595 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:50 arekh kernel: type=1400 audit(1280862170.688:47): avc:  denied  { search } for  pid=29606 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:50 arekh kernel: type=1400 audit(1280862170.688:48): avc:  denied  { search } for  pid=29606 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Aug  3 21:02:50 arekh kernel: type=1400 audit(1280862170.688:49): avc:  denied  { search } for  pid=29606 comm="dovecot" name="dovecot" dev=dm-1 ino=2113317 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
Comment 3 Daniel Walsh 2010-08-03 15:19:34 EDT
Fixed in selinux-policy-3.8.8-9.fc14
