SELinux is preventing /usr/libexec/dovecot/dovecot-lda from 'getattr' accesses on the directory /var/lib/logcheck.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that dovecot-lda should be allowed getattr access on the logcheck directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/libexec/dovecot/dovecot-lda /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dovecot_deliver_t:s0
Target Context                system_u:object_r:logwatch_cache_t:s0
Target Objects                /var/lib/logcheck [ dir ]
Source                        deliver
Source Path                   /usr/libexec/dovecot/dovecot-lda
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           dovecot-2.0.8-2.fc14
Target RPM Packages           logcheck-1.3.13-4.fc14
Policy RPM                    selinux-policy-3.9.7-19.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-72.fc14.i686.PAE #1 SMP Mon Dec 20 21:47:25 UTC 2010 i686 i686
Alert Count                   701
First Seen                    Tue 04 Jan 2011 02:02:06 PM EST
Last Seen                     Thu 06 Jan 2011 02:55:26 PM EST
Local ID                      43a5545a-83d0-43a5-8b19-7a3a92a844ea

Raw Audit Messages
type=AVC msg=audit(1294286126.419:24945): avc: denied { getattr } for pid=26452 comm="deliver" path="/var/lib/logcheck" dev=dm-0 ino=1180430 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir

type=SYSCALL msg=audit(1294286126.419:24945): arch=i386 syscall=stat64 success=no exit=EACCES a0=995e420 a1=bff79e5c a2=65bff4 a3=8494f4 items=0 ppid=26436 pid=26452 auid=4294967295 uid=482 gid=467 euid=482 suid=482 fsuid=482 egid=467 sgid=467 fsgid=467 tty=(none) ses=4294967295 comm=deliver exe=/usr/libexec/dovecot/dovecot-lda subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)

deliver,dovecot_deliver_t,logwatch_cache_t,dir,getattr

#============= dovecot_deliver_t ==============
allow dovecot_deliver_t logwatch_cache_t:dir getattr;
Any idea why dovecot-deliver is trying to get information about the /var/lib/logcheck directory? If you execute
# semanage permissive -a dovecot_deliver_t
do you get more AVC messages?
As far as I can see there is no reason for dovecot to access the logcheck directory. The bug should be "Dovecot is trying to access the logcheck directory when it shouldn't be."

I have run the command after rebooting the server. The last error message was at 19:34 local, about an hour ago. I am now seeing entries for:

"SELinux is preventing /usr/libexec/postfix/local from search access on the directory /var/lib/logcheck. For complete SELinux messages, run sealert ...."

The sealert message is:

SELinux is preventing /usr/libexec/postfix/local from search access on the directory /var/lib/logcheck.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that local should be allowed search access on the logcheck directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/libexec/postfix/local /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Again, postfix should not be accessing the directory. The only thing I can think of is that I have added the user logcheck to the root group to allow it access to the /var/log/messages and /var/log/audit log files. That was due to the install of logcheck not setting access for logcheck to the specified files.
Looks like it relates to your logcheck account. Could you add the outputs of
# grep logcheck /etc/passwd
# doveconf -n
[root@icebox ~]# grep logcheck /etc/passwd
logcheck:x:482:467:Logcheck user:/var/lib/logcheck:/sbin/nologin
[root@icebox ~]# doveconf -n
# 2.0.8: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.35.10-74.fc14.i686.PAE i686 Fedora release 14 (Laughlin)
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
[root@icebox ~]# exit
Ok, now it is clear. /var/lib/logcheck is a home dir and dovecot-lda checks this home dir.
You can allow it using
# grep logwatch_cache_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
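The two steps the thread does by hand, turning the raw AVC record into the one-line allow rule that audit2allow prints (comments 2 and 8) and matching the denied path against the home directory of the uid recorded in the SYSCALL record (comments 6 and 7), as an added Python example. It is not part of the bug report, of Dovecot or of audit2allow; the audit lines and passwd entry below are constructed copies of the ones quoted in this thread, and the rule format only imitates audit2allow's output.

```python
import re

# Constructed sample input: the AVC/SYSCALL pair and the /etc/passwd line are
# copies of the ones quoted in this bug thread, reduced to one record each.
AUDIT_LOG = """\
type=AVC msg=audit(1294286126.419:24945): avc: denied { getattr } for pid=26452 comm="deliver" path="/var/lib/logcheck" dev=dm-0 ino=1180430 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1294286126.419:24945): arch=i386 syscall=stat64 success=no exit=EACCES a0=995e420 a1=bff79e5c a2=65bff4 a3=8494f4 items=0 ppid=26436 pid=26452 auid=4294967295 uid=482 gid=467 euid=482 suid=482 fsuid=482 egid=467 sgid=467 fsgid=467 tty=(none) ses=4294967295 comm=deliver exe=/usr/libexec/dovecot/dovecot-lda subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)
"""
PASSWD = "logcheck:x:482:467:Logcheck user:/var/lib/logcheck:/sbin/nologin\n"

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for (?P<rest>.*)"
)
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'key=value key="quoted"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(log):
    """Group AVC and SYSCALL records by their audit serial number."""
    events = {}
    for line in log.splitlines():
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        ev = events.setdefault(serial.group(1), {})
        if line.startswith("type=AVC"):
            m = AVC_RE.match(line)
            if m:
                ev["perms"] = m.group("perms").split()
                ev.update(parse_kv(m.group("rest")))
        elif line.startswith("type=SYSCALL"):
            # everything after 'msg=audit(...): ' is key=value pairs
            ev["syscall"] = parse_kv(line.split("): ", 1)[1])
    return events


def type_of(context):
    """'system_u:system_r:dovecot_deliver_t:s0' -> 'dovecot_deliver_t'"""
    return context.split(":")[2]


def allow_rules(events):
    """Minimal allow rules, one per (source, target, class), in the form
    audit2allow prints; nothing wider than the denied permission is granted."""
    wanted = {}
    for ev in events.values():
        if "scontext" not in ev:
            continue
        key = (type_of(ev["scontext"]), type_of(ev["tcontext"]), ev["tclass"])
        wanted.setdefault(key, set()).update(ev["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return rules


def correlate_home(events, passwd):
    """Report denials whose target path is the home directory of the uid that
    issued the syscall: the pattern that explains this bug."""
    homes = {}
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            homes[f[2]] = (f[0], f[5])  # uid -> (name, home)
    hits = []
    for ev in events.values():
        uid = ev.get("syscall", {}).get("uid")
        if uid in homes and ev.get("path") == homes[uid][1]:
            hits.append((ev["comm"], homes[uid][0], ev["path"]))
    return hits


if __name__ == "__main__":
    evs = parse_audit(AUDIT_LOG)
    for rule in allow_rules(evs):
        print(rule)
    for comm, user, path in correlate_home(evs, PASSWD):
        print("%s was denied on %s, the home dir of user %s" % (comm, path, user))
```

On a live system the same functions can be fed the output of `ausearch -m AVC` and the contents of /etc/passwd. The generated rule grants only the single permission that was denied, which is the narrow scope comment 10 is willing to accept; the home-directory match is the observation that turns a puzzling denial into the "mail location is being guessed" explanation given later in the thread.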
Of course! That makes sense that Dovecot would be checking home directories for mail files. I will make the SELinux policy as a workaround while I check out the options in Dovecot to exclude no-login users from being checked for mail files. If a vulnerability was exploited in Dovecot, having SELinux permissions to logcheck is probably not a really good idea. You don't have the same problem with Tripwire as it has no separate user account.
The local policy will allow getattr on the directory. I do not want to allow dovecot-lda to read/write or manage logcheck/logwatch cache directories/files at all. The exclude option looks good.
(In reply to comment #8)
> Of course! That makes sense that Dovecot would be checking home directories for
> mail files. I will make the selinux policy as a work around while I check out
> the options in dovecot to exclude no login users from being checked for mail
> files.

btw, this won't work. Dovecot does not try to check all users' home dirs to find where any mailbox is. It checks a user's directory *only* when it was asked to deliver email to that user, and in that case it needs to check it. If you don't want this to happen:
A) make sure no one sends email to that user,
B) explicitly specify the mail location so Dovecot does not have to guess it.
Did we solve this problem?
I believe the solution is described in the comment #10.