Bug 735876 - SELinux and dovecot's attempt access to conf. files. [NEEDINFO]
Summary: SELinux and dovecot's attempt access to conf. files.
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: i686
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-09-05 23:12 UTC by Sergey Korchak
Modified: 2013-10-24 18:10 UTC
CC: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
SELinux is preventing /usr/bin/doveadm from getattr access on the directory /etc/dovecot.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that doveadm should be allowed getattr access on the dovecot directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:dovecot_etc_t:s0
Target Objects                /etc/dovecot [ dir ]
Source                        doveadm
Source Path                   /usr/bin/doveadm
Port                          <Unknown>
Host                          gamma.localdomain
Source RPM Packages           dovecot-2.0.13-1.fc14
Target RPM Packages           dovecot-2.0.13-1.fc14
Policy RPM                    selinux-policy-3.9.7-44.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     gamma.localdomain
Platform                      Linux gamma.localdomain 2.6.35.14-95.fc14.i686 #1 SMP Tue Aug 16 21:30:14 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Tuesday September 6 2011 1:29:47
Last Seen                     Tuesday September 6 2011 1:29:47
Local ID                      f7aa686a-8fbe-4b93-838b-df673c67dd4d

Raw Audit Messages
type=AVC msg=audit(1315261787.325:35608): avc: denied { getattr } for pid=3491 comm="doveadm" path="/etc/dovecot" dev=dm-0 ino=5768844 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir

type=SYSCALL msg=audit(1315261787.325:35608): arch=i386 syscall=stat64 success=no exit=EACCES a0=900c1c0 a1=bfea12b0 a2=350ff4 a3=46b056 items=0 ppid=2341 pid=3491 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=doveadm exe=/usr/bin/doveadm subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

Hash: doveadm,httpd_sys_script_t,dovecot_etc_t,dir,getattr

audit2allow

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dovecot_etc_t:dir getattr;

audit2allow -R

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dovecot_etc_t:dir getattr;
Clone Of:
Environment:
Last Closed: 2013-10-24 18:10:07 UTC
mgrepl: needinfo? (jackaloff)


Attachments
bug's files (26.84 KB, application/x-gzip)
2011-09-05 23:12 UTC, Sergey Korchak
no flags

Description Sergey Korchak 2011-09-05 23:12:10 UTC
Created attachment 521550: bug's files

Description of problem:

I have installed postfixadmin from the project site. When postfixadmin tries to execute doveadm I got an error like "can't encrypt password with dovecotpw" and
SELinux tree alerts. After this I tried to solve it as SETroubleshoot recommends
(# grep doveadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp)
but this did not help.


Version-Release number of selected component (if applicable):

[root@gamma korchak]# uname -a
Linux gamma.localdomain 2.6.35.14-95.fc14.i686 #1 SMP Tue Aug 16 21:30:14 UTC 2011 i686 i686 i386 GNU/Linux
[root@gamma korchak]# dovecot --version
2.0.13

All last updates installed.


How reproducible:

Install postfixadmin and use dovecot with dovecot's auth.
Try to fix the SEAlert message after postfixadmin runs.


Steps to Reproduce:
1. 
2.
3.
  
Actual results:

Denied running the doveadm utility from within apache.

Expected results:


Additional info:

Comment 1 Sergey Korchak 2011-09-05 23:21:48 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents: the SETroubleshoot report reproduced in the Doc Text field above.

Comment 2 Miroslav Grepl 2011-12-12 16:27:55 UTC
Looks like we need to add a new policy for postfixadmin. Which is the path to the scripts?

Comment 3 Michal Hlavinka 2012-03-15 10:54:52 UTC
Miroslav:
looking at postfixadmin rpm from sourceforge, php scripts are located at /srv/www/htdocs/postfixadmin

Comment 4 Miroslav Grepl 2012-03-15 11:00:57 UTC
Sergey,
could you test it with permissive mode for httpd_sys_script_t

$ semanage permissive -a httpd_sys_script_t

re-test it

$ ausearch -m avc -ts recent

and attach AVC msgs.

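The SETroubleshoot report in the Doc Text field recommends building a local module with `grep doveadm /var/log/audit/audit.log | audit2allow -M mypol`, and Comment 4 asks for the denials to be collected again with the domain made permissive. The added example below (written for this page; it is not code from the bug, from setroubleshoot or from the selinux-policy project) does the merging step of audit2allow on a handful of AVC records, so you can see why a module built from the first denial alone contains nothing but `getattr`: the first line of the sample is the real AVC record from this bug with its spacing repaired; the two further AVC lines are constructed, hypothetical follow-on denials of the kind a permissive-domain re-test could surface, not records from the bug.

```python
"""Merge SELinux AVC denials into audit2allow-style allow rules.

Added example for this bug page, not code from setroubleshoot, audit2allow
or selinux-policy. It reproduces the one part of audit2allow that matters
here: every (source type, target type, object class) triple seen in the
audit trail becomes a single `allow` rule carrying the union of the denied
permissions. A module generated after a single denial therefore only ever
allows the one permission that has been denied so far.
"""
import re
from collections import defaultdict

# Fields of a type=AVC record as the kernel audit subsystem writes them.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?\bcomm=\"?(?P<comm>[^\"\s]+)\"?"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: line 1 is the AVC record from this bug (whitespace
# cleaned); line 2 is its SYSCALL companion, shortened; lines 3 and 4 are
# HYPOTHETICAL follow-on denials of the kind a permissive re-test might show.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1315261787.325:35608): avc: denied { getattr } for pid=3491 comm="doveadm" path="/etc/dovecot" dev=dm-0 ino=5768844 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1315261787.325:35608): arch=i386 syscall=stat64 success=no exit=EACCES ... comm="doveadm" exe="/usr/bin/doveadm" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1315261790.001:35610): avc: denied { read } for pid=3491 comm="doveadm" name="dovecot" dev=dm-0 ino=5768844 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
type=AVC msg=audit(1315261790.002:35611): avc: denied { read open } for pid=3491 comm="doveadm" name="dovecot.conf" dev=dm-0 ino=5768900 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
"""


def type_of(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; return None for other record types (SYSCALL, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": m.group("comm"),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def allow_rules(lines):
    """Merge denials into sorted 'allow SRC TGT:CLASS perms;' rules."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_txt = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_txt = "{ %s }" % perm_txt
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_txt))
    return rules


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    print("# module built from the first denial only:")
    print("\n".join(allow_rules(lines[:1])))
    print("# module built from the whole (partly constructed) trail:")
    print("\n".join(allow_rules(lines)))
```

Run on the first line alone, the output is exactly the one-line `allow httpd_sys_script_t dovecot_etc_t:dir getattr;` that the report's audit2allow section shows; install that as `mypol` and the next access doveadm makes is denied again, which is consistent with the reporter's observation that the module "did not help". Collecting the full trail in permissive mode, as Comment 4 asks, is what gives the merged rules. Two practitioner caveats: `dontaudit` rules in the base policy can hide some denials from the log, and `semodule -DB` temporarily disables them while you collect; and every rule this produces widens the generic `httpd_sys_script_t` web-script domain towards the mail server's `dovecot_etc_t` configuration, which is why a dedicated policy for the postfixadmin scripts (Comment 2) rather than an ever-growing local module is the better end state.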
Comment 5 Fedora End Of Life 2013-04-03 16:16:34 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could also affect pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

