Description of problem:
The following AVC denied messages are showing up if Dovecot is configured to put e-mails directly into /home/user_01:

type=AVC msg=audit(1326128547.426:35541): avc: denied { setattr } for pid=15768 comm="imap" name="user_01" dev=drbd1 ino=270008321 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1326128547.426:35541): arch=c000003e syscall=92 success=no exit=-13 a0=12544e0 a1=1f4 a2=ffffffff a3=0 items=0 ppid=15746 pid=15768 auid=0 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=2428 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1326128978.045:35577): avc: denied { setattr } for pid=15949 comm="dovecot-lda" name="user_01" dev=drbd1 ino=270008321 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1326128978.045:35577): arch=c000003e syscall=92 success=no exit=-13 a0=e0dbb0 a1=1f4 a2=ffffffff a3=fffffffb items=0 ppid=15948 pid=15949 auid=0 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=2428 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4.noarch
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch
dovecot-2.0.9-2.el6_1.1.x86_64

How reproducible:
Every time, see above and below.

Actual results:
AVC denied for setattr for dovecot_t/dovecot_deliver_t in user_home_dir_t.

Expected results:
No AVC denied for the case mentioned above.

Additional info:
Maybe these exceptions need to go into a dovecot_enable_homedirs boolean?
We allow dovecot_deliver to manage user home content using

userdom_manage_user_home_content_dirs(dovecot_deliver_t)
userdom_manage_user_home_content_files(dovecot_deliver_t)
userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)

The problem is that d-deliver tries to set attrs on the /home/user_01 dir.
Normally, mails are delivered to /home/user_01/Mail or similar (user_home_t), but in our case not, thus it is (user_home_dir_t) where the setattr is tried.
Then you need to label /home/user_01 with something different from user_home_dir_t. Have you tried to label it user_home_t?

semanage fcontext -a -t user_home_t "/home/user_01(/.*)?"
Does this really make sense or will this cause other issues? Because with your suggestion, I'm overriding the default file contexts.
You are overriding the default context for a directory that the system currently thinks is a homedir. I believe this labeling is correct with this change. The risk here is if a user logs into this directory and creates subdirs they might not be labeled the way you would expect.
You will need to test if it works. I am closing this bug because this is more of a special configuration.
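As an added example (not part of the bug report or the dovecot policy), the following Python triages AVC records like the two quoted above: it parses each denial, prints the audit2allow-style rule it corresponds to, and flags the pattern this bug is about (a dovecot domain hitting the home directory itself, user_home_dir_t, rather than mail content labeled user_home_t), where the thread's fix is a relabel rather than a new allow rule. The sample input is constructed from the AVC lines in the report; the function and variable names are my own.

```python
import re

# Constructed sample: the two AVC records quoted in the bug report plus one
# SYSCALL record, one per line. Non-AVC lines are ignored by the parser.
AVC_SAMPLE = """\
type=AVC msg=audit(1326128547.426:35541): avc: denied { setattr } for pid=15768 comm="imap" name="user_01" dev=drbd1 ino=270008321 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1326128547.426:35541): arch=c000003e syscall=92 success=no exit=-13 comm="imap"
type=AVC msg=audit(1326128978.045:35577): avc: denied { setattr } for pid=15949 comm="dovecot-lda" name="user_01" dev=drbd1 ino=270008321 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def ctx_type(ctx):
    """user:role:type:level -> type (the third field of a security context)."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """The audit2allow-style rule this denial maps to (for triage, not for blind use)."""
    return "allow %s %s:%s { %s };" % (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]),
                                       rec["tclass"], " ".join(rec["perms"]))


def is_homedir_root_delivery(rec):
    """The bug's pattern: a dovecot domain acting on the home dir itself (user_home_dir_t)
    instead of mail content under it (user_home_t); the thread's answer is to relabel."""
    return (ctx_type(rec["scontext"]).startswith("dovecot")
            and ctx_type(rec["tcontext"]) == "user_home_dir_t" and rec["tclass"] == "dir")


def triage(text):
    """Return one (comm, rule, relabel_instead) tuple per AVC denial found in text."""
    results = []
    for rec in filter(None, (parse_avc(l) for l in text.splitlines())):
        results.append((rec["comm"], allow_rule(rec), is_homedir_root_delivery(rec)))
    return results


if __name__ == "__main__":
    for comm, rule, relabel in triage(AVC_SAMPLE):
        print(comm, rule, "-> relabel dir (semanage fcontext), not allow" if relabel else "")
```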