Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 781555

Summary: AVC denied for setattr for dovecot_t/dovecot_deliver_t in user_home_dir_t
Product: Red Hat Enterprise Linux 6 Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: high    
Version: 6.2CC: cww, dwalsh, jwest, mmalik, robert.scheck
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-27 21:37:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 727267    

Description Robert Scheck 2012-01-13 17:28:10 UTC 
Description of problem:
The following AVC denied messages are showing up if Dovecot is configured
to put e-mails directly into /home/user_01:

type=AVC msg=audit(1326128547.426:35541): avc:  denied  { setattr } for  pid=15768 comm="imap" name="user_01" dev=drbd1 ino=270008321 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1326128547.426:35541): arch=c000003e syscall=92 success=no exit=-13 a0=12544e0 a1=1f4 a2=ffffffff a3=0 items=0 ppid=15746 pid=15768 auid=0 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=2428 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

type=AVC msg=audit(1326128978.045:35577): avc:  denied  { setattr } for  pid=15949 comm="dovecot-lda" name="user_01" dev=drbd1 ino=270008321 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1326128978.045:35577): arch=c000003e syscall=92 success=no exit=-13 a0=e0dbb0 a1=1f4 a2=ffffffff a3=fffffffb items=0 ppid=15948 pid=15949 auid=0 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=2428 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4.noarch
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch
dovecot-2.0.9-2.el6_1.1.x86_64

How reproducible:
Everytime, see above and below.

Actual results:
AVC denied for setattr for dovecot_t/dovecot_deliver_t in user_home_dir_t.

Expected results:
No AVC denied for the case mentioned above.

Additional info:
Maybe these exceptions need to go into a dovecot_enable_homedirs boolean?
Comment 2 Miroslav Grepl 2012-01-16 08:29:03 UTC 
We allow dovecot_deliver to manage user home content using 

userdom_manage_user_home_content_dirs(dovecot_deliver_t)
userdom_manage_user_home_content_files(dovecot_deliver_t)
userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)

The problem is the d-deliver tries to set attrs on /home/user_01 dir.
Comment 3 Robert Scheck 2012-01-16 09:28:23 UTC 
Normally, mails are delivered to /home/user_01/Mail or similar (user_home_t),
but in our case not, thus it is (user_home_dir_t) where the setattr is tried.
Comment 4 Daniel Walsh 2012-01-16 16:10:09 UTC 
Then you need to label /home/user_01 with something different the user_home_dir_t.  Have you tried to label it user_home_t?

semanage fcontext -a -t user_home_t /home/user_01(/.*)?
Comment 5 Robert Scheck 2012-01-21 12:41:06 UTC 
Does this really make sense or will this cause other issues? Because with
your suggestion, I'm overriding the default file contexts.
Comment 6 Daniel Walsh 2012-01-24 15:53:18 UTC 
You are overriding the default context for a directory that the system currently thinks is a homedir.  I believe this labeling is correct with this change.  The risk here is if  a user logs into this directory and creates subdirs they might not be labeled the way you would expect.
Comment 7 Miroslav Grepl 2012-02-27 21:37:31 UTC 
You will need test if it works. I am closing this bug because this is more the special configuration.