Description of problem:
The following AVC denied messages are showing up if Dovecot is configured to cause a bounce if quota of a mailbox is reached:

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4.noarch
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch
dovecot-2.0.9-2.el6_1.1.x86_64

How reproducible:
Every time, see above and below.

Actual results:
AVC denied for write for sendmail_t in dovecot_deliver_tmp_t

Expected results:
No AVC denied for the case mentioned above.

Additional info:
This should work and be allowed by default as it's a standard configuration situation.
Robert, could you paste AVC msgs? Thank you.
Oops, sorry! Of course:

type=AVC msg=audit(1326132038.522:35678): avc: denied { write } for pid=16890 comm="sendmail" path=2F746D702F646F7665636F742E6C64612E65356564396337323234383434633265202864656C6574656429 dev=vda1 ino=413575 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:dovecot_deliver_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1326132038.522:35678): arch=c000003e syscall=59 success=yes exit=0 a0=8fdb08 a1=8fdb20 a2=946130 a3=10 items=0 ppid=16889 pid=16890 auid=0 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=2428 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
Is anything actually being blocked here? This looks like dovecot is simply redirecting stdout to a file in /tmp?
I think we can just dontaudit this. 43c317ec4406302a19c249e025117db98bc647c9
NO! Do not dontaudit this! This AVC denied is the "quota reached" bounce. This must be allowed. Or you make it a SELinux boolean. But never dontaudit it!
Ok so sendmail is actually going to write data to a file owned by dovecot?
After comment #7, I re-checked our setup and yes, the "quota reached" bounces work even if this is dontaudit rather than allow. And I can't see any difference in the resulting e-mails and logs. So no, I don't have any idea why /usr/sbin/sendmail.postfix wants to write to that file. I'm even now questioning if it should really be allowed to write... Maybe the Dovecot guys can clarify that. I've set "quota_full_tempfail = no" in /etc/dovecot/conf.d/15-lda.conf and tried to deliver a mail via dovecot-lda to a box which reached quota (requires some additional configuration).
I am guessing that it is either a leaked file descriptor or stdout is being set to this file and then sendmail is being executed. Since this access check is being called when sendmail is being executed it is definitely one or the other.

type=SYSCALL msg=audit(01/09/2012 13:00:38.522:35678) : arch=x86_64 syscall=execve success=yes exit=0 a0=8fdb08 a1=8fdb20 a2=946130 a3=10 items=0 ppid=16889 pid=16890 auid=root uid=unknown(500) gid=users euid=unknown(500) suid=unknown(500) fsuid=unknown(500) egid=users sgid=users fsgid=users tty=(none) ses=2428 comm=sendmail exe=/usr/sbin/sendmail.postfix subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(01/09/2012 13:00:38.522:35678) : avc: denied { write } for pid=16890 comm=sendmail path=/tmp/dovecot.lda.e5ed9c7224844c2e (deleted) dev=vda1 ino=413575 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:dovecot_deliver_tmp_t:s0 tclass=file

This is what the translated AVC looks like: syscall=exec, and the file is /tmp/dovecot.lda...
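An added example, not from this report or from the selinux-policy maintainers, that does the same translation by hand: it parses the two raw records quoted earlier in this bug, decodes the hex-encoded path field (the kernel hex-encodes a field that contains a space, which is why "(deleted)" hides the path), and, when the paired SYSCALL record is an execve, states what this comment reasons: the descriptor was inherited across exec rather than opened by sendmail. It assumes an x86_64 host (arch=c000003e) for the small syscall-number table.

```python
import re

# The kernel hex-encodes any audit field that contains a space or quote, so the
# path of an unlinked file, "... (deleted)", shows up as a run of hex digits.
HEX_FIELD = re.compile(r"^[0-9A-Fa-f]+$")

# Syscall numbers for the x86_64 ABI (arch=c000003e); assumption: the log came
# from an x86_64 host. Only the few numbers this analysis needs are listed.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 59: "execve"}
# The two raw records quoted earlier in this report (copied, not constructed).
AVC_RECORD = ('type=AVC msg=audit(1326132038.522:35678): avc: denied { write } for pid=16890 '
              'comm="sendmail" path=2F746D702F646F7665636F742E6C64612E65356564396337323234383434'
              '633265202864656C6574656429 dev=vda1 ino=413575 scontext=unconfined_u:system_r:'
              'sendmail_t:s0 tcontext=unconfined_u:object_r:dovecot_deliver_tmp_t:s0 tclass=file')
SYSCALL_RECORD = ('type=SYSCALL msg=audit(1326132038.522:35678): arch=c000003e syscall=59 '
                  'success=yes exit=0 ppid=16889 pid=16890 uid=500 comm="sendmail" '
                  'exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:sendmail_t:s0')

def parse_record(line):
    """Split one raw audit record into a dict, decoding a hex-encoded path."""
    fields = {}
    m = re.search(r"msg=audit\(([\d.]+):(\d+)\)", line)
    if m:  # the serial ties the AVC and SYSCALL records of one event together
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    perms = re.search(r"denied\s+\{\s*([^}]*?)\s*\}", line)
    fields["perms"] = perms.group(1).split() if perms else []
    for key, raw in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        val = raw.strip('"')
        if key == "path" and len(val) % 2 == 0 and HEX_FIELD.match(val):
            val = bytes.fromhex(val).decode("utf-8", "replace")
        fields[key] = val
    if fields.get("syscall", "").isdigit():
        fields["syscall_name"] = X86_64_SYSCALLS.get(int(fields["syscall"]), "unknown")
    return fields

def explain(avc, sc):
    """Describe a denial from its AVC record and the SYSCALL record of the same event."""
    if avc.get("serial") != sc.get("serial"):
        raise ValueError("AVC and SYSCALL records are from different audit events")
    src, tgt = avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2]
    text = "%s denied %s on %s %r labelled %s" % (
        src, "/".join(avc["perms"]), avc["tclass"], avc["path"], tgt)
    if sc.get("syscall_name") == "execve":
        # A write check that fires during exec means the open descriptor was
        # inherited (leaked fd, or stdout/stderr redirected before exec).
        text += "; checked during execve, so fd was inherited by %s" % sc.get("exe", "?")
    return text

if __name__ == "__main__":
    print(explain(parse_record(AVC_RECORD), parse_record(SYSCALL_RECORD)))
```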
Fixed in selinux-policy-3.7.19-135.el6
The bug should be fixed now, but we aren't able to reproduce the bug even with older selinux-policy. Robert, could you please install the current selinux-policy and confirm the bug is really fixed? (the newest version is 3.7.19-143 and can be downloaded from here: http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ )
Yes, seems to work as expected (you need to configure dovecot accordingly for bounce behaviour if quota is reached - and dovecot-lda) for us. Thank you.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html
Not fixed as per selinux-policy-targeted-3.7.19-155.el6_3.14.noarch:

type=AVC msg=audit(1360596937.025:30494): avc: denied { write } for pid=17618 comm="sendmail" path=2F746D702F646F7665636F742E6C64612E34303435633738396665633966643963202864656C6574656429 dev=vda1 ino=402356 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:dovecot_deliver_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1360596937.025:30494): arch=c000003e syscall=59 success=yes exit=0 a0=193bed8 a1=193bef0 a2=1977e80 a3=7fffa9d42480 items=0 ppid=17616 pid=17618 auid=4294967295 uid=1664 gid=100 euid=1664 suid=1664 fsuid=1664 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:sendmail_t:s0 key=(null)
[root@tux ~]# doveconf -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.22.1.el6.x86_64 x86_64 Red Hat Enterprise Linux Server release 6.3 (Santiago) ext4
auth_mechanisms = plain login
auth_verbose = yes
auth_worker_max_count = 100
disable_plaintext_auth = no
hostname = mail.example.net
listen = 192.0.2.222
mail_location = mdbox:/home/%u
mail_plugins = " quota"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mdbox_rotate_interval = 1 weeks
mdbox_rotate_size = 10 M
passdb {
  driver = pam
}
plugin {
  quota = dict:user::file:/home/%u/dovecot-quota
  quota_rule = *:storage=500M
  quota_rule2 = Trash:storage=+50M
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_max_script_size = 1M
}
postmaster_address = postmaster
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = root
    mode = 0666
    user = root
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert = </etc/pki/tls/certs/*.example.net_cert.pem.dovecot
ssl_key = </etc/pki/tls/private/*.example.net_key.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocol lda {
  mail_plugins = " quota quota sieve"
}
protocol imap {
  imap_client_workarounds = delay-newmail
  imap_logout_format = bytes=%i/%o
  mail_max_userip_connections = 10
  mail_plugins = " quota imap_quota"
}
protocol sieve {
  managesieve_logout_format = bytes=%i/%o
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_logout_format = bytes=%i/%o, del=%d/%m, size=%s
}
[root@tux ~]#
This looks like it is still broken.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html