Hide Forgot
Description of problem: I have configured dovecot lmtp as virtual delivery agent on my postfix based mailserver. Dovecot additionally has sieve (via dovecot-pigeonhole) enabled and I'm using a sieve script to setup a vacation message using the sieve vacation plugin. Whenever a message arrives for the account with an active vacation sieve script, the message is delivered, but the vacation auto reply is not. The core reason seems to be that dovecot lmtp doesn't have exec access on /usr/sbin/sendmail.postfix due to the current selinux policy. Version-Release number of selected component (if applicable): dovecot-2.0.9-2.el6_1.1.x86_64 dovecot-pigeonhole-2.0.9-2.el6_1.1.x86_64 postfix-2.6.6-2.2.el6_1.x86_64 selinux-policy-targeted-3.7.19-126.el6_2.10.noarch How reproducible: Always Steps to Reproduce: 1. setup sieve for dovecot and setup a vacation sieve script for a user (I used the example script from http://wiki2.dovecot.org/Pigeonhole/Sieve/Examples) 2. send a mail to the user for which a vacation message is active Actual results: Vacation reply message isn't sent. This is found in the maillog (I filtered to the relevant dovecot messages only): Mar 30 21:37:59 abmpub6 dovecot: lmtp(6626): Connect from local Mar 30 21:37:59 abmpub6 dovecot: lmtp(6626, recipient): Fatal: execv(/usr/sbin/sendmail) failed: Permission denied Mar 30 21:37:59 abmpub6 dovecot: lmtp(6626, recipient): Error: Sendmail process terminated abnormally, exit status 84 Mar 30 21:37:59 abmpub6 dovecot: lmtp(6626, recipient): Error: JBO/MowKdk/iGQAAZsTLbA: sieve: msgid=<20120330193759.7CA7758855A>: failed to send vacation response to <sender> (refer to server log for more information) This is accompanied by the following selinux messages in audit.log: type=AVC msg=audit(1333136279.642:112177): avc: denied { execute } for pid=6653 comm="lmtp" name="sendmail.postfix" dev=xvda ino=7422495 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file type=SYSCALL msg=audit(1333136279.642:112177): arch=c000003e syscall=59 success=no exit=-13 a0=ccd270 a1=ccd288 a2=0 a3=34ac017240 items=0 ppid=6626 pid=6653 auid=501 uid=0 gid=10001 euid=10001 suid=0 fsuid=10001 egid=10001 sgid=10001 fsgid=10001 tty=(none) ses=707 comm="lmtp" exe="/usr/libexec/dovecot/lmtp" subj=unconfined_u:system_r:dovecot_t:s0 key=(null) Expected results: The automatic vacation reply is sent successfully.
We have optional_policy(` # Handle sieve scripts sendmail_domtrans(dovecot_deliver_t) ') So we probably need it also for dovecot_t.
Could you test it with the following local policy # cat mydovecot.te policy_module(mydovecot, 1.0) require{ type dovecot_t; } optional_policy(` # Handle sieve scripts sendmail_domtrans(dovecot_t) ') and then execute # make -f /usr/share/selinux/devel/Makefile mydovecot.pp # semodule -i dovecot.pp
When I install that policy, the mail forwarding sieve script works fine. Thanks.
Great, thank you.
I wonder, when the new policy package gets pushed to the update repos, should I remove my local policy myself again or will this be done during the update ?
You will need to remove it, although it would not matter, since we allow duplicate allows.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html