Bug 830611 - selinux policy prevents dovecot domains access to mail_home_rw_t (Maildir)
Summary: selinux policy prevents dovecot domains access to mail_home_rw_t (Maildir)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 835906
Depends On:
Blocks:
 
Reported: 2012-06-10 23:54 UTC by Scott Shambarger
Modified: 2012-07-19 09:16 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 836241
Environment:
Last Closed: 2012-06-30 21:51:14 UTC
Type: Bug


Attachments
Patch to policy/modules/services/dovecot.te (911 bytes, patch), 2012-06-19 21:04 UTC, Scott Shambarger

Description Scott Shambarger 2012-06-10 23:54:38 UTC
Description of problem:
dovecot-imap and dovecot-lda are not allowed access to Maildir files/directories once they've been labeled mail_home_rw_t (via current targeted/contexts/files/file_contexts)

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-129.fc17

How reproducible:
Always with selinux enabled

Steps to Reproduce:
1. run restorecon -r /home with selinux enabled
2. configure dovecot with "mail_location = maildir:~/Maildir"
3. enable/start dovecot.service
4. attempt to access/modify a user's mailbox
5. enable 
5. access is denied

Actual results:
Example denials...

avc:  denied  { open } for  pid=26649 comm="imap" name="dovecot.index.log" dev="dm-3" ino=5768536 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file

avc:  denied  { getattr } for  pid=26666 comm="dovecot-lda" path="/home/scott/Maildir" dev="dm-3" ino=6029316 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir

avc:  denied  { read } for  pid=27907 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file

Expected results:

Access should be allowed.

Additional info:
I read through the source policy, and there appear to be missing entries in services/dovecot.te.  I added the following to a custom module, and once loaded the above denials disappeared:

#======temp fix: dovecot-lda can't manage mail_home_rw_t=====
mta_mailserver_delivery(dovecot_deliver_t)
#======temp fix: imap can't manage mail_home_rw_t=====
mta_mailserver_delivery(dovecot_t)
#====temp fix: symlinks can't be read in Maildir=====
read_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)

I've tried the latest selinux policy from Koji (-129 atm), and the above workaround is still required or the denials above are still encountered.

Comment 1 Miroslav Grepl 2012-06-11 09:24:12 UTC
This is fixed in F18. Fixing also in F17.

Fixed in selinux-policy-3.10.0-130.fc17

Comment 2 Fedora Update System 2012-06-11 21:02:26 UTC
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17

Comment 3 Scott Shambarger 2012-06-11 21:26:00 UTC
Installed and tested -130, but problem is still present.

I see from the source file that mta_read_home_rw() is set for dovecot_t and dovecot_deliver_t, but these only allow read access from those domains.

dovecot allows message move, delete, index creation, even directory creation (and supports reading symlinks for mailbox aliases, although not creating them).

Example denials that remain:

avc:  denied  { write } for  pid=6009 comm="imap" name="dovecot.index.log" dev="dm-3" ino=6422913 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file

avc:  denied  { rename } for  pid=6009 comm="imap" name="1339449041.M782844P6009.shambarger.net" dev="dm-3" ino=6450101 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file

avc:  denied  { read } for  pid=5985 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file

So dovecot does require the 3 entries (or their equivalent) in the bug description above.  Please let me know if there's another configuration option (perhaps a boolean) that I'm missing to permit dovecot r/w access to the Maildir directory :)

Comment 4 Miroslav Grepl 2012-06-12 11:46:47 UTC
Ok, so it needs r/w.

Comment 5 Fedora Update System 2012-06-15 23:59:24 UTC
Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).

Comment 6 Scott Shambarger 2012-06-16 20:35:51 UTC
See comment 3, selinux-policy-3.10.0-130 still does not permit r/w access -- the 3 line fix in the bug description is all that's required :)

Comment 7 Fedora Update System 2012-06-17 00:04:23 UTC
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Scott Shambarger 2012-06-17 09:10:29 UTC
Bug has not been solved (for reasons listed above).  Should not be closed until resolved.

Comment 9 Miroslav Grepl 2012-06-18 16:23:18 UTC
Fixed in selinux-policy-3.10.0-131.fc17

Comment 10 Fedora Update System 2012-06-19 07:58:13 UTC
selinux-policy-3.10.0-132.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-132.fc17

Comment 11 Scott Shambarger 2012-06-19 21:03:25 UTC
Tried selinux-policy-3.10.0-132, and dovecot_deliver_t still doesn't have Read/Write access to mail_home_rw_t... And neither dovecot_t nor dovecot_deliver_t have read access to symlinks.  From audit2allow:

#============= dovecot_deliver_t ==============
allow dovecot_deliver_t mail_home_rw_t:dir { write remove_name read add_name };
allow dovecot_deliver_t mail_home_rw_t:file { write rename create unlink setattr };
allow dovecot_deliver_t mail_home_rw_t:lnk_file read;

#============= dovecot_t ==============
allow dovecot_t mail_home_rw_t:lnk_file read;

I've checked the source package, and will attach a patch for policy/modules/services/dovecot.te
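
The denials quoted in the description and in this comment are the raw input that audit2allow reduces to the allow rules shown above, and the description's macro-based workaround is the interface-level form of the same grants. The script below is an added example, not part of this bug report, of selinux-policy or of dovecot; it reimplements that reduction on the AVC lines copied from this bug (constructed as inline sample input), decodes the hex-encoded name that audit writes for a file name containing a space (the ".Deleted Items" symlink), and renders the result as a loadable module. The module name dovecot_maildir_local is an arbitrary choice.

```python
"""Summarize SELinux AVC denials into allow rules and a .te module, the way
audit2allow does.  Added example; the sample lines are the denials quoted in
this bug and the module name dovecot_maildir_local is an assumption."""
import re
from collections import defaultdict

# Constructed input: the AVC lines quoted in the description and comment 11.
SAMPLE_AVCS = """\
avc:  denied  { open } for  pid=26649 comm="imap" name="dovecot.index.log" dev="dm-3" ino=5768536 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
avc:  denied  { getattr } for  pid=26666 comm="dovecot-lda" path="/home/scott/Maildir" dev="dm-3" ino=6029316 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir
avc:  denied  { read } for  pid=27907 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file
avc:  denied  { write } for  pid=6009 comm="imap" name="dovecot.index.log" dev="dm-3" ino=6422913 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file
avc:  denied  { rename } for  pid=6009 comm="imap" name="1339449041.M782844P6009.shambarger.net" dev="dm-3" ino=6450101 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_name(raw):
    """audit(8) writes a file name unquoted and hex-encoded when it contains
    a space or other awkward byte; a quoted name is returned as is."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def context_type(ctx):
    """user:role:type[:range] -> type; index 2 holds even with an MLS range."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one denial, or None for a line that is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "").strip('"'),
        "name": decode_name(fields.get("name", fields.get("path", '""'))),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(text):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def fmt(perms):
    """One permission bare, several in braces, as policy syntax expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name):
    """Emit a .te module in the shape audit2allow -M produces: a require
    block naming every type and class used, then one allow rule per key."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {fmt(perms)};")
    return "\n".join(out) + "\n"


def build_commands(name):
    """The shell steps that compile and load the module (run as root)."""
    return [
        f"checkmodule -M -m -o {name}.mod {name}.te",
        f"semodule_package -o {name}.pp -m {name}.mod",
        f"semodule -i {name}.pp",
    ]


if __name__ == "__main__":
    rules = summarize(SAMPLE_AVCS)
    print(render_module(rules, "dovecot_maildir_local"))
    print("# " + "\n# ".join(build_commands("dovecot_maildir_local")))
```

The rendered module grants exactly what the denials show and nothing more, which is why it is useful for confirming what a policy update is missing (compare its rules with the audit2allow output above) but is a stopgap rather than the fix: the distribution fix expresses the same access through the dovecot.te interfaces such as mta_manage_home_rw and mta_mailserver_delivery, so it follows the type's definition when mail_home_rw_t changes, whereas a raw local module has to be regenerated. Feed it a whole audit.log rather than the sample and the same functions aggregate every denial per (source, target, class) triple.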

Comment 12 Scott Shambarger 2012-06-19 21:04:08 UTC
Created attachment 593070 [details]
Patch to policy/modules/services/dovecot.te

Comment 13 Scott Shambarger 2012-06-19 21:06:16 UTC
Note: in patch I removed mta_read_home_rw(dovecot_t) as it's a subset of the already included mta_manage_home_rw(dovecot_t)

Comment 14 Daniel Walsh 2012-06-19 21:17:03 UTC
Miroslav please back port cffaac2f88d8d771da6d8b0262678201f67b68f4

Comment 15 Fedora Update System 2012-06-20 00:28:37 UTC
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Scott Shambarger 2012-06-20 02:52:46 UTC
As listed above, still not fixed in 3.10.0-132

Comment 17 Miroslav Grepl 2012-06-20 08:24:42 UTC
Yes, the problem is I did not remove this bug from the update system.

Fixed in 3.10.0-133

Comment 18 Scott Shambarger 2012-06-23 00:04:16 UTC
3.10.0-133 appears to fix the problem!  Tested all my problem cases, and no denials appeared. :)

Thanks!
Scott

Comment 19 Fedora Update System 2012-06-26 21:47:28 UTC
selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17

Comment 20 Fedora Update System 2012-06-28 03:37:16 UTC
Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).

Comment 21 Till Maas 2012-06-28 19:20:40 UTC
*** Bug 835906 has been marked as a duplicate of this bug. ***

Comment 22 Fedora Update System 2012-06-30 21:51:14 UTC
selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2012-07-19 09:16:28 UTC
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
