Description of problem:
dovecot-imap and dovecot-lda are not allowed access to Maildir files/directories once they've been labeled mail_home_rw_t (via current targeted/contexts/files/file_contexts)

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-129.fc17

How reproducible:
Always with selinux enabled

Steps to Reproduce:
1. run restorecon -r /home with selinux enabled
2. configure dovecot with "mail_location = maildir:~/Maildir"
3. enable/start dovecot.service
4. attempt to access/modify a user's mailbox
5. enable
5. access is denied

Actual results:
Example denials...
avc: denied { open } for pid=26649 comm="imap" name="dovecot.index.log" dev="dm-3" ino=5768536 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { getattr } for pid=26666 comm="dovecot-lda" path="/home/scott/Maildir" dev="dm-3" ino=6029316 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir
avc: denied { read } for pid=27907 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file

Expected results:
Access should be allowed.

Additional info:
I read through the source policy, and there appear to be missing entries in services/dovecot.te. I added the following to a custom module, and once loaded the above denials disappeared:
#======temp fix: dovecot-lda can't manage mail_home_rw_t=====
mta_mailserver_delivery(dovecot_deliver_t)
#======temp fix: imap can't manage mail_home_rw_t=====
mta_mailserver_delivery(dovecot_t)
#====temp fix: symlinks can't be read in Maildir=====
read_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
I've tried the latest selinux policy from Koji (-129 atm), and the above workaround is still required or the denials above are still encountered.
This is fixed in F18. Fixing also in F17. Fixed in selinux-policy-3.10.0-130.fc17
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17
Installed and tested -130, but problem is still present. I see from the source file that mta_read_home_rw() is set for dovecot_t and dovecot_deliver_t, but these only allow read access from those domains. dovecot allows message move, delete, index creation, even directory creation (and supports reading symlinks for mailbox aliases, although not creating them).

Example denials that remain:
avc: denied { write } for pid=6009 comm="imap" name="dovecot.index.log" dev="dm-3" ino=6422913 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { rename } for pid=6009 comm="imap" name="1339449041.M782844P6009.shambarger.net" dev="dm-3" ino=6450101 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { read } for pid=5985 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file

So dovecot does require the 3 entries (or their equivalent) in the bug description above. Please let me know if there's another configuration option (perhaps a boolean) that I'm missing to permit dovecot r/w access to the Maildir directory :)
Ok, so it needs r/w.
Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).
See comment 3, selinux-policy-3.10.0-130 still does not permit r/w access -- the 3-line fix in the bug description is all that's required :)
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Bug has not been solved (for reasons listed above). Should not be closed until resolved.
Fixed in selinux-policy-3.10.0-131.fc17
selinux-policy-3.10.0-132.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-132.fc17
Tried selinux-policy-3.10.0-132, and dovecot_deliver_t still doesn't have Read/Write access to mail_home_rw_t... And neither dovecot_t nor dovecot_deliver_t have read access to symlinks.

From audit2allow:
#============= dovecot_deliver_t ==============
allow dovecot_deliver_t mail_home_rw_t:dir { write remove_name read add_name };
allow dovecot_deliver_t mail_home_rw_t:file { write rename create unlink setattr };
allow dovecot_deliver_t mail_home_rw_t:lnk_file read;
#============= dovecot_t ==============
allow dovecot_t mail_home_rw_t:lnk_file read;

I've checked the source package, and will attach a patch for policy/modules/services/dovecot.te
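The AVC denials quoted in this thread, collapsed into audit2allow-style allow rules, as an added example that is not part of the bug report or of the selinux-policy package. It takes only the denial lines above as input (embedded inline) and also decodes the hex-encoded name= value that audit emits for file names containing spaces; the helper names are my own.

```python
import re
from collections import defaultdict
# Sample input: four of the AVC denials quoted in this bug, one per line.
SAMPLE_AVC = """\
avc: denied { open } for pid=26649 comm="imap" name="dovecot.index.log" dev="dm-3" ino=5768536 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { write } for pid=6009 comm="imap" name="dovecot.index.log" dev="dm-3" ino=6422913 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { getattr } for pid=26666 comm="dovecot-lda" path="/home/scott/Maildir" dev="dm-3" ino=6029316 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir
avc: denied { read } for pid=5985 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"

def decode_name(raw):
    # audit quotes plain names; a name with a space or other odd byte is
    # emitted unquoted as hex, so name=2E44...6D73 is ".Deleted Items".
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw

def parse_avc(line):
    # One denial -> perms, source/target types, class, decoded object name.
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(line))
    obj = f.get("name") or f.get("path")
    return {
        "perms": set(m.group(1).split()),
        "stype": f["scontext"].split(":")[2],  # user:role:TYPE:level
        "ttype": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "object": decode_name(obj) if obj else None,
    }

def allow_rules(text):
    # Collapse denials into audit2allow-style rules, one per
    # (source type, target type, object class), as in the thread above.
    needed = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            needed[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    def fmt(perms):
        p = " ".join(sorted(perms))
        return p if len(perms) == 1 else "{ " + p + " }"
    return [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(needed.items())]
```

Rules produced this way show the raw permissions dovecot asks for; the patch in this thread expresses them through the refpolicy interfaces (mta_manage_home_rw and friends) instead of bare allow rules.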
Created attachment 593070: Patch to policy/modules/services/dovecot.te
Note: in patch I removed mta_read_home_rw(dovecot_t) as it's a subset of the already included mta_manage_home_rw(dovecot_t)
Miroslav please back port cffaac2f88d8d771da6d8b0262678201f67b68f4
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
As listed above, still not fixed in 3.10.0-132
Yes, the problem is I did not remove this bug from the update system. Fixed in 3.10.0-133
3.10.0-133 appears to fix the problem! Tested all my problem cases, and no denials appeared. :) Thanks! Scott
selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17
Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).
*** Bug 835906 has been marked as a duplicate of this bug. ***
selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.