Bug 835906 - ELinux is preventing /usr/libexec/dovecot/dovecot-lda from 'write' accesses on the file /home/till/Maildir/.X/dovecot-uidlist
Summary: ELinux is preventing /usr/libexec/dovecot/dovecot-lda from 'write' accesses o...
Keywords:
Status: CLOSED DUPLICATE of bug 830611
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-06-27 13:50 UTC by Till Maas
Modified: 2012-06-28 19:20 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-28 19:20:40 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Till Maas 2012-06-27 13:50:26 UTC 
dovecot with sieve and  ~/Maildir as mail location does not work. Here are some example problem reports:

executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.3-1.fc17.x86_64
time:           Wed 27 Jun 2012 03:45:46 PM CEST

description:
:SELinux is preventing /usr/libexec/dovecot/dovecot-lda from 'write' accesses on the file /home/till/Maildir/.X/dovecot-uidlist.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that dovecot-lda should be allowed write access on the dovecot-uidlist file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep deliver /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:dovecot_deliver_t:s0
:Target Context                unconfined_u:object_r:mail_home_rw_t:s0
:Target Objects                /home/till/Maildir/.X/dovecot-
:                              uidlist [ file ]
:Source                        deliver
:Source Path                   /usr/libexec/dovecot/dovecot-lda
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           dovecot-2.1.7-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC
:                              2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Wed 27 Jun 2012 10:36:27 AM CEST
:Last Seen                     Wed 27 Jun 2012 10:36:27 AM CEST
:Local ID                      d63cc1f8-bc58-426c-bd98-b19b57b0aeaf
:
:Raw Audit Messages
:type=AVC msg=audit(1340786187.549:458): avc:  denied  { write } for  pid=7497 comm="deliver" name="dovecot-uidlist" dev="dm-9" ino=1836786 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1340786187.549:458): arch=x86_64 syscall=open success=yes exit=ECHILD a0=150e780 a1=2 a2=7fff9fd62d60 a3=1 items=0 ppid=7495 pid=7497 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=deliver exe=/usr/libexec/dovecot/dovecot-lda subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)
:
:Hash: deliver,dovecot_deliver_t,mail_home_rw_t,file,write
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

END:

SELinux is preventing /usr/libexec/dovecot/dovecot-lda from write access on the directory /home/till/Maildir/.INBOX/tmp.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that dovecot-lda should be allowed write access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep deliver /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:dovecot_deliver_t:s0
Target Context                unconfined_u:object_r:mail_home_rw_t:s0
Target Objects                /home/till/Maildir/.INBOX/tmp [ dir ]
Source                        deliver
Source Path                   /usr/libexec/dovecot/dovecot-lda
Port                          <Unknown>
Host                          
Source RPM Packages           dovecot-2.1.7-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     
Platform                      Linux 
                              3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC
                              2012 x86_64 x86_64
Alert Count                   123
First Seen                    Wed 27 Jun 2012 08:39:12 AM CEST
Last Seen                     Wed 27 Jun 2012 03:02:52 PM CEST
Local ID                      772a78d3-5d3d-4a64-bc4e-828caf33d257

Raw Audit Messages
type=AVC msg=audit(1340802172.491:531): avc:  denied  { write } for  pid=13104 comm="deliver" name="tmp" dev="dm-9" ino=670220 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir


type=AVC msg=audit(1340802172.491:531): avc:  denied  { add_name } for  pid=13104 comm="deliver" name="XXX" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir


type=AVC msg=audit(1340802172.491:531): avc:  denied  { create } for  pid=13104 comm="deliver" name="XXX" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file


type=SYSCALL msg=audit(1340802172.491:531): arch=x86_64 syscall=open success=yes exit=ECHILD a0=a74320 a1=2c1 a2=1ff a3=746e616c6174612e items=0 ppid=13103 pid=13104 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=deliver exe=/usr/libexec/dovecot/dovecot-lda subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)

Hash: deliver,dovecot_deliver_t,mail_home_rw_t,dir,write

audit2allow

#============= dovecot_deliver_t ==============
#!!!! The source type 'dovecot_deliver_t' can write to a 'dir' of the following types:
# dovecot_deliver_tmp_t, user_home_dir_t, mail_spool_t, tmp_t, user_home_t, data_home_t

allow dovecot_deliver_t mail_home_rw_t:dir { write add_name };
allow dovecot_deliver_t mail_home_rw_t:file create;

audit2allow -R

#============= dovecot_deliver_t ==============
#!!!! The source type 'dovecot_deliver_t' can write to a 'dir' of the following types:
# dovecot_deliver_tmp_t, user_home_dir_t, mail_spool_t, tmp_t, user_home_t, data_home_t

allow dovecot_deliver_t mail_home_rw_t:dir { write add_name };
allow dovecot_deliver_t mail_home_rw_t:file create;
Comment 1 Miroslav Grepl 2012-06-28 11:31:06 UTC 
Please update your policy

# yum update selinux-policy-targeted --enablerepo=updates-testing
Comment 2 Till Maas 2012-06-28 19:20:40 UTC 

*** This bug has been marked as a duplicate of bug 830611 ***
Note You need to log in before you can comment on or make changes to this bug.