+++ This bug was initially created as a clone of Bug #830611 +++

Description of problem:
dovecot-imap and dovecot-lda are not allowed access to Maildir files/directories once they've been labeled mail_home_rw_t (via current targeted/contexts/files/file_contexts)

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-129.fc17

How reproducible:
Always with selinux enabled

Steps to Reproduce:
1. run restorecon -r /home with selinux enabled
2. configure dovecot with "mail_location = maildir:~/Maildir"
3. enable/start dovecot.service
4. attempt to access/modify a user's mailbox
5. enable
5. access is denied

Actual results:
Example denials...

avc: denied { open } for pid=26649 comm="imap" name="dovecot.index.log" dev="dm-3" ino=5768536 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { getattr } for pid=26666 comm="dovecot-lda" path="/home/scott/Maildir" dev="dm-3" ino=6029316 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir
avc: denied { read } for pid=27907 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file

Expected results:
Access should be allowed.

Additional info:
I read through the source policy, and there appear to be missing entries in services/dovecot.te.
I added the following to a custom module, and once loaded the above denials disappeared:

#======temp fix: dovecot-lda can't manage mail_home_rw_t=====
mta_mailserver_delivery(dovecot_deliver_t)
#======temp fix: imap can't manage mail_home_rw_t=====
mta_mailserver_delivery(dovecot_t)
#====temp fix: symlinks can't be read in Maildir=====
read_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)

I've tried the latest selinux policy from Koji (-129 atm), and the above workaround is still required or the denials above are still encountered.

--- Additional comment from mgrepl on 2012-06-11 05:24:12 EDT ---

This is fixed in F18. Fixing also in F17.

Fixed in selinux-policy-3.10.0-130.fc17

--- Additional comment from updates on 2012-06-11 17:02:26 EDT ---

selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17

--- Additional comment from scott-redhat on 2012-06-11 17:26:00 EDT ---

Installed and tested -130, but problem is still present. I see from the source file that mta_read_home_rw() is set for dovecot_t and dovecot_deliver_t, but these only allow read access from those domains. dovecot allows message move, delete, index creation, even directory creation (and supports reading symlinks for mailbox aliases, although not creating them).
Example denials that remain:

avc: denied { write } for pid=6009 comm="imap" name="dovecot.index.log" dev="dm-3" ino=6422913 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { rename } for pid=6009 comm="imap" name="1339449041.M782844P6009.shambarger.net" dev="dm-3" ino=6450101 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { read } for pid=5985 comm="imap" name=2E44656C65746564204974656D73 dev="dm-3" ino=6422539 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file

So dovecot does require the 3 entries (or their equivalent) in the bug description above. Please let me know if there's another configuration option (perhaps a boolean) that I'm missing to permit dovecot r/w access to the Maildir directory :)

--- Additional comment from mgrepl on 2012-06-12 07:46:47 EDT ---

Ok, so it needs r/w.

--- Additional comment from updates on 2012-06-15 19:59:24 EDT ---

Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).

--- Additional comment from scott-redhat on 2012-06-16 16:35:51 EDT ---

See comment 3, selinux-policy-3.10.0-130 still does not permit r/w access -- the 3 line fix in the bug description is all that's required :)

--- Additional comment from updates on 2012-06-16 20:04:23 EDT ---

selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
--- Additional comment from scott-redhat on 2012-06-17 05:10:29 EDT ---

Bug has not been solved (for reasons listed above). Should not be closed until resolved.

--- Additional comment from mgrepl on 2012-06-18 12:23:18 EDT ---

Fixed in selinux-policy-3.10.0-131.fc17

--- Additional comment from updates on 2012-06-19 03:58:13 EDT ---

selinux-policy-3.10.0-132.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-132.fc17

--- Additional comment from scott-redhat on 2012-06-19 17:03:25 EDT ---

Tried selinux-policy-3.10.0-132, and dovecot_deliver_t still doesn't have Read/Write access to mail_home_rw_t... And neither dovecot_t nor dovecot_deliver_t have read access to symlinks.

From audit2allow:

#============= dovecot_deliver_t ==============
allow dovecot_deliver_t mail_home_rw_t:dir { write remove_name read add_name };
allow dovecot_deliver_t mail_home_rw_t:file { write rename create unlink setattr };
allow dovecot_deliver_t mail_home_rw_t:lnk_file read;

#============= dovecot_t ==============
allow dovecot_t mail_home_rw_t:lnk_file read;

I've checked the source package, and will attach a patch for policy/modules/services/dovecot.te

--- Additional comment from scott-redhat on 2012-06-19 17:04:08 EDT ---

Created attachment 593070 [details]
Patch to policy/modules/services/dovecot.te

--- Additional comment from scott-redhat on 2012-06-19 17:06:16 EDT ---

Note: in patch I removed mta_read_home_rw(dovecot_t) as it's a subset of the already included mta_manage_home_rw(dovecot_t)

--- Additional comment from dwalsh on 2012-06-19 17:17:03 EDT ---

Miroslav please back port cffaac2f88d8d771da6d8b0262678201f67b68f4

--- Additional comment from updates on 2012-06-19 20:28:37 EDT ---

selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
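To show how the audit2allow output quoted in the comments above follows from the raw AVC lines, here is an added example (not code from this bug, the policy package or audit2allow itself) that parses the denials quoted in this thread and collapses them into allow rules, then flags which source domains need more than read access to mail_home_rw_t, which is the point argued back and forth in this bug. The sample AVC lines are copied from the report with the dev/ino fields trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines from this bug report, trimmed to the fields
# the rule derivation needs.
SAMPLE_AVCS = """\
avc: denied { write } for pid=6009 comm="imap" name="dovecot.index.log" scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { rename } for pid=6009 comm="imap" name="1339449041.M782844P6009.shambarger.net" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
avc: denied { read } for pid=5985 comm="imap" name=2E44656C65746564204974656D73 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=lnk_file
avc: denied { getattr } for pid=26666 comm="dovecot-lda" path="/home/scott/Maildir" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir
"""

# Permissions that a read-only interface such as mta_read_home_rw() cannot grant.
WRITE_PERMS = {"write", "rename", "create", "unlink", "setattr", "add_name", "remove_name"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def parse_avcs(text):
    """Yield (source type, target type, object class, permission) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm


def derive_allow_rules(text):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avcs(text):
        perms[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        body = next(iter(ps)) if len(ps) == 1 else "{ " + " ".join(sorted(ps)) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def domains_needing_write(text, target="mail_home_rw_t"):
    """Source domains whose denials on the target type include write-class permissions."""
    return {s for s, t, _, p in parse_avcs(text) if t == target and p in WRITE_PERMS}
```

Running derive_allow_rules(SAMPLE_AVCS) yields the three rules below the sample, and domains_needing_write(SAMPLE_AVCS) shows that for these lines dovecot_t already needs write and rename, so a read-only interface cannot cover it.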
--- Additional comment from scott-redhat on 2012-06-19 22:52:46 EDT ---

As listed above, still not fixed in 3.10.0-132

--- Additional comment from mgrepl on 2012-06-20 04:24:42 EDT ---

Yes, the problem is I did not remove this bug from the update system.

Fixed in 3.10.0-133

--- Additional comment from scott-redhat on 2012-06-22 20:04:16 EDT ---

3.10.0-133 appears to fix the problem! Tested all my problem cases, and no denials appeared. :)

Thanks!
Scott

--- Additional comment from updates on 2012-06-26 17:47:28 EDT ---

selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17

--- Additional comment from updates on 2012-06-27 23:37:16 EDT ---

Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).
Buggy policy was backported to rhel-6.3 - same fix is needed.
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
Created attachment 597365 [details] Backport of the fix for the issue. I'd strongly request Z-stream fix for the issue - this problem breaks dovecot delivery to Maildir format mailboxes totally when system is enforced.
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Fixed in selinux-policy-3.7.19-156
While running dovecot as LDA delivering mail into ~/Maildir, the following AVCs were reported. These are AVCs from permissive mode, so no more than a getattr operation is needed.

----
time->Thu Sep 20 13:45:19 2012
type=PATH msg=audit(1348141519.305:455): item=0 name="/root" inode=19 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1348141519.305:455): cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1348141519.305:455): arch=c000003e syscall=4 success=yes exit=0 a0=fca520 a1=7fff2b72f430 a2=7fff2b72f430 a3=7fff2b72f0f0 items=1 ppid=22855 pid=22857 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=3 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)
type=AVC msg=audit(1348141519.305:455): avc: denied { getattr } for pid=22857 comm="dovecot-lda" path="/root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Thu Sep 20 13:45:23 2012
type=PATH msg=audit(1348141523.755:458): item=0 name="/root" inode=19 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1348141523.755:458): cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1348141523.755:458): arch=c000003e syscall=4 success=yes exit=0 a0=1077520 a1=7fff702ca160 a2=7fff702ca160 a3=7fff702c9e20 items=1 ppid=22878 pid=22932 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=3 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)
type=AVC msg=audit(1348141523.755:458): avc: denied { getattr } for pid=22932 comm="dovecot-lda" path="/root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

Version of selinux policy:
selinux-policy-3.7.19-162.el6.noarch
selinux-policy-targeted-3.7.19-162.el6.noarch
selinux-policy-mls-3.7.19-162.el6.noarch

# matchpathcon /root
/root	system_u:object_r:admin_home_t:s0
This is another AVC:

----
time->Thu Sep 20 14:14:19 2012
type=PATH msg=audit(1348143259.513:686): item=0 name="/root" inode=19 dev=fd:00 mode=040551 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1348143259.513:686): cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1348143259.513:686): arch=c000003e syscall=80 success=yes exit=0 a0=e1aa31 a1=7f65b9f143f0 a2=0 a3=7fffd929c1b0 items=1 ppid=1590 pid=1592 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=3 comm="dovecot-lda" exe="/usr/libexec/dovecot/dovecot-lda" subj=unconfined_u:system_r:dovecot_deliver_t:s0 key=(null)
type=AVC msg=audit(1348143259.513:686): avc: denied { search } for pid=1592 comm="dovecot-lda" name="root" dev=dm-0 ino=19 scontext=unconfined_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
So you intend to deliver mail to /root/Maildir
I specifically did not include the possibility for that in my patch. If that is wanted, I'd add a boolean for it.
No we can allow it. I have added a fix for F18.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html