Bug 857628 - SELinux is preventing /usr/libexec/dovecot/auth from 'block_suspend' accesses on the capability2 .
Status: CLOSED DUPLICATE of bug 1136575
Product: Fedora
Classification: Fedora
Component: dovecot (Show other bugs)
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Michal Hlavinka
Fedora Extras Quality Assurance
Reported: 2012-09-15 05:41 EDT by Nicolas Mailhot
Modified: 2014-09-03 05:44 EDT (History)

Last Closed: 2014-09-03 05:44:57 EDT

Attachments:
File: type (9 bytes, text/plain), 2012-09-15 05:41 EDT, Nicolas Mailhot
File: hashmarkername (14 bytes, text/plain), 2012-09-15 05:41 EDT, Nicolas Mailhot

Description Nicolas Mailhot 2012-09-15 05:41:31 EDT
Additional info:
libreport version: 2.0.13
kernel:         3.6.0-0.rc2.git2.1.fc18.x86_64

SELinux is preventing /usr/libexec/dovecot/auth from 'block_suspend' accesses on the capability2 .
*****  Plugin catchall (100. confidence) suggests  ***************************
If you think auth should be allowed block_suspend access on capability2 by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                system_u:system_r:dovecot_auth_t:s0
Target Context                system_u:system_r:dovecot_auth_t:s0
Target Objects                 [ capability2 ]
Source                        auth
Source Path                   /usr/libexec/dovecot/auth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           dovecot-2.1.9-2.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-18.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.0-0.rc2.git2.1.fc18.x86_64 #1
                              SMP Wed Aug 22 11:54:04 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    2012-09-15 11:37:10 CEST
Last Seen                     2012-09-15 11:37:10 CEST
Local ID                      2c2e3715-53bd-47ce-afeb-84b29521cd19
Raw Audit Messages
type=AVC msg=audit(1347701830.295:150): avc:  denied  { block_suspend } for  pid=2694 comm="auth" capability=36  scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability2
type=SYSCALL msg=audit(1347701830.295:150): arch=x86_64 syscall=epoll_ctl success=yes exit=0 a0=a a1=2 a2=8 a3=7fffb8c5b160 items=0 ppid=743 pid=2694 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=auth exe=/usr/libexec/dovecot/auth subj=system_u:system_r:dovecot_auth_t:s0 key=(null)
Hash: auth,dovecot_auth_t,dovecot_auth_t,capability2,block_suspend
#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability2 block_suspend;
audit2allow -R
#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability2 block_suspend;
No idea what it means
Comment 1 Nicolas Mailhot 2012-09-15 05:41:35 EDT
Created attachment 613225 [details]
File: type
Comment 2 Nicolas Mailhot 2012-09-15 05:41:36 EDT
Created attachment 613226 [details]
File: hashmarkername
Comment 3 Daniel Walsh 2012-09-17 19:28:16 EDT

Second call that I have seen to epoll_ctl that generates a block_suspend but the call is successful (success=yes) even though the machine is in enforcing mode. Could this be a bug in the kernel? Or is the syscall just taking a different path if this is blocked.

Also in #857629
Comment 4 Eric Paris 2012-09-18 11:27:49 EDT
Code in question:
        /* Check if EPOLLWAKEUP is allowed */
        if ((epds.events & EPOLLWAKEUP) && !capable(CAP_BLOCK_SUSPEND))
                epds.events &= ~EPOLLWAKEUP;

If an application is failing this capability check, it is because it explicitly asks for EPOLLWAKEUP. The syscall won't fail, but we probably should check with each application you see these for and determine if they actually need it. This is not a particularly dangerous thing, from what I can see. Just means the app can use some more battery....
Comment 5 Daniel Walsh 2012-09-18 11:46:01 EDT
Ok dovecot maintainer, do you actually think dovecot needs to be able to block suspend?
Comment 6 Michal Hlavinka 2012-09-21 05:25:28 EDT
(In reply to comment #5)
> Ok dovecot maintainer, do you actually think dovecot needs to be able to
> block suspend?

The answer is I don't know. 

I don't know when it is good idea to use it nor when it's a bad idea to use it. I searched for some documentation, but found nothing. Could you point me somewhere where I could get more information? Google failed me this time.
Comment 7 Daniel Walsh 2012-09-26 17:01:14 EDT
I think the idea of this access is to stop the machine from suspending while the tool is executing.

/* Allow preventing system suspends */

#define CAP_BLOCK_SUSPEND    36

It used to be called epollwakeup.

When an epoll_event, that has the EPOLLWAKEUP flag set, is ready, a
wakeup_source will be active to prevent suspend. This can be used to
handle wakeup events from a driver that support poll, e.g. input, if
that driver wakes up the waitqueue passed to epoll before allowing
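The behaviour described in comments 4 and 7 can be reproduced with the added program below (not code from this bug, from dovecot or from the kernel): it asks epoll for EPOLLWAKEUP on an eventfd, shows that epoll_ctl() still returns 0, and then reads /proc/self/fdinfo/<epfd> to see whether the kernel kept or silently dropped the flag. It assumes Linux, and the "tfd: ... events: ..." lines in fdinfo, which exist since Linux 3.8.

```c
/* Added example: EPOLLWAKEUP without CAP_BLOCK_SUSPEND does not fail the
 * syscall; the kernel clears the flag (and SELinux logs the capability AVC).
 * The eventfd is a constructed stand-in for whatever fd an app would watch. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/eventfd.h>
#include <unistd.h>

#ifndef EPOLLWAKEUP
#define EPOLLWAKEUP (1U << 29)   /* value used by the kernel UAPI header */
#endif

/* Register an eventfd on a fresh epoll instance asking for EPOLLWAKEUP.
 * Returns the epoll_ctl() result (0 on success); hands back epfd and tfd. */
int register_with_wakeup(int *epfd_out, int *tfd_out)
{
    int epfd = epoll_create1(EPOLL_CLOEXEC);
    int tfd = eventfd(0, EFD_CLOEXEC);
    if (epfd < 0 || tfd < 0)
        return -1;
    struct epoll_event ev = { .events = EPOLLIN | EPOLLWAKEUP, .data.fd = tfd };
    *epfd_out = epfd;
    *tfd_out = tfd;
    return epoll_ctl(epfd, EPOLL_CTL_ADD, tfd, &ev);
}

/* Return the events mask the kernel recorded for tfd on epfd, as shown in
 * /proc/self/fdinfo/<epfd>, or 0 if the entry cannot be read. */
unsigned int registered_events(int epfd, int tfd)
{
    char path[64], line[256];
    unsigned int events = 0;
    snprintf(path, sizeof path, "/proc/self/fdinfo/%d", epfd);
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        int fd; unsigned int ev;
        if (sscanf(line, "tfd: %d events: %x", &fd, &ev) == 2 && fd == tfd) {
            events = ev;
            break;
        }
    }
    fclose(f);
    return events;
}

int main(void)
{
    int epfd, tfd;
    int rc = register_with_wakeup(&epfd, &tfd);
    unsigned int ev = registered_events(epfd, tfd);
    printf("epoll_ctl returned %d; EPOLLWAKEUP kept by kernel: %s\n", rc,
           (ev & EPOLLWAKEUP) ? "yes (CAP_BLOCK_SUSPEND held)" : "no (dropped)");
    return rc ? 1 : 0;
}
```

Run it once as an unprivileged user and once with CAP_BLOCK_SUSPEND to see the same return code but a different recorded mask; an application whose fdinfo never shows the flag is getting no benefit from requesting it.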
Comment 8 Fedora End Of Life 2013-04-03 12:19:02 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and the reason for this action are here:
Comment 9 Daniel Walsh 2014-09-03 05:44:57 EDT

*** This bug has been marked as a duplicate of bug 1136575 ***
