Description of problem:
Trying to use post-login script in dovecot[1] I'm getting SELinux denial. Man dovecot_selinux doesn't give any clue which boolean has to be enabled - I believe it is completely missing.

[1] http://wiki2.dovecot.org/PostLoginScripting

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-155.el6_3.8.noarch

How reproducible:
always

Steps to Reproduce:
1. run the test /CoreOS/dovecot/Security/CVE-2011-2166-remote-bypass-of-intended-access-restrictions
2. tail /var/log/messages
3. sealert -l eb67478a-5820-4b69-83ec-840fcfc000b0

Actual results:
Dec 12 09:58:20 x86-64-6s-m1 setroubleshoot: SELinux is preventing /usr/libexec/dovecot/script-login from execute access on the file /bin/bash. For complete SELinux messages. run sealert -l eb67478a-5820-4b69-83ec-840fcfc000b0

# sealert -l eb67478a-5820-4b69-83ec-840fcfc000b0
SELinux is preventing /usr/libexec/dovecot/script-login from execute access on the soubor /bin/bash.

***** Plugin leaks (86.2 confidence) doporučuje ****************************

Pokud you want to ignore script-login trying to execute access the bash file, because you believe it should not need this access.
Pak you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Udělejte
# grep /usr/libexec/dovecot/script-login /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

***** Plugin catchall (14.7 confidence) doporučuje *************************

Pokud you believe that script-login should be allowed execute access on the bash file by default.
Pak you should report this as a bug.
You can generate a local policy module to allow this access.
Udělejte
allow this access for now by executing:
# grep script-login /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Expected results:
(no SELinux problems, eventually an advice "you have to enable allow_blah_blah boolean")

Additional info:
# audit2allow
type=AVC msg=audit(1355324296.428:522581): avc: denied { execute } for pid=7312 comm="script-login" name="bash" dev=sdb1 ino=2646041 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1355324296.428:522581): arch=c000003e syscall=59 success=no exit=-13 a0=167a39d a1=1672910 a2=167bce0 a3=7fff51487910 items=0 ppid=7051 pid=7312 auid=0 uid=97 gid=97 euid=97 suid=97 fsuid=97 egid=97 sgid=97 fsgid=97 tty=(none) ses=30562 comm="script-login" exe="/usr/libexec/dovecot/script-login" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

#============= dovecot_t ==============
allow dovecot_t shell_exec_t:file execute;
Following AVC appears in enforcing mode:

----
time->Wed Dec 12 18:44:54 2012
type=PATH msg=audit(1355334294.565:866): item=1 name=(null) inode=3407874 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
type=PATH msg=audit(1355334294.565:866): item=0 name="/usr/local/bin/postlogin.sh" inode=4212606 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:bin_t:s0
type=CWD msg=audit(1355334294.565:866): cwd="/var/run/dovecot"
type=EXECVE msg=audit(1355334294.565:866):
type=SYSCALL msg=audit(1355334294.565:866): arch=c000003e syscall=59 success=no exit=-13 a0=163639d a1=162ed38 a2=164b5d0 a3=7fff498d5a80 items=2 ppid=10225 pid=10283 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=63 comm="script-login" exe="/usr/libexec/dovecot/script-login" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1355334294.565:866): avc: denied { execute } for pid=10283 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
Following AVCs appear in permissive mode:

----
time->Wed Dec 12 18:46:27 2012
type=PATH msg=audit(1355334387.250:905): item=2 name=(null) inode=6032943 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1355334387.250:905): item=1 name=(null) inode=3407874 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
type=PATH msg=audit(1355334387.250:905): item=0 name="/usr/local/bin/postlogin.sh" inode=4212606 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:bin_t:s0
type=CWD msg=audit(1355334387.250:905): cwd="/var/run/dovecot"
type=EXECVE msg=audit(1355334387.250:905): argc=2 a0="/bin/sh" a1="/usr/local/bin/postlogin.sh"
type=EXECVE msg=audit(1355334387.250:905): argc=3 a0="/bin/sh" a1="/usr/local/bin/postlogin.sh" a2="/usr/libexec/dovecot/script-login"
type=SYSCALL msg=audit(1355334387.250:905): arch=c000003e syscall=59 success=yes exit=0 a0=22f939d a1=22f1d38 a2=230e5d0 a3=7fffb7114f00 items=3 ppid=10733 pid=10791 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=63 comm="postlogin.sh" exe="/bin/bash" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1355334387.250:905): avc: denied { read open } for pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1355334387.250:905): avc: denied { execute } for pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
I added it to Fedora. Will backport.
Hello there, I have exactly the same problem running RHEL 6.3. I managed to solve it creating custom policies.

First of all, we have to create a policy that allows dovecot to execute shell scripts:

module dovecot-scriptlogin-bash-mypol 1.0;

require {
	type dovecot_t;
	type shell_exec_t;
	class file { read execute open };
}

#============= dovecot_t ==============
allow dovecot_t shell_exec_t:file { read execute open };

And then we need another policy to allow dovecot to execute the /usr/bin/mysql client from inside the shell script and connect to MySQL. Oddly enough, it required some special permissions to execute getattr, read and open syscall over the file /usr/share/mysql/charsets/Index.xml:

module dovecot-scriptlogin-mysql-mypol 1.0;

require {
	type mysqld_db_t;
	type dovecot_t;
	type mysqld_var_run_t;
	type usr_t;
	type mysqld_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class file { read getattr open };
	class dir search;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_db_t:dir search;
allow dovecot_t mysqld_t:unix_stream_socket connectto;
allow dovecot_t mysqld_var_run_t:sock_file write;
allow dovecot_t usr_t:file { read getattr open };

I'll attach in another comment the audit logs required to create these policies.
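As an added illustration (not part of this bug report, and not the audit2allow code itself): a short Python script that parses the AVC records quoted in the comments above and aggregates them into the allow rule audit2allow would emit, so the type pair and permission set a module such as dovecot-scriptlogin-bash-mypol grants can be checked against the actual denials before it is loaded. The audit lines in SAMPLE_AUDIT are copied from this report; non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Sample records copied from the audit logs quoted in this report (one
# enforcing-mode AVC, two permissive-mode AVCs, one SYSCALL record that
# the parser must ignore).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1355334294.565:866): avc: denied { execute } for pid=10283 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1355334387.250:905): avc: denied { read open } for pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1355334387.250:905): avc: denied { execute } for pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1355334387.250:905): arch=c000003e syscall=59 success=yes exit=0 comm="postlogin.sh" exe="/bin/bash"
"""

# Matches the decision, the permission set and the source/target contexts
# of an AVC record; \s+ tolerates the double spaces real audit.log uses.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for a denied AVC record, else None."""
    m = AVC_RE.search(line)
    if not m or m.group("decision") != "denied":
        return None
    stype = m.group("scontext").split(":")[2]  # user:role:type:level -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def allow_rules(audit_text):
    """Merge denials per (source, target, class) into allow rules, as audit2allow does."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            grouped[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
```

A generated rule whose target is a broad type such as usr_t, rather than a dovecot- or mysql-specific one, is the one to scrutinise before running semodule -i.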
Created attachment 675946 [details]
audit logs when dovecot tries to execute shell scripts

To load this I used the following commands:

$ cat dovecot-scriptlogin-bash-audit.log | audit2allow -M dovecot-scriptlogin-bash-mypol
$ sudo semodule -i dovecot-scriptlogin-bash-mypol.pp
Created attachment 675948 [details]
audit logs when dovecot tries to connect to MySQL from the shell script

To load this policy I used the following commands:

$ cat dovecot-scriptlogin-mysql-audit.log | audit2allow -M dovecot-scriptlogin-mysql-mypol
$ sudo semodule -i dovecot-scriptlogin-mysql-mypol.pp

This log is the one that shows the access attempts to /usr/share/mysql/charsets/Index.xml
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html