Bug 886563 - selinux denies dovecot scripts
Summary: selinux denies dovecot scripts
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2012-12-12 15:05 UTC by Karel Volný
Modified: 2013-02-21 08:33 UTC (History)

Fixed In Version: selinux-policy-3.7.19-190.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 08:33:08 UTC


Attachments
audit logs when dovecot tries to execute shell scripts (1.19 KB, text/plain), 2013-01-09 23:57 UTC, William Lovaton
audit logs when dovecot tries to connect to MySQL from the shell script (3.33 KB, text/plain), 2013-01-10 00:04 UTC, William Lovaton


Links
Red Hat Product Errata RHBA-2013:0314 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2013-02-20 20:35:01 UTC

Description Karel Volný 2012-12-12 15:05:52 UTC
Description of problem:
Trying to use a post-login script in dovecot [1], I'm getting an SELinux denial. The dovecot_selinux man page doesn't give any clue which boolean has to be enabled - I believe it is completely missing.

[1] http://wiki2.dovecot.org/PostLoginScripting

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-155.el6_3.8.noarch

How reproducible:
always

Steps to Reproduce:
1. run the test /CoreOS/dovecot/Security/CVE-2011-2166-remote-bypass-of-intended-access-restrictions
2. tail /var/log/messages
3. sealert -l eb67478a-5820-4b69-83ec-840fcfc000b0
Actual results:
Dec 12 09:58:20 x86-64-6s-m1 setroubleshoot: SELinux is preventing /usr/libexec/dovecot/script-login from execute access on the file /bin/bash. For complete SELinux messages. run sealert -l eb67478a-5820-4b69-83ec-840fcfc000b0


# sealert -l eb67478a-5820-4b69-83ec-840fcfc000b0
SELinux is preventing /usr/libexec/dovecot/script-login from execute access on the soubor /bin/bash.

*****  Plugin leaks (86.2 confidence) doporučuje  ****************************

Pokud you want to ignore script-login trying to execute access the bash file, because you believe it should not need this access.
Pak you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Udělejte
# grep /usr/libexec/dovecot/script-login /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) doporučuje  *************************

Pokud you believe that script-login should be allowed execute access on the bash file by default.
Pak you should report this as a bug.
You can generate a local policy module to allow this access.
Udělejte
allow this access for now by executing:
# grep script-login /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Expected results:
(no SELinux problems, or alternatively advice such as "you have to enable the allow_blah_blah boolean")


Additional info:
# audit2allow 
type=AVC msg=audit(1355324296.428:522581): avc:  denied  { execute } for  pid=7312 comm="script-login" name="bash" dev=sdb1 ino=2646041 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1355324296.428:522581): arch=c000003e syscall=59 success=no exit=-13 a0=167a39d a1=1672910 a2=167bce0 a3=7fff51487910 items=0 ppid=7051 pid=7312 auid=0 uid=97 gid=97 euid=97 suid=97 fsuid=97 egid=97 sgid=97 fsgid=97 tty=(none) ses=30562 comm="script-login" exe="/usr/libexec/dovecot/script-login" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)


#============= dovecot_t ==============
allow dovecot_t shell_exec_t:file execute;

Comment 2 Milos Malik 2012-12-12 15:47:06 UTC
Following AVC appears in enforcing mode:
----
time->Wed Dec 12 18:44:54 2012
type=PATH msg=audit(1355334294.565:866): item=1 name=(null) inode=3407874 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
type=PATH msg=audit(1355334294.565:866): item=0 name="/usr/local/bin/postlogin.sh" inode=4212606 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:bin_t:s0
type=CWD msg=audit(1355334294.565:866):  cwd="/var/run/dovecot"
type=EXECVE msg=audit(1355334294.565:866):
type=SYSCALL msg=audit(1355334294.565:866): arch=c000003e syscall=59 success=no exit=-13 a0=163639d a1=162ed38 a2=164b5d0 a3=7fff498d5a80 items=2 ppid=10225 pid=10283 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=63 comm="script-login" exe="/usr/libexec/dovecot/script-login" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1355334294.565:866): avc:  denied  { execute } for  pid=10283 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----

Comment 3 Milos Malik 2012-12-12 15:48:00 UTC
Following AVCs appear in permissive mode:
----
time->Wed Dec 12 18:46:27 2012
type=PATH msg=audit(1355334387.250:905): item=2 name=(null) inode=6032943 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1355334387.250:905): item=1 name=(null) inode=3407874 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
type=PATH msg=audit(1355334387.250:905): item=0 name="/usr/local/bin/postlogin.sh" inode=4212606 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:bin_t:s0
type=CWD msg=audit(1355334387.250:905):  cwd="/var/run/dovecot"
type=EXECVE msg=audit(1355334387.250:905): argc=2 a0="/bin/sh" a1="/usr/local/bin/postlogin.sh"
type=EXECVE msg=audit(1355334387.250:905): argc=3 a0="/bin/sh" a1="/usr/local/bin/postlogin.sh" a2="/usr/libexec/dovecot/script-login"
type=SYSCALL msg=audit(1355334387.250:905): arch=c000003e syscall=59 success=yes exit=0 a0=22f939d a1=22f1d38 a2=230e5d0 a3=7fffb7114f00 items=3 ppid=10733 pid=10791 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=63 comm="postlogin.sh" exe="/bin/bash" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1355334387.250:905): avc:  denied  { read open } for  pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1355334387.250:905): avc:  denied  { execute } for  pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----

Comment 4 Miroslav Grepl 2012-12-13 11:47:41 UTC
I added it to Fedora. Will backport.

Comment 7 William Lovaton 2013-01-09 23:50:42 UTC
Hello there,

I have exactly the same problem running RHEL 6.3.  I managed to solve it by creating custom policies.

First of all, we have to create a policy that allows dovecot to execute shell scripts:

module dovecot-scriptlogin-bash-mypol 1.0;

require {
	type dovecot_t;
	type shell_exec_t;
	class file { read execute open };
}

#============= dovecot_t ==============
allow dovecot_t shell_exec_t:file { read execute open };



And then we need another policy to allow dovecot to execute the /usr/bin/mysql client from inside the shell script and connect to MySQL.  Oddly enough, it required some special permissions for the getattr, read and open syscalls on the file /usr/share/mysql/charsets/Index.xml:

module dovecot-scriptlogin-mysql-mypol 1.0;

require {
	type mysqld_db_t;
	type dovecot_t;
	type mysqld_var_run_t;
	type usr_t;
	type mysqld_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class file { read getattr open };
	class dir search;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_db_t:dir search;
allow dovecot_t mysqld_t:unix_stream_socket connectto;
allow dovecot_t mysqld_var_run_t:sock_file write;
allow dovecot_t usr_t:file { read getattr open };



I'll attach in another comment the audit logs required to create these policies.
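As an added illustration (not part of this bug report, and not audit2allow's own code), the script below does what the "audit2allow -M" step in comments 1 and 7 does: it collapses AVC records into allow rules, renders them as a .te module in the same layout, and additionally lists the rules that would hand dovecot_t execute access on a shell or generic binary, so an administrator reads those before running semodule -i. The sample input is constructed from the AVC and PATH lines quoted in this bug; module name and function names are this example's own.

```python
import re
from collections import defaultdict
# Constructed sample input: audit records copied from comments 1 and 3 of this bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1355324296.428:522581): avc:  denied  { execute } for  pid=7312 comm="script-login" name="bash" dev=sdb1 ino=2646041 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=PATH msg=audit(1355334387.250:905): item=1 name=(null) inode=3407874 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
type=AVC msg=audit(1355334387.250:905): avc:  denied  { read open } for  pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1355334387.250:905): avc:  denied  { execute } for  pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avcs(audit_text):
    """Collapse AVC denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH/SYSCALL/EXECVE records carry no access decision
        stype = m["scontext"].split(":")[2]  # user:role:type:level -> type
        ttype = m["tcontext"].split(":")[2]
        rules[(stype, ttype, m["tclass"])].update(m["perms"].split())
    return dict(rules)

def fmt_perms(perms):
    """One permission bare, several in braces, as audit2allow writes them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(rules, module_name, version="1.0"):
    """Render rules as .te policy source in the layout 'audit2allow -M' produces."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

def review_rules(rules):
    """Rules granting execute on a shell or generic binary: they widen what the
    confined daemon can run, so read them before 'semodule -i' rather than loading blindly."""
    return [k for k, p in rules.items() if k[1] in {"shell_exec_t", "bin_t"} and "execute" in p]
```

Running parse_avcs on the sample yields exactly the rule in comment 7's first module, and review_rules reports it, which is the point of the bug: the fix belongs in the distribution policy, not in a blanket local allow.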

Comment 8 William Lovaton 2013-01-09 23:57:23 UTC
Created attachment 675946
audit logs when dovecot tries to execute shell scripts

To load this I used the following commands:

$ cat dovecot-scriptlogin-bash-audit.log | audit2allow -M dovecot-scriptlogin-bash-mypol
$ sudo semodule -i dovecot-scriptlogin-bash-mypol.pp

Comment 9 William Lovaton 2013-01-10 00:04:26 UTC
Created attachment 675948
audit logs when dovecot tries to connect to MySQL from the shell script

To load this policy I used the following commands:

$ cat dovecot-scriptlogin-mysql-audit.log | audit2allow -M dovecot-scriptlogin-mysql-mypol
$ sudo semodule -i dovecot-scriptlogin-mysql-mypol.pp

This log is the one that shows the access attempts to /usr/share/mysql/charsets/Index.xml

Comment 10 errata-xmlrpc 2013-02-21 08:33:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

