Bug 886563 - selinux denies dovecot scripts
Summary: selinux denies dovecot scripts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-12-12 15:05 UTC by Karel Volný
Modified: 2013-02-21 08:33 UTC (History)

Fixed In Version: selinux-policy-3.7.19-190.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 08:33:08 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
audit logs when dovecot tries to execute shell scripts (1.19 KB, text/plain), 2013-01-09 23:57 UTC, William Lovaton
audit logs when dovecot tries to connect to MySQL from the shell script (3.33 KB, text/plain), 2013-01-10 00:04 UTC, William Lovaton


Links
Red Hat Product Errata RHBA-2013:0314 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2013-02-20 20:35:01 UTC

Description Karel Volný 2012-12-12 15:05:52 UTC
Description of problem:
Trying to use the post-login script in dovecot[1], I'm getting a selinux denial. Man dovecot_selinux doesn't give any clue which boolean has to be enabled - I believe it is completely missing.

[1] http://wiki2.dovecot.org/PostLoginScripting

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-155.el6_3.8.noarch

How reproducible:
always

Steps to Reproduce:
1. run the test /CoreOS/dovecot/Security/CVE-2011-2166-remote-bypass-of-intended-access-restrictions
2. tail /var/log/messages
3. sealert -l eb67478a-5820-4b69-83ec-840fcfc000b0
  
Actual results:
Dec 12 09:58:20 x86-64-6s-m1 setroubleshoot: SELinux is preventing /usr/libexec/dovecot/script-login from execute access on the file /bin/bash. For complete SELinux messages. run sealert -l eb67478a-5820-4b69-83ec-840fcfc000b0


# sealert -l eb67478a-5820-4b69-83ec-840fcfc000b0
SELinux is preventing /usr/libexec/dovecot/script-login from execute access on the soubor /bin/bash.

*****  Plugin leaks (86.2 confidence) doporučuje  ****************************

Pokud you want to ignore script-login trying to execute access the bash file, because you believe it should not need this access.
Pak you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Udělejte
# grep /usr/libexec/dovecot/script-login /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) doporučuje  *************************

Pokud you believe that script-login should be allowed execute access on the bash file by default.
Pak you should report this as a bug.
You can generate a local policy module to allow this access.
Udělejte
allow this access for now by executing:
# grep script-login /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Expected results:
(no selinux problems, eventually an advice "you have to enable allow_blah_blah boolean")


Additional info:
# audit2allow 
type=AVC msg=audit(1355324296.428:522581): avc:  denied  { execute } for  pid=7312 comm="script-login" name="bash" dev=sdb1 ino=2646041 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1355324296.428:522581): arch=c000003e syscall=59 success=no exit=-13 a0=167a39d a1=1672910 a2=167bce0 a3=7fff51487910 items=0 ppid=7051 pid=7312 auid=0 uid=97 gid=97 euid=97 suid=97 fsuid=97 egid=97 sgid=97 fsgid=97 tty=(none) ses=30562 comm="script-login" exe="/usr/libexec/dovecot/script-login" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)


#============= dovecot_t ==============
allow dovecot_t shell_exec_t:file execute;

Comment 2 Milos Malik 2012-12-12 15:47:06 UTC
Following AVC appears in enforcing mode:
----
time->Wed Dec 12 18:44:54 2012
type=PATH msg=audit(1355334294.565:866): item=1 name=(null) inode=3407874 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
type=PATH msg=audit(1355334294.565:866): item=0 name="/usr/local/bin/postlogin.sh" inode=4212606 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:bin_t:s0
type=CWD msg=audit(1355334294.565:866):  cwd="/var/run/dovecot"
type=EXECVE msg=audit(1355334294.565:866):
type=SYSCALL msg=audit(1355334294.565:866): arch=c000003e syscall=59 success=no exit=-13 a0=163639d a1=162ed38 a2=164b5d0 a3=7fff498d5a80 items=2 ppid=10225 pid=10283 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=63 comm="script-login" exe="/usr/libexec/dovecot/script-login" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1355334294.565:866): avc:  denied  { execute } for  pid=10283 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----

Comment 3 Milos Malik 2012-12-12 15:48:00 UTC
Following AVCs appear in permissive mode:
----
time->Wed Dec 12 18:46:27 2012
type=PATH msg=audit(1355334387.250:905): item=2 name=(null) inode=6032943 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1355334387.250:905): item=1 name=(null) inode=3407874 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
type=PATH msg=audit(1355334387.250:905): item=0 name="/usr/local/bin/postlogin.sh" inode=4212606 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:bin_t:s0
type=CWD msg=audit(1355334387.250:905):  cwd="/var/run/dovecot"
type=EXECVE msg=audit(1355334387.250:905): argc=2 a0="/bin/sh" a1="/usr/local/bin/postlogin.sh"
type=EXECVE msg=audit(1355334387.250:905): argc=3 a0="/bin/sh" a1="/usr/local/bin/postlogin.sh" a2="/usr/libexec/dovecot/script-login"
type=SYSCALL msg=audit(1355334387.250:905): arch=c000003e syscall=59 success=yes exit=0 a0=22f939d a1=22f1d38 a2=230e5d0 a3=7fffb7114f00 items=3 ppid=10733 pid=10791 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=63 comm="postlogin.sh" exe="/bin/bash" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1355334387.250:905): avc:  denied  { read open } for  pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1355334387.250:905): avc:  denied  { execute } for  pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----

Comment 4 Miroslav Grepl 2012-12-13 11:47:41 UTC
I added it to Fedora. Will backport.

Comment 7 William Lovaton 2013-01-09 23:50:42 UTC
Hello there,

I have exactly the same problem running RHEL 6.3.  I managed to solve it by creating custom policies.

First of all, we have to create a policy that allows dovecot to execute shell scripts:

module dovecot-scriptlogin-bash-mypol 1.0;

require {
	type dovecot_t;
	type shell_exec_t;
	class file { read execute open };
}

#============= dovecot_t ==============
allow dovecot_t shell_exec_t:file { read execute open };



And then we need another policy to allow dovecot to execute the /usr/bin/mysql client from inside the shell script and connect to MySQL.  Oddly enough, it required some special permissions for the getattr, read and open syscalls on the file /usr/share/mysql/charsets/Index.xml:

module dovecot-scriptlogin-mysql-mypol 1.0;

require {
	type mysqld_db_t;
	type dovecot_t;
	type mysqld_var_run_t;
	type usr_t;
	type mysqld_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class file { read getattr open };
	class dir search;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_db_t:dir search;
allow dovecot_t mysqld_t:unix_stream_socket connectto;
allow dovecot_t mysqld_var_run_t:sock_file write;
allow dovecot_t usr_t:file { read getattr open };



I'll attach in another comment the audit logs required to create these policies.
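
As an added example (not part of this bug report or of the selinux-policy package), the following Python script does what audit2allow did for the reporters: it parses AVC denial lines, merges them per (source type, target type, object class) and renders the resulting allow rule, and it includes a small detection helper that flags dovecot_t attempting to execute shell_exec_t. The sample log lines are constructed from the denials quoted above; the function names are my own.

```python
import re

# Sample audit lines constructed from the denials quoted in this bug:
# one execute denial (enforcing) and read/open + execute denials (permissive).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1355334294.565:866): arch=c000003e syscall=59 success=no exit=-13 comm="script-login" exe="/usr/libexec/dovecot/script-login" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1355334294.565:866): avc:  denied  { execute } for  pid=10283 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1355334387.250:905): avc:  denied  { read open } for  pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1355334387.250:905): avc:  denied  { execute } for  pid=10791 comm="script-login" name="bash" dev=sda3 ino=3407874 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
"""

# Matches the permission set and the three context fields of an AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH/CWD records carry no denial
        stype = m.group("scontext").split(":")[2]   # user:role:TYPE:level
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())

def summarize_denials(log_text):
    """Merge denials on the same (source, target, class) key, as audit2allow does."""
    merged = {}
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return merged

def allow_rules(log_text):
    """Render merged denials as TE allow rules with sorted permissions."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize_denials(log_text).items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules

def dovecot_shell_denials(log_text):
    """Detection helper: denials of dovecot_t executing a shell_exec_t file."""
    return [d for d in parse_avc_denials(log_text)
            if d[0] == "dovecot_t" and d[1] == "shell_exec_t" and "execute" in d[3]]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The merged rule is the same one the module in this comment grants; a local module like this stays in effect after the package fix listed under Fixed In Version ships, so it should be removed again rather than left as a permanent widening of dovecot_t.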

Comment 8 William Lovaton 2013-01-09 23:57:23 UTC
Created attachment 675946 [details]
audit logs when dovecot tries to execute shell scripts

To load this I used the following commands:

$ cat dovecot-scriptlogin-bash-audit.log | audit2allow -M dovecot-scriptlogin-bash-mypol
$ sudo semodule -i dovecot-scriptlogin-bash-mypol.pp

Comment 9 William Lovaton 2013-01-10 00:04:26 UTC
Created attachment 675948 [details]
audit logs when dovecot tries to connect to MySQL from the shell script

To load this policy I used the following commands:

$ cat dovecot-scriptlogin-mysql-audit.log | audit2allow -M dovecot-scriptlogin-mysql-mypol
$ sudo semodule -i dovecot-scriptlogin-mysql-mypol.pp

This log is the one that shows the access attempts to /usr/share/mysql/charsets/Index.xml

Comment 10 errata-xmlrpc 2013-02-21 08:33:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

