Bug 983217 - SELinux prevents dovecot from using pam_oddjob_mkhomedir to create a new user's home directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1005246
Reported: 2013-07-10 17:50 UTC by Orion Poplawski
Modified: 2013-11-21 10:32 UTC (History)

Fixed In Version: selinux-policy-3.7.19-230.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1005246
Environment:
Last Closed: 2013-11-21 10:32:25 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2013:1598 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2013-11-20 21:39:24 UTC

Description Orion Poplawski 2013-07-10 17:50:50 UTC
Description of problem:

I need to be able to create a user's home directory when they log into dovecot.  I've enabled pam_oddjob_mkhomedir and configured dovecot to initialize a PAM session.  However, in enforcing mode dovecot fails to create the home directory and I get the following avc:

type=AVC msg=audit(1373476838.413:199907): avc:  denied  { search } for  pid=20976 comm="auth" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

which seems to be the dovecot auth command (perhaps running pam_oddjob_mkhomedir.so code) trying to check and see if the home directory exists.

In permissive mode, I get the following denials:

type=AVC msg=audit(1373476863.232:199921): avc:  denied  { search } for  pid=20976 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373476863.232:199921): avc:  denied  { write } for  pid=20976 comm="auth" name="system_bus_socket" dev=dm-0 ino=148 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1373476863.232:199921): avc:  denied  { connectto } for  pid=20976 comm="auth" path="/var/run/dbus/system_bus_socket" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1373476863.243:199922): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=20976 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1373476863.245:199923): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=20976 tpid=11356 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { transition } for  pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { entrypoint } for  pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { read } for  pid=21313 comm="mkhomedir" path="pipe:[14448611]" dev=pipefs ino=14448611 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { write } for  pid=21313 comm="mkhomedir" path="pipe:[14448612]" dev=pipefs ino=14448612 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { rlimitinh } for  pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { siginh } for  pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { noatsecure } for  pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.260:199925): avc:  denied  { getattr } for  pid=21313 comm="mkhomedir" path="pipe:[14448611]" dev=pipefs ino=14448611 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1373476863.262:199926): avc:  denied  { search } for  pid=21313 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.263:199927): avc:  denied  { getattr } for  pid=21313 comm="mkhomedir" path="/home" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199928): avc:  denied  { write } for  pid=21313 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199928): avc:  denied  { add_name } for  pid=21313 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199928): avc:  denied  { create } for  pid=21313 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199929): avc:  denied  { setattr } for  pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc:  denied  { search } for  pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc:  denied  { write } for  pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc:  denied  { add_name } for  pid=21313 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc:  denied  { create } for  pid=21313 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.384:199930): avc:  denied  { write open } for  pid=21313 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1572866 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.385:199931): avc:  denied  { setattr } for  pid=21313 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1572866 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.385:199932): avc:  denied  { fowner } for  pid=21313 comm="mkhomedir" capability=3  scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1373476863.385:199932): avc:  denied  { fsetid } for  pid=21313 comm="mkhomedir" capability=4  scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1373476863.385:199933): avc:  denied  { create } for  pid=21313 comm="mkhomedir" name=".procmailrc" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.385:199933): avc:  denied  { write open } for  pid=21313 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1572868 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.386:199934): avc:  denied  { setattr } for  pid=21313 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1572868 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.388:199935): avc:  denied  { sigchld } for  pid=11357 comm="oddjobd" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process
type=USER_AVC msg=audit(1373476864.392:199936): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.55 spid=11356 tpid=20976 scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I'm kind of surprised that everything runs under the dovecot_auth_t context.

I've tried creating a policy module for now, but it doesn't appear to be allowing it to label the newly created directory properly.  Seeing:

type=AVC msg=audit(1373477740.405:200297): avc:  denied  { create } for  pid=22682 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373478197.547:200432): avc:  denied  { setattr } for  pid=23183 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373478435.653:200501): avc:  denied  { create } for  pid=23455 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1373478435.687:200504): avc:  denied  { write } for  pid=23456 comm="imap" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373478435.688:200505): avc:  denied  { write } for  pid=23456 comm="imap" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir


I'm also seeing periodic messages like:

type=AVC msg=audit(1373478241.874:200455): avc:  denied  { getattr } for  pid=23169 comm="auth" path="/home/schuck" dev=dm-2 ino=262147 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

in normal operation with this configuration.  Looks like the pam session checks the home directory now.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.12.noarch

Comment 2 Orion Poplawski 2013-07-10 17:57:31 UTC
With dontaudit disabled, I'm also seeing the following:

type=AVC msg=audit(1373478897.604:200700): avc:  denied  { search } for  pid=23886 comm="mkhomedir" name="files" dev=dm-0 ino=2768 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1373478897.604:200701): avc:  denied  { read } for  pid=23886 comm="mkhomedir" name="file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.604:200701): avc:  denied  { open } for  pid=23886 comm="mkhomedir" name="file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.604:200702): avc:  denied  { getattr } for  pid=23886 comm="mkhomedir" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.705:200703): avc:  denied  { read write } for  pid=23886 comm="mkhomedir" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1373478897.705:200703): avc:  denied  { open } for  pid=23886 comm="mkhomedir" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1373478897.706:200704): avc:  denied  { check_context } for  pid=23886 comm="mkhomedir" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1373478897.706:200705): avc:  denied  { setfscreate } for  pid=23886 comm="mkhomedir" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process

which appear to be mkhomedir looking up the proper contexts to use.

Comment 3 Orion Poplawski 2013-07-10 18:05:13 UTC
This is what I ended up with:

module dovecot_mkhomedir 1.0;

require {
        type home_root_t;
        type system_dbusd_var_run_t;
        type security_t;
        type user_home_dir_t;
        type dovecot_auth_t;
        type user_home_t;
        type system_dbusd_t;
        type selinux_config_t;
        type procmail_home_t;
        type oddjob_mkhomedir_exec_t;
        type default_context_t;
        type file_context_t;
        type oddjob_t;
        class fifo_file { read write getattr };
        class process { siginh sigchld noatsecure setfscreate transition rlimitinh };
        class unix_stream_socket connectto;
        class dbus send_msg;
        class capability { fowner fsetid };
        class file { write getattr entrypoint setattr read create open };
        class sock_file write;
        class security check_context;
        class dir { search setattr create write getattr add_name };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t default_context_t:dir search;
allow dovecot_auth_t file_context_t:dir search;
allow dovecot_auth_t file_context_t:file { read getattr open };
#!!!! The source type 'dovecot_auth_t' can write to a 'dir' of the following types:
# pcscd_var_run_t, postfix_private_t, dovecot_var_run_t, tmp_t, dovecot_auth_tmp_t

allow dovecot_auth_t home_root_t:dir { write search getattr add_name };
allow dovecot_auth_t oddjob_mkhomedir_exec_t:file entrypoint;
allow dovecot_auth_t oddjob_t:dbus send_msg;
allow dovecot_auth_t oddjob_t:fifo_file { read write getattr };
allow dovecot_auth_t oddjob_t:process sigchld;
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# pcscd_var_run_t, dovecot_auth_tmp_t

allow dovecot_auth_t procmail_home_t:file { write create open setattr };
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# faillog_t, initrc_var_run_t, pcscd_var_run_t, dovecot_auth_tmp_t

allow dovecot_auth_t security_t:file { read write open };
allow dovecot_auth_t security_t:security check_context;
allow dovecot_auth_t self:capability { fowner fsetid };
allow dovecot_auth_t self:process setfscreate;
allow dovecot_auth_t selinux_config_t:dir search;
allow dovecot_auth_t selinux_config_t:file { read getattr open };
allow dovecot_auth_t system_dbusd_t:dbus send_msg;
allow dovecot_auth_t system_dbusd_t:unix_stream_socket connectto;
allow dovecot_auth_t system_dbusd_var_run_t:dir search;
allow dovecot_auth_t system_dbusd_var_run_t:sock_file write;
#!!!! The source type 'dovecot_auth_t' can write to a 'dir' of the following type:
# dovecot_auth_tmp_t

allow dovecot_auth_t user_home_dir_t:dir { write search setattr create getattr add_name };
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# pcscd_var_run_t, dovecot_auth_tmp_t

allow dovecot_auth_t user_home_t:file { write create open setattr };

#============= oddjob_t ==============
allow oddjob_t dovecot_auth_t:dbus send_msg;
allow oddjob_t dovecot_auth_t:process { siginh rlimitinh transition noatsecure };

Comment 4 Daniel Walsh 2013-07-10 22:11:31 UTC
Would the following have done it all for you?

optional_policy(`
	dbus_system_bus_client(dovecot_auth_t)
	optional_policy(`
		oddjob_dbus_chat(dovecot_auth_t)
		oddjob_domtrans_mkhomedir(dovecot_auth_t)
	')
')

Comment 5 Orion Poplawski 2013-07-10 22:15:59 UTC
That seems likely.  How could I test it out?

Comment 6 Daniel Walsh 2013-07-10 23:52:15 UTC
policy_module(mydovecot, 1.0)

gen_require(`
type dovecot_auth_t;
')
optional_policy(`
	dbus_system_bus_client(dovecot_auth_t)
	optional_policy(`
		oddjob_dbus_chat(dovecot_auth_t)
		oddjob_domtrans_mkhomedir(dovecot_auth_t)
	')
')

Create a mydovecot.te file that looks like this.

make -f /usr/share/selinux/devel/Makefile mydovecot.pp
semodule -i mydovecot.pp

Should do the trick.

Would need to remove your custom policy to make sure it works.

I checked in code like this in Fedora.

Comment 7 Orion Poplawski 2013-07-22 20:22:49 UTC
Sorry for the delay.  I still needed to allow:

type=AVC msg=audit(1374524030.963:126478): avc:  denied  { search } for  pid=16235 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

for dovecot to check if the home directory existed or not before creating it.  Otherwise it fails to create it.

Also, I still get:

type=AVC msg=audit(1374524303.673:126581): avc:  denied  { getattr } for  pid=16235 comm="auth" path="/home/milliff" dev=dm-2 ino=2490370 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

as users log in and dovecot checks out their home directory, although I don't know if this causes any problems or not.  It doesn't appear to.

Comment 8 Daniel Walsh 2013-07-24 22:16:54 UTC
f2909eace947c015a0a9a6dc2d29cbdebc6695af adds this to git.

Comment 9 Orion Poplawski 2013-08-07 20:27:17 UTC
With 3.7.19-210.el6 I still see:

type=AVC msg=audit(1375906813.610:434833): avc:  denied  { search } for  pid=30211 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

and:

type=AVC msg=audit(1375906876.518:434847): avc:  denied  { write } for  pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key
type=AVC msg=audit(1375906876.519:434848): avc:  denied  { search } for  pid=31655 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1375906876.520:434850): avc:  denied  { write } for  pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key
type=AVC msg=audit(1375906876.520:434850): avc:  denied  { setattr } for  pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key

and the home directory is not created.

Note also a bug in the selinux-policy-targeted %post script:

   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec -r corosync -r pacemaker -r amavis -r clamav2>/dev/null

Need a space before the 2.

Comment 11 Miroslav Grepl 2013-08-08 06:05:41 UTC
Does it work with a local policy from these AVC msgs?

Fixing spec file problem. 

Thank you for testing.

Comment 12 Orion Poplawski 2013-08-09 16:20:24 UTC
I was using this and it was working:

policy_module(mydovecot, 1.0)

gen_require(`
type dovecot_auth_t;
type user_home_dir_t;
type home_root_t;
class dir { search getattr };
')
optional_policy(`
    dbus_system_bus_client(dovecot_auth_t)
    optional_policy(`
        oddjob_dbus_chat(dovecot_auth_t)
        oddjob_domtrans_mkhomedir(dovecot_auth_t)
    ')
')

allow dovecot_auth_t home_root_t:dir { search };
allow dovecot_auth_t user_home_dir_t:dir { getattr };
With -211 I see:

type=AVC msg=audit(1376065073.994:510880): avc:  denied  { search } for  pid=11371 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir

and it fails.

Comment 13 Miroslav Grepl 2013-08-19 11:47:57 UTC
And are you getting more AVC in permissive mode?

Comment 14 Orion Poplawski 2013-08-28 17:47:15 UTC
With -213 in permissive:

type=AVC msg=audit(1377711892.246:38895855): avc:  denied  { search } for  pid=16815 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1377711892.246:38895855): avc:  denied  { write } for  pid=16815 comm="auth" name="system_bus_socket" dev=dm-0 ino=148 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1377711892.246:38895855): avc:  denied  { connectto } for  pid=16815 comm="auth" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1377711892.259:38895856): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=16815 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1377711892.266:38895857): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=16815 tpid=5564 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { transition } for  pid=24820 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { entrypoint } for  pid=24820 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { read } for  pid=24820 comm="mkhomedir" path="pipe:[61970950]" dev=pipefs ino=61970950 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { write } for  pid=24820 comm="mkhomedir" path="pipe:[61970951]" dev=pipefs ino=61970951 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { rlimitinh } for  pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { siginh } for  pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { noatsecure } for  pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.344:38895859): avc:  denied  { getattr } for  pid=24820 comm="mkhomedir" path="pipe:[61970950]" dev=pipefs ino=61970950 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.456:38895860): avc:  denied  { write } for  pid=24820 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1377711892.456:38895860): avc:  denied  { add_name } for  pid=24820 comm="mkhomedir" name="schuck" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1377711892.456:38895860): avc:  denied  { create } for  pid=24820 comm="mkhomedir" name="schuck" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.471:38895861): avc:  denied  { setattr } for  pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc:  denied  { search } for  pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc:  denied  { write } for  pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc:  denied  { add_name } for  pid=24820 comm="mkhomedir" name=".bash_profile" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc:  denied  { create } for  pid=24820 comm="mkhomedir" name=".bash_profile" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895862): avc:  denied  { write open } for  pid=24820 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1835021 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895863): avc:  denied  { setattr } for  pid=24820 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1835021 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895864): avc:  denied  { fowner } for  pid=24820 comm="mkhomedir" capability=3  scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1377711892.478:38895864): avc:  denied  { fsetid } for  pid=24820 comm="mkhomedir" capability=4  scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1377711892.479:38895865): avc:  denied  { create } for  pid=24820 comm="mkhomedir" name=".procmailrc" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.479:38895865): avc:  denied  { write open } for  pid=24820 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1835023 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.479:38895866): avc:  denied  { setattr } for  pid=24820 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1835023 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.481:38895867): avc:  denied  { sigchld } for  pid=5565 comm="oddjobd" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process
type=USER_AVC msg=audit(1377711893.486:38895873): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.170 spid=5564 tpid=16815 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

dovecot 1.11.1

Comment 15 Miroslav Grepl 2013-08-29 13:31:10 UTC
What is path to mkhomedir in your case + labeling?

Comment 16 Orion Poplawski 2013-08-29 14:53:28 UTC
-rwxr-xr-x. root root system_u:object_r:oddjob_mkhomedir_exec_t:s0 /usr/libexec/oddjob/mkhomedir

It seems as if the transition that should be specified by:

		oddjob_domtrans_mkhomedir(dovecot_auth_t)

isn't happening?

Comment 17 Miroslav Grepl 2013-09-03 12:02:54 UTC
Yes, for a reason.

type=AVC msg=audit(1377711892.479:38895865): avc:  denied  { create } for  pid=24820 comm="mkhomedir" name=".procmailrc" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
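As an added example (it is not part of the bug report and not Red Hat's or audit2allow's code), the following Python script does by hand what audit2allow did for the module in Comment 3 and what Comments 16 and 17 point at: it parses kernel AVC and dbus-daemon USER_AVC records, aggregates them into allow-rule candidates keyed by source type, target type and object class, and separately flags records where a command is running in a domain other than the one a domain transition should have put it in. The sample records are copied from the report above; the expected domain name oddjob_mkhomedir_t is an assumption (the page only names the executable type oddjob_mkhomedir_exec_t).

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC records quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1373476838.413:199907): avc:  denied  { search } for  pid=20976 comm="auth" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { transition } for  pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { entrypoint } for  pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=AVC msg=audit(1373476863.372:199928): avc:  denied  { write } for  pid=21313 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199928): avc:  denied  { add_name } for  pid=21313 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=USER_AVC msg=audit(1373476863.245:199923): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=20976 tpid=11356 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Matches both kernel AVC records and the dbus-daemon USER_AVC form.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line into a record, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),  # absent on USER_AVC records
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize_denials(lines):
    """Aggregate denials into {(source type, target type, class): {perms}}."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def render_allow_rules(summary):
    """Render the summary as audit2allow-style allow rules, sorted for review."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def find_missing_transitions(lines, expected_domain):
    """Flag denials where a command runs in a domain other than expected_domain[comm].

    A helper that should have domain-transitioned but shows up with its
    caller's source type is the symptom discussed in Comments 16 and 17.
    """
    flagged = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["comm"] in expected_domain and rec["stype"] != expected_domain[rec["comm"]]:
            flagged.append((rec["comm"], rec["stype"], rec["tclass"], rec["perms"]))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    for rule in render_allow_rules(summarize_denials(lines)):
        print(rule)
    # oddjob_mkhomedir_t is assumed to be the domain the transition should reach.
    for comm, stype, tclass, perms in find_missing_transitions(lines, {"mkhomedir": "oddjob_mkhomedir_t"}):
        print(f"{comm} ran as {stype}, not oddjob_mkhomedir_t: {tclass} {sorted(perms)}")
```

The point of rendering the rules before loading anything is the same one audit2allow's "!!!!" warnings in Comment 3 make: a candidate such as `allow dovecot_auth_t home_root_t:dir { add_name search write }` hands the mail authentication domain the right to create entries under /home, which is exactly what a transition into a dedicated mkhomedir domain is meant to avoid. The flagged list makes the Comment 16 observation mechanical: comm="mkhomedir" records carrying scontext dovecot_auth_t mean the helper executed without leaving its caller's domain, so every file access it makes is charged to dovecot_auth_t.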

Comment 19 errata-xmlrpc 2013-11-21 10:32:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
