Description of problem: I need to be able to create a user's home directory when they log into dovecot. I've enabled pam_oddjob_mkhomedir and configured dovecot to initialize a PAM session. However, in enforcing mode dovecot fails to create the home directory and I get the following AVC:

type=AVC msg=audit(1373476838.413:199907): avc: denied { search } for pid=20976 comm="auth" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

which seems to be the dovecot auth command (perhaps running pam_oddjob_mkhomedir.so code) trying to check and see if the home directory exists. In permissive mode, I get the following denials:

type=AVC msg=audit(1373476863.232:199921): avc: denied { search } for pid=20976 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373476863.232:199921): avc: denied { write } for pid=20976 comm="auth" name="system_bus_socket" dev=dm-0 ino=148 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1373476863.232:199921): avc: denied { connectto } for pid=20976 comm="auth" path="/var/run/dbus/system_bus_socket" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1373476863.243:199922): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=20976 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1373476863.245:199923): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=20976 tpid=11356 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1373476863.253:199924): avc: denied { transition } for pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.253:199924): avc: denied { entrypoint } for pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=AVC msg=audit(1373476863.253:199924): avc: denied { read } for pid=21313 comm="mkhomedir" path="pipe:[14448611]" dev=pipefs ino=14448611 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1373476863.253:199924): avc: denied { write } for pid=21313 comm="mkhomedir" path="pipe:[14448612]" dev=pipefs ino=14448612 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1373476863.253:199924): avc: denied { rlimitinh } for pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.253:199924): avc: denied { siginh } for pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.253:199924): avc: denied { noatsecure } for pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.260:199925): avc: denied { getattr } for pid=21313 comm="mkhomedir" path="pipe:[14448611]" dev=pipefs ino=14448611 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1373476863.262:199926): avc: denied { search } for pid=21313 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.263:199927): avc: denied { getattr } for pid=21313 comm="mkhomedir" path="/home" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199928): avc: denied { write } for pid=21313 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199928): avc: denied { add_name } for pid=21313 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199928): avc: denied { create } for pid=21313 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199929): avc: denied { setattr } for pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc: denied { search } for pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc: denied { write } for pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc: denied { add_name } for pid=21313 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc: denied { create } for pid=21313 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.384:199930): avc: denied { write open } for pid=21313 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1572866 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.385:199931): avc: denied { setattr } for pid=21313 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1572866 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.385:199932): avc: denied { fowner } for pid=21313 comm="mkhomedir" capability=3 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1373476863.385:199932): avc: denied { fsetid } for pid=21313 comm="mkhomedir" capability=4 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1373476863.385:199933): avc: denied { create } for pid=21313 comm="mkhomedir" name=".procmailrc" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.385:199933): avc: denied { write open } for pid=21313 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1572868 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.386:199934): avc: denied { setattr } for pid=21313 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1572868 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.388:199935): avc: denied { sigchld } for pid=11357 comm="oddjobd" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process
type=USER_AVC msg=audit(1373476864.392:199936): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.55 spid=11356 tpid=20976 scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I'm kind of surprised that everything runs under the dovecot_auth_t context. I've tried creating a policy module for now, but it doesn't appear to be allowing it to label the newly created directory properly.
Seeing:

type=AVC msg=audit(1373477740.405:200297): avc: denied { create } for pid=22682 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373478197.547:200432): avc: denied { setattr } for pid=23183 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373478435.653:200501): avc: denied { create } for pid=23455 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1373478435.687:200504): avc: denied { write } for pid=23456 comm="imap" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373478435.688:200505): avc: denied { write } for pid=23456 comm="imap" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir

I'm also seeing periodic messages like:

type=AVC msg=audit(1373478241.874:200455): avc: denied { getattr } for pid=23169 comm="auth" path="/home/schuck" dev=dm-2 ino=262147 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

in normal operation with this configuration. Looks like the pam session checks the home directory now.

Version-Release number of selected component (if applicable): selinux-policy-3.7.19-195.el6_4.12.noarch
With dontaudit disabled, I'm also seeing the following:

type=AVC msg=audit(1373478897.604:200700): avc: denied { search } for pid=23886 comm="mkhomedir" name="files" dev=dm-0 ino=2768 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1373478897.604:200701): avc: denied { read } for pid=23886 comm="mkhomedir" name="file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.604:200701): avc: denied { open } for pid=23886 comm="mkhomedir" name="file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.604:200702): avc: denied { getattr } for pid=23886 comm="mkhomedir" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.705:200703): avc: denied { read write } for pid=23886 comm="mkhomedir" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1373478897.705:200703): avc: denied { open } for pid=23886 comm="mkhomedir" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1373478897.706:200704): avc: denied { check_context } for pid=23886 comm="mkhomedir" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1373478897.706:200705): avc: denied { setfscreate } for pid=23886 comm="mkhomedir" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process

which appear to be mkhomedir looking up the proper contexts to use.
This is what I ended up with:

module dovecot_mkhomedir 1.0;

require {
	type home_root_t;
	type system_dbusd_var_run_t;
	type security_t;
	type user_home_dir_t;
	type dovecot_auth_t;
	type user_home_t;
	type system_dbusd_t;
	type selinux_config_t;
	type procmail_home_t;
	type oddjob_mkhomedir_exec_t;
	type default_context_t;
	type file_context_t;
	type oddjob_t;
	class fifo_file { read write getattr };
	class process { siginh sigchld noatsecure setfscreate transition rlimitinh };
	class unix_stream_socket connectto;
	class dbus send_msg;
	class capability { fowner fsetid };
	class file { write getattr entrypoint setattr read create open };
	class sock_file write;
	class security check_context;
	class dir { search setattr create write getattr add_name };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t default_context_t:dir search;
allow dovecot_auth_t file_context_t:dir search;
allow dovecot_auth_t file_context_t:file { read getattr open };
#!!!! The source type 'dovecot_auth_t' can write to a 'dir' of the following types:
# pcscd_var_run_t, postfix_private_t, dovecot_var_run_t, tmp_t, dovecot_auth_tmp_t
allow dovecot_auth_t home_root_t:dir { write search getattr add_name };
allow dovecot_auth_t oddjob_mkhomedir_exec_t:file entrypoint;
allow dovecot_auth_t oddjob_t:dbus send_msg;
allow dovecot_auth_t oddjob_t:fifo_file { read write getattr };
allow dovecot_auth_t oddjob_t:process sigchld;
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# pcscd_var_run_t, dovecot_auth_tmp_t
allow dovecot_auth_t procmail_home_t:file { write create open setattr };
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# faillog_t, initrc_var_run_t, pcscd_var_run_t, dovecot_auth_tmp_t
allow dovecot_auth_t security_t:file { read write open };
allow dovecot_auth_t security_t:security check_context;
allow dovecot_auth_t self:capability { fowner fsetid };
allow dovecot_auth_t self:process setfscreate;
allow dovecot_auth_t selinux_config_t:dir search;
allow dovecot_auth_t selinux_config_t:file { read getattr open };
allow dovecot_auth_t system_dbusd_t:dbus send_msg;
allow dovecot_auth_t system_dbusd_t:unix_stream_socket connectto;
allow dovecot_auth_t system_dbusd_var_run_t:dir search;
allow dovecot_auth_t system_dbusd_var_run_t:sock_file write;
#!!!! The source type 'dovecot_auth_t' can write to a 'dir' of the following type:
# dovecot_auth_tmp_t
allow dovecot_auth_t user_home_dir_t:dir { write search setattr create getattr add_name };
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# pcscd_var_run_t, dovecot_auth_tmp_t
allow dovecot_auth_t user_home_t:file { write create open setattr };

#============= oddjob_t ==============
allow oddjob_t dovecot_auth_t:dbus send_msg;
allow oddjob_t dovecot_auth_t:process { siginh rlimitinh transition noatsecure };
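The raw module above is what audit2allow produces from a batch of denials: every AVC and USER_AVC record is reduced to a (source type, target type, object class) triple and the permissions are merged per triple. The following Python script is an added illustration of that reduction, not code from this bug or from the selinux-policy project. Besides emitting the allow rules it pulls out the two facts this thread turns on: which domain the mkhomedir helper actually ran in (dovecot_auth_t rather than its own domain, the reporter's surprise above), and which domain transition was denied. The sample records are constructed from messages quoted in this bug; the function names and the module name are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: records of the kinds quoted in this bug, one per
# line, in the exact layout auditd writes them to audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1373476838.413:199907): avc: denied { search } for pid=20976 comm="auth" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.232:199921): avc: denied { write } for pid=20976 comm="auth" name="system_bus_socket" dev=dm-0 ino=148 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=USER_AVC msg=audit(1373476863.243:199922): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=20976 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1373476863.253:199924): avc: denied { transition } for pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.253:199924): avc: denied { entrypoint } for pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=AVC msg=audit(1373476863.384:199930): avc: denied { write open } for pid=21313 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1572866 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.385:199932): avc: denied { fowner } for pid=21313 comm="mkhomedir" capability=3 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability
"""

# Matches the kernel AVC body; the same body sits inside msg='...' for the
# USER_AVC records that dbus-daemon emits, so one pattern serves both.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


def context_type(ctx):
    """Type field of a security context user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms, comm) per denial record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = COMM_RE.search(line)
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()),
               comm.group(1) if comm else None)


def aggregate_rules(text):
    """Merge denials into {(source, target, class): set(perms)}; target == source becomes 'self'."""
    rules = defaultdict(set)
    for src, tgt, cls, perms, _ in parse_denials(text):
        rules[(src, "self" if tgt == src else tgt, cls)] |= perms
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def render_allow_rules(rules):
    return ["allow %s %s:%s %s;" % (src, tgt, cls, fmt_perms(perms))
            for (src, tgt, cls), perms in sorted(rules.items())]


def generate_module(name, text, version="1.0"):
    """Emit a raw module (module / require / allow), the shape audit2allow -M writes."""
    rules = aggregate_rules(text)
    types = sorted({t for key in rules for t in key[:2] if t != "self"})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, fmt_perms(classes[c])) for c in sorted(classes)]
    lines += ["}", ""] + render_allow_rules(rules)
    return "\n".join(lines) + "\n"


def denied_transitions(text):
    """(source_domain, target_domain) pairs where the domain transition itself was denied."""
    return sorted({(src, tgt) for src, tgt, cls, perms, _ in parse_denials(text)
                   if cls == "process" and "transition" in perms})


def domains_for_comm(text, comm):
    """Set of source domains a given command name was observed running in."""
    return {src for src, _, _, _, c in parse_denials(text) if c == comm}


if __name__ == "__main__":
    print(generate_module("dovecot_mkhomedir", SAMPLE_AUDIT))
    print("# denied transitions:", denied_transitions(SAMPLE_AUDIT))
    print("# mkhomedir ran as:", domains_for_comm(SAMPLE_AUDIT, "mkhomedir"))
```

Running it on the sample reports that mkhomedir ran as dovecot_auth_t and that the oddjob_t to dovecot_auth_t transition was denied, which is exactly why a module generated this way ends up granting dovecot_auth_t direct create/write access to home_root_t and user_home_t: the helper never left the caller's domain. The reply below replaces the raw rules with the dbus and oddjob interface macros for that reason, so treat output of this kind as a diagnosis to read, not a module to install.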
Would the following do it all for you?

optional_policy(`
	dbus_system_bus_client(dovecot_auth_t)
	optional_policy(`
		oddjob_dbus_chat(dovecot_auth_t)
		oddjob_domtrans_mkhomedir(dovecot_auth_t)
	')
')
That seems likely. How could I test it out?
Create a mydovecot.te file that looks like this:

policy_module(mydovecot, 1.0)

gen_require(`
	type dovecot_auth_t;
')

optional_policy(`
	dbus_system_bus_client(dovecot_auth_t)
	optional_policy(`
		oddjob_dbus_chat(dovecot_auth_t)
		oddjob_domtrans_mkhomedir(dovecot_auth_t)
	')
')

make -f /usr/share/selinux/devel/Makefile mydovecot.pp
semodule -i mydovecot.pp

Should do the trick. Would need to remove your custom policy to make sure it works. I checked in code like this in Fedora.
Sorry for the delay. I still needed to allow:

type=AVC msg=audit(1374524030.963:126478): avc: denied { search } for pid=16235 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

for dovecot to check if the home directory existed or not before creating it. Otherwise it fails to create it. Also, I still get:

type=AVC msg=audit(1374524303.673:126581): avc: denied { getattr } for pid=16235 comm="auth" path="/home/milliff" dev=dm-2 ino=2490370 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

as users log in and dovecot checks out their home directory, although I don't know if this causes any problems or not. It doesn't appear to.
f2909eace947c015a0a9a6dc2d29cbdebc6695af adds this to git.
With 3.7.19-210.el6 I still see:

type=AVC msg=audit(1375906813.610:434833): avc: denied { search } for pid=30211 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

and:

type=AVC msg=audit(1375906876.518:434847): avc: denied { write } for pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key
type=AVC msg=audit(1375906876.519:434848): avc: denied { search } for pid=31655 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1375906876.520:434850): avc: denied { write } for pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key
type=AVC msg=audit(1375906876.520:434850): avc: denied { setattr } for pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key

and the home directory is not created.

Note also a bug in the selinux-policy-targeted %post script:

semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec -r corosync -r pacemaker -r amavis -r clamav2>/dev/null

Need a space before the 2.
Does it work with a local policy from these AVC msgs? Fixing spec file problem. Thank you for testing.
I was using this and it was working:

policy_module(mydovecot, 1.0)

gen_require(`
	type dovecot_auth_t;
	type user_home_dir_t;
	type home_root_t;
	class dir { search getattr };
')

optional_policy(`
	dbus_system_bus_client(dovecot_auth_t)
	optional_policy(`
		oddjob_dbus_chat(dovecot_auth_t)
		oddjob_domtrans_mkhomedir(dovecot_auth_t)
	')
')

allow dovecot_auth_t home_root_t:dir { search };
allow dovecot_auth_t user_home_dir_t:dir { getattr };

With -211 I see:

type=AVC msg=audit(1376065073.994:510880): avc: denied { search } for pid=11371 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir

and it fails.
And are you getting more AVC in permissive mode?
With -213 in permissive:

type=AVC msg=audit(1377711892.246:38895855): avc: denied { search } for pid=16815 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1377711892.246:38895855): avc: denied { write } for pid=16815 comm="auth" name="system_bus_socket" dev=dm-0 ino=148 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1377711892.246:38895855): avc: denied { connectto } for pid=16815 comm="auth" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1377711892.259:38895856): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=16815 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1377711892.266:38895857): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=16815 tpid=5564 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1377711892.331:38895858): avc: denied { transition } for pid=24820 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc: denied { entrypoint } for pid=24820 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=AVC msg=audit(1377711892.331:38895858): avc: denied { read } for pid=24820 comm="mkhomedir" path="pipe:[61970950]" dev=pipefs ino=61970950 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.331:38895858): avc: denied { write } for pid=24820 comm="mkhomedir" path="pipe:[61970951]" dev=pipefs ino=61970951 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.331:38895858): avc: denied { rlimitinh } for pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc: denied { siginh } for pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc: denied { noatsecure } for pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.344:38895859): avc: denied { getattr } for pid=24820 comm="mkhomedir" path="pipe:[61970950]" dev=pipefs ino=61970950 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.456:38895860): avc: denied { write } for pid=24820 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1377711892.456:38895860): avc: denied { add_name } for pid=24820 comm="mkhomedir" name="schuck" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1377711892.456:38895860): avc: denied { create } for pid=24820 comm="mkhomedir" name="schuck" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.471:38895861): avc: denied { setattr } for pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc: denied { search } for pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc: denied { write } for pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc: denied { add_name } for pid=24820 comm="mkhomedir" name=".bash_profile" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc: denied { create } for pid=24820 comm="mkhomedir" name=".bash_profile" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895862): avc: denied { write open } for pid=24820 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1835021 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895863): avc: denied { setattr } for pid=24820 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1835021 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895864): avc: denied { fowner } for pid=24820 comm="mkhomedir" capability=3 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1377711892.478:38895864): avc: denied { fsetid } for pid=24820 comm="mkhomedir" capability=4 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1377711892.479:38895865): avc: denied { create } for pid=24820 comm="mkhomedir" name=".procmailrc" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.479:38895865): avc: denied { write open } for pid=24820 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1835023 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.479:38895866): avc: denied { setattr } for pid=24820 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1835023 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.481:38895867): avc: denied { sigchld } for pid=5565 comm="oddjobd" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process
type=USER_AVC msg=audit(1377711893.486:38895873): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.170 spid=5564 tpid=16815 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=dbus exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

dovecot 1.11.1
What is path to mkhomedir in your case + labeling?
-rwxr-xr-x. root root system_u:object_r:oddjob_mkhomedir_exec_t:s0 /usr/libexec/oddjob/mkhomedir

It seems as if the transition that should be specified by:

oddjob_domtrans_mkhomedir(dovecot_auth_t)

isn't happening?
Yes, for a reason.

type=AVC msg=audit(1377711892.479:38895865): avc: denied { create } for pid=24820 comm="mkhomedir" name=".procmailrc" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html