983217 – SELinux prevents dovecot from using pam_oddjob_mkhomedir to create a new user's home directory

Bug 983217 - SELinux prevents dovecot from using pam_oddjob_mkhomedir to create a new user's home directory

Summary: SELinux prevents dovecot from using pam_oddjob_mkhomedir to create a new user...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.4
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1005246
TreeView+	depends on / blocked

Reported:	2013-07-10 17:50 UTC by Orion Poplawski
Modified:	2013-11-21 10:32 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.7.19-230.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1005246 (view as bug list)
Environment:
Last Closed:	2013-11-21 10:32:25 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1598	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-11-20 21:39:24 UTC

Description Orion Poplawski 2013-07-10 17:50:50 UTC

Description of problem:

I need to be able to create a user's home directory when they log into dovecot.  I've enabled pam_oddjob_mkhomedir and configured dovedot to initialize a PAM session.  However in enforcing mode dovecot fails to create the home directory and I get the following avc:

type=AVC msg=audit(1373476838.413:199907): avc:  denied  { search } for  pid=20976 comm="auth" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

which seems to be the dovecot auth command (perhaps running pam_oddjob_mkhomedir.so code) trying to check and see if the home directory exists.

In permissive mode, I get the following denials:

type=AVC msg=audit(1373476863.232:199921): avc:  denied  { search } for  pid=20976 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373476863.232:199921): avc:  denied  { write } for  pid=20976 comm="auth" name="system_bus_socket" dev=dm-0 ino=148 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1373476863.232:199921): avc:  denied  { connectto } for  pid=20976 comm="auth" path="/var/run/dbus/system_bus_socket" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1373476863.243:199922): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=20976 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1373476863.245:199923): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=20976 tpid=11356 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { transition } for  pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { entrypoint } for  pid=21313 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { read } for  pid=21313 comm="mkhomedir" path="pipe:[14448611]" dev=pipefs ino=14448611 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { write } for  pid=21313 comm="mkhomedir" path="pipe:[14448612]" dev=pipefs ino=14448612 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { rlimitinh } for  pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { siginh } for  pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.253:199924): avc:  denied  { noatsecure } for  pid=21313 comm="mkhomedir" scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1373476863.260:199925): avc:  denied  { getattr } for  pid=21313 comm="mkhomedir" path="pipe:[14448611]" dev=pipefs ino=14448611 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1373476863.262:199926): avc:  denied  { search } for  pid=21313 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.263:199927): avc:  denied  { getattr } for  pid=21313 comm="mkhomedir" path="/home" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199928): avc:  denied  { write } for  pid=21313 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199928): avc:  denied  { add_name } for  pid=21313 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199928): avc:  denied  { create } for  pid=21313 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.372:199929): avc:  denied  { setattr } for  pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc:  denied  { search } for  pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc:  denied  { write } for  pid=21313 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc:  denied  { add_name } for  pid=21313 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1373476863.384:199930): avc:  denied  { create } for  pid=21313 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.384:199930): avc:  denied  { write open } for  pid=21313 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1572866 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.385:199931): avc:  denied  { setattr } for  pid=21313 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1572866 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.385:199932): avc:  denied  { fowner } for  pid=21313 comm="mkhomedir" capability=3  scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1373476863.385:199932): avc:  denied  { fsetid } for  pid=21313 comm="mkhomedir" capability=4  scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1373476863.385:199933): avc:  denied  { create } for  pid=21313 comm="mkhomedir" name=".procmailrc" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.385:199933): avc:  denied  { write open } for  pid=21313 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1572868 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.386:199934): avc:  denied  { setattr } for  pid=21313 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1572868 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1373476863.388:199935): avc:  denied  { sigchld } for  pid=11357 comm="oddjobd" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process
type=USER_AVC msg=audit(1373476864.392:199936): user pid=5182 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.55 spid=11356 tpid=20976 scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I'm kind of surprised that everything runs under the dovecot_auth_t context.

I've tried created a policy module for now, but it doesn't appear to be allowing it to label the newly created directory properly.  Seeing:

type=AVC msg=audit(1373477740.405:200297): avc:  denied  { create } for  pid=22682 comm="mkhomedir" name="schuck" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373478197.547:200432): avc:  denied  { setattr } for  pid=23183 comm="mkhomedir" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373478435.653:200501): avc:  denied  { create } for  pid=23455 comm="mkhomedir" name=".bash_profile" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1373478435.687:200504): avc:  denied  { write } for  pid=23456 comm="imap" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1373478435.688:200505): avc:  denied  { write } for  pid=23456 comm="imap" name="schuck" dev=dm-2 ino=1572865 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir


I'm also seeing periodic messages like:

type=AVC msg=audit(1373478241.874:200455): avc:  denied  { getattr } for  pid=23169 comm="auth" path="/home/schuck" dev=dm-2 ino=262147 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

in normal operation with this configuration.  Looks like the pam session checks the home directory now.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.12.noarch

Comment 2 Orion Poplawski 2013-07-10 17:57:31 UTC

With dontaudit disabled, I'm also seeing the following:

type=AVC msg=audit(1373478897.604:200700): avc:  denied  { search } for  pid=23886 comm="mkhomedir" name="files" dev=dm-0 ino=2768 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1373478897.604:200701): avc:  denied  { read } for  pid=23886 comm="mkhomedir" name="file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.604:200701): avc:  denied  { open } for  pid=23886 comm="mkhomedir" name="file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.604:200702): avc:  denied  { getattr } for  pid=23886 comm="mkhomedir" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=dm-0 ino=15248 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1373478897.705:200703): avc:  denied  { read write } for  pid=23886 comm="mkhomedir" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1373478897.705:200703): avc:  denied  { open } for  pid=23886 comm="mkhomedir" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1373478897.706:200704): avc:  denied  { check_context } for  pid=23886 comm="mkhomedir" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1373478897.706:200705): avc:  denied  { setfscreate } for  pid=23886 comm="mkhomedir" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process

which appear to be mkhomedir looking up the proper contexts to use.

Comment 3 Orion Poplawski 2013-07-10 18:05:13 UTC

This is what I ended up with:

module dovecot_mkhomedir 1.0;

require {
        type home_root_t;
        type system_dbusd_var_run_t;
        type security_t;
        type user_home_dir_t;
        type dovecot_auth_t;
        type user_home_t;
        type system_dbusd_t;
        type selinux_config_t;
        type procmail_home_t;
        type oddjob_mkhomedir_exec_t;
        type default_context_t;
        type file_context_t;
        type oddjob_t;
        class fifo_file { read write getattr };
        class process { siginh sigchld noatsecure setfscreate transition rlimitinh };
        class unix_stream_socket connectto;
        class dbus send_msg;
        class capability { fowner fsetid };
        class file { write getattr entrypoint setattr read create open };
        class sock_file write;
        class security check_context;
        class dir { search setattr create write getattr add_name };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t default_context_t:dir search;
allow dovecot_auth_t file_context_t:dir search;
allow dovecot_auth_t file_context_t:file { read getattr open };
#!!!! The source type 'dovecot_auth_t' can write to a 'dir' of the following types:
# pcscd_var_run_t, postfix_private_t, dovecot_var_run_t, tmp_t, dovecot_auth_tmp_t

allow dovecot_auth_t home_root_t:dir { write search getattr add_name };
allow dovecot_auth_t oddjob_mkhomedir_exec_t:file entrypoint;
allow dovecot_auth_t oddjob_t:dbus send_msg;
allow dovecot_auth_t oddjob_t:fifo_file { read write getattr };
allow dovecot_auth_t oddjob_t:process sigchld;
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# pcscd_var_run_t, dovecot_auth_tmp_t

allow dovecot_auth_t procmail_home_t:file { write create open setattr };
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# faillog_t, initrc_var_run_t, pcscd_var_run_t, dovecot_auth_tmp_t

allow dovecot_auth_t security_t:file { read write open };
allow dovecot_auth_t security_t:security check_context;
allow dovecot_auth_t self:capability { fowner fsetid };
allow dovecot_auth_t self:process setfscreate;
allow dovecot_auth_t selinux_config_t:dir search;
allow dovecot_auth_t selinux_config_t:file { read getattr open };
allow dovecot_auth_t system_dbusd_t:dbus send_msg;
allow dovecot_auth_t system_dbusd_t:unix_stream_socket connectto;
allow dovecot_auth_t system_dbusd_var_run_t:dir search;
allow dovecot_auth_t system_dbusd_var_run_t:sock_file write;
#!!!! The source type 'dovecot_auth_t' can write to a 'dir' of the following type:
# dovecot_auth_tmp_t

allow dovecot_auth_t user_home_dir_t:dir { write search setattr create getattr add_name };
#!!!! The source type 'dovecot_auth_t' can write to a 'file' of the following types:
# pcscd_var_run_t, dovecot_auth_tmp_t

allow dovecot_auth_t user_home_t:file { write create open setattr };

#============= oddjob_t ==============
allow oddjob_t dovecot_auth_t:dbus send_msg;
allow oddjob_t dovecot_auth_t:process { siginh rlimitinh transition noatsecure };

Comment 4 Daniel Walsh 2013-07-10 22:11:31 UTC

Would the following have does it all for you?

optional_policy(`
	dbus_system_bus_client(dovecot_auth_t)
	optional_policy(`
		oddjob_dbus_chat(dovecot_auth_t)
		oddjob_domtrans_mkhomedir(dovecot_auth_t)
	')
')

Comment 5 Orion Poplawski 2013-07-10 22:15:59 UTC

That seems likely.  How could I test it out?

Comment 6 Daniel Walsh 2013-07-10 23:52:15 UTC

policy_module(mydovecot, 1.0)

gen_require(`
type dovecot_auth_t;
')
optional_policy(`
	dbus_system_bus_client(dovecot_auth_t)
	optional_policy(`
		oddjob_dbus_chat(dovecot_auth_t)
		oddjob_domtrans_mkhomedir(dovecot_auth_t)
	')
')

Create a mydovecot.te file that looks like this.

make -f /usr/share/selinux/devel/Makefile mydovecot.pp
semodule -i mydovecot.pp

Should do the trick.

Would need to remove your custom policy to make sure it works.

I checked in code like this in Fedora.

Comment 7 Orion Poplawski 2013-07-22 20:22:49 UTC

Sorry for the delay.  I still needed to allow:

type=AVC msg=audit(1374524030.963:126478): avc:  denied  { search } for  pid=16235 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

for dovecot to check if the home directory existed or not before creating it.  Otherwise it fails to create it.

Also, I still get:

type=AVC msg=audit(1374524303.673:126581): avc:  denied  { getattr } for  pid=16235 comm="auth" path="/home/milliff" dev=dm-2 ino=2490370 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

as users log in and dovecot checks out their home directory, although I don't know if this causes any problems or not.  It doesn't appear to.

Comment 8 Daniel Walsh 2013-07-24 22:16:54 UTC

f2909eace947c015a0a9a6dc2d29cbdebc6695af adds this to git.

Comment 9 Orion Poplawski 2013-08-07 20:27:17 UTC

With 3.7.19-210.el6 I still see:

type=AVC msg=audit(1375906813.610:434833): avc:  denied  { search } for  pid=30211 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

and:

type=AVC msg=audit(1375906876.518:434847): avc:  denied  { write } for  pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key
type=AVC msg=audit(1375906876.519:434848): avc:  denied  { search } for  pid=31655 comm="auth" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1375906876.520:434850): avc:  denied  { write } for  pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key
type=AVC msg=audit(1375906876.520:434850): avc:  denied  { setattr } for  pid=31655 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=key

and the home directory is not created.

Note also a but in the selinux-policy-targeted %post script:

   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec -r corosync -r pacemaker -r amavis -r clamav2>/dev/null

Need a space before the 2.

Comment 11 Miroslav Grepl 2013-08-08 06:05:41 UTC

Does it work with a local policy from these AVC msgs?

Fixing spec file problem. 

Thank you for testing.

Comment 12 Orion Poplawski 2013-08-09 16:20:24 UTC

I was using this and it was working:

policy_module(mydovecot, 1.0)

gen_require(`
type dovecot_auth_t;
type user_home_dir_t;
type home_root_t;
class dir { search getattr };
')
optional_policy(`
    dbus_system_bus_client(dovecot_auth_t)
    optional_policy(`
        oddjob_dbus_chat(dovecot_auth_t)
        oddjob_domtrans_mkhomedir(dovecot_auth_t)
    ')
')

allow dovecot_auth_t home_root_t:dir { search };
allow dovecot_auth_t user_home_dir_t:dir { getattr };



With -211 I see:

type=AVC msg=audit(1376065073.994:510880): avc:  denied  { search } for  pid=11371 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir

and it fails.

Comment 13 Miroslav Grepl 2013-08-19 11:47:57 UTC

And are you getting more AVC in permissive mode?

Comment 14 Orion Poplawski 2013-08-28 17:47:15 UTC

With -213 in permissive:

type=AVC msg=audit(1377711892.246:38895855): avc:  denied  { search } for  pid=16815 comm="auth" name="dbus" dev=dm-0 ino=761 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1377711892.246:38895855): avc:  denied  { write } for  pid=16815 comm="auth" name="system_bus_socket" dev=dm-0 ino=148 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1377711892.246:38895855): avc:  denied  { connectto } for  pid=16815 comm="auth" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1377711892.259:38895856): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=16815 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1377711892.266:38895857): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=16815 tpid=5564 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { transition } for  pid=24820 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { entrypoint } for  pid=24820 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev=dm-0 ino=148928 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { read } for  pid=24820 comm="mkhomedir" path="pipe:[61970950]" dev=pipefs ino=61970950 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { write } for  pid=24820 comm="mkhomedir" path="pipe:[61970951]" dev=pipefs ino=61970951 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { rlimitinh } for  pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { siginh } for  pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.331:38895858): avc:  denied  { noatsecure } for  pid=24820 comm="mkhomedir" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1377711892.344:38895859): avc:  denied  { getattr } for  pid=24820 comm="mkhomedir" path="pipe:[61970950]" dev=pipefs ino=61970950 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1377711892.456:38895860): avc:  denied  { write } for  pid=24820 comm="mkhomedir" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1377711892.456:38895860): avc:  denied  { add_name } for  pid=24820 comm="mkhomedir" name="schuck" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1377711892.456:38895860): avc:  denied  { create } for  pid=24820 comm="mkhomedir" name="schuck" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.471:38895861): avc:  denied  { setattr } for  pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc:  denied  { search } for  pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc:  denied  { write } for  pid=24820 comm="mkhomedir" name="schuck" dev=dm-2 ino=1835017 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc:  denied  { add_name } for  pid=24820 comm="mkhomedir" name=".bash_profile" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377711892.478:38895862): avc:  denied  { create } for  pid=24820 comm="mkhomedir" name=".bash_profile" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895862): avc:  denied  { write open } for  pid=24820 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1835021 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895863): avc:  denied  { setattr } for  pid=24820 comm="mkhomedir" name=".bash_profile" dev=dm-2 ino=1835021 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.478:38895864): avc:  denied  { fowner } for  pid=24820 comm="mkhomedir" capability=3  scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1377711892.478:38895864): avc:  denied  { fsetid } for  pid=24820 comm="mkhomedir" capability=4  scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1377711892.479:38895865): avc:  denied  { create } for  pid=24820 comm="mkhomedir" name=".procmailrc" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.479:38895865): avc:  denied  { write open } for  pid=24820 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1835023 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.479:38895866): avc:  denied  { setattr } for  pid=24820 comm="mkhomedir" name=".procmailrc" dev=dm-2 ino=1835023 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file
type=AVC msg=audit(1377711892.481:38895867): avc:  denied  { sigchld } for  pid=5565 comm="oddjobd" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process
type=USER_AVC msg=audit(1377711893.486:38895873): user pid=5129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.170 spid=5564 tpid=16815 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

dovecot 1.11.1

Comment 15 Miroslav Grepl 2013-08-29 13:31:10 UTC

What is path to mkhomedir in your case + labeling?

Comment 16 Orion Poplawski 2013-08-29 14:53:28 UTC

-rwxr-xr-x. root root system_u:object_r:oddjob_mkhomedir_exec_t:s0 /usr/libexec/oddjob/mkhomedir

It seems as if the transition that should be specified by:

 		oddjob_domtrans_mkhomedir(dovecot_auth_t)

isn't happening?

Comment 17 Miroslav Grepl 2013-09-03 12:02:54 UTC

Yes, for a reason.

type=AVC msg=audit(1377711892.479:38895865): avc:  denied  { create } for  pid=24820 comm="mkhomedir" name=".procmailrc" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:procmail_home_t:s0 tclass=file

Comment 19 errata-xmlrpc 2013-11-21 10:32:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.