Re: [Dovecot] deliver triggering SELinux AVC denials

2008-01-10 Thread Timo Sirainen
On Tue, 2008-01-01 at 21:36 -0600, [EMAIL PROTECTED] wrote:
> >From: Timo Sirainen <[EMAIL PROTECTED]>
> >Date: 2008/01/01 Tue PM 09:18:05 CST
> >To: Gerry Reno <[EMAIL PROTECTED]>
> >Cc: dovecot@dovecot.org
> >Subject: Re: [Dovecot] deliver triggering SELinux AVC denials
> ...
> >Set dotlock_use_excl=yes to see what file it's really wanting to create.
> 
> Ok, did that.  And looking at all the alerts it appears to be any file that 
> deliver is trying to write under /home/vmail.
..
> but for some reason even though deliver is setup to run as vmail:vmail it is 
> still having permission problems.

Well, Dovecot's default SELinux permissions often seem to disallow
writing under /home..





Re: [Dovecot] deliver triggering SELinux AVC denials

2008-01-01 Thread greno
>From: Timo Sirainen <[EMAIL PROTECTED]>
>Date: 2008/01/01 Tue PM 09:18:05 CST
>To: Gerry Reno <[EMAIL PROTECTED]>
>Cc: dovecot@dovecot.org
>Subject: Re: [Dovecot] deliver triggering SELinux AVC denials
...
>Set dotlock_use_excl=yes to see what file it's really wanting to create.

Ok, did that.  And looking at all the alerts it appears to be any file that 
deliver is trying to write under /home/vmail.

My users are all virtual and they all exist like:
/home/vmail/example.com/john

typical permissions:
-rw--- 1 vmail vmail   464 2008-01-01 20:06 dovecot.index.log

but for some reason even though deliver is setup to run as vmail:vmail it is 
still having permission problems.

dovecot   unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}




Gerry




Re: [Dovecot] deliver triggering SELinux AVC denials

2008-01-01 Thread Timo Sirainen
On Tue, 2008-01-01 at 22:06 -0500, Gerry Reno wrote:
> I set up postfix/dovecot on a new machine and now all works well with the 
> small exception of dovecot triggering SELinux AVC denials on some 
> temp... files. Here is a sample alert:
> 
> Summary
> SELinux is preventing /usr/libexec/dovecot/deliver (dovecot_deliver_t)
> "link" to temp.localhost.678.40caaf5592891c46 (user_home_dir_t).

Set dotlock_use_excl=yes to see what file it's really wanting to create.





[Dovecot] deliver triggering SELinux AVC denials

2008-01-01 Thread Gerry Reno
I set up postfix/dovecot on a new machine and now all works well with the 
small exception of dovecot triggering SELinux AVC denials on some 
temp... files. Here is a sample alert:


Summary
   SELinux is preventing /usr/libexec/dovecot/deliver (dovecot_deliver_t)
   "link" to temp.localhost.678.40caaf5592891c46 (user_home_dir_t).

Detailed Description
   SELinux denied access requested by /usr/libexec/dovecot/deliver. It is not
   expected that this access is required by /usr/libexec/dovecot/deliver and
   this access may signal an intrusion attempt. It is also possible that the
   specific version or configuration of the application is causing it to
   require additional access.

Allowing Access
   Sometimes labeling problems can cause SELinux denials.  You could try to
   restore the default system file context for
   temp.localhost.678.40caaf5592891c46, restorecon -v
   temp.localhost.678.40caaf5592891c46 If this does not work, there is
   currently no automatic way to allow this access. Instead, you can generate
   a local policy module to allow this access - see
   http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
   SELinux protection altogether. Disabling SELinux protection is not
   recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
   against this package.

Additional Information

Source Context        user_u:system_r:dovecot_deliver_t
Target Context        user_u:object_r:user_home_dir_t
Target Objects        temp.localhost.678.40caaf5592891c46 [ file ]
Affected RPM Packages dovecot-1.0.7-16.fc7 [application]
Policy RPM            selinux-policy-2.6.4-63.fc7
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           plugins.catchall_file
Host Name             localhost
Platform              Linux localhost 2.6.23.8-34.fc7 #1 SMP Thu Nov 22 23:05:33 EST 2007 i686 athlon
Alert Count           1
First Seen            Tue 01 Jan 2008 09:29:35 PM EST
Last Seen             Tue 01 Jan 2008 09:29:35 PM EST
Local ID              507dd6a2-da46-4541-8c10-a0771bc85042
Line Numbers

Raw Audit Messages

avc: denied { link } for comm="deliver" dev=dm-0 egid=5000 euid=5000
exe="/usr/libexec/dovecot/deliver" exit=0 fsgid=5000 fsuid=5000 gid=5000
items=0 name="temp.localhost.678.40caaf5592891c46" pid=678
scontext=user_u:system_r:dovecot_deliver_t:s0 sgid=5000
subj=user_u:system_r:dovecot_deliver_t:s0 suid=5000 tclass=file
tcontext=user_u:object_r:user_home_dir_t:s0 tty=(none) uid=5000

and 5000 is user vmail.

When I look for these files that it is complaining about they are never 
in the filesystem.  I get about 8 alerts with every email that is 
delivered.  Right now I have SELinux set to permissive so that the mail 
gets delivered but I would like to find the cause of this problem so 
that I can set it back to enforcing.




Gerry
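The raw audit message in the post above already carries everything needed to choose between the two remedies the setroubleshoot text offers (relabel the target, or load a local policy module), and Timo's later reply points at why the relabel is the right one here: the stock policy simply does not let dovecot_deliver_t write under user_home_dir_t, which is what /home/vmail is labelled as. The bash script below is an added example, not code from the thread or from the Dovecot project. It parses a constructed copy of the denial quoted above (same domain, target type, class and permission), prints the allow rule and a complete .te module that would silence exactly that denial, and prints the relabel alternative. The mailstore path /home/vmail, the module name dovecot_local and mail_spool_t as the relabel target type are assumptions; check the installed policy with sesearch before relying on the last one.

```shell
#!/bin/bash
# Added example (not part of the thread): dissect a raw AVC denial of the kind
# quoted above and print the two remedies setroubleshoot offers: a relabel of
# the target tree, or a local policy module granting the access.
set -e

# Constructed sample, modelled on the denial in the original post.
SAMPLE_AVC='avc: denied { link } for comm="deliver" dev=dm-0 egid=5000 euid=5000 exe="/usr/libexec/dovecot/deliver" exit=0 fsgid=5000 fsuid=5000 gid=5000 items=0 name="temp.localhost.678.40caaf5592891c46" pid=678 scontext=user_u:system_r:dovecot_deliver_t:s0 sgid=5000 subj=user_u:system_r:dovecot_deliver_t:s0 suid=5000 tclass=file tcontext=user_u:object_r:user_home_dir_t:s0 tty=(none) uid=5000'

# avc_field LINE KEY -> value of KEY=value, surrounding quotes stripped.
avc_field() {
    local line=$1 key=$2 word
    for word in $line; do
        case $word in
            "$key="*)
                word=${word#*=}
                word=${word#\"}
                printf '%s\n' "${word%\"}"
                return 0
                ;;
        esac
    done
    return 1
}

# avc_perm LINE -> the permission list between "{ " and " }" (e.g. "link").
avc_perm() {
    local rest=${1#*\{ }
    printf '%s\n' "${rest%% \}*}"
}

# ctx_type CONTEXT -> the type field of user:role:type[:range].
ctx_type() {
    local ctx=$1
    ctx=${ctx#*:}                # drop the SELinux user
    ctx=${ctx#*:}                # drop the role
    printf '%s\n' "${ctx%%:*}"   # drop an MLS range if present
}

# te_rule LINE -> the allow rule that would silence exactly this denial.
te_rule() {
    local line=$1
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(ctx_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_perm "$line")"
}

# te_module NAME LINE -> complete .te source for a local module. Build and load
# with the standard toolchain:
#   checkmodule -M -m -o NAME.mod NAME.te
#   semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
# (audit2allow -M NAME < audit.log derives the same thing from the raw log.)
# Note the reach of the rule: it lets the deliver domain hard-link ANY
# user_home_dir_t file on the box, not just files under the mailstore.
te_module() {
    local name=$1 line=$2
    printf 'module %s 1.0;\n\n' "$name"
    printf 'require {\n'
    printf '\ttype %s;\n' "$(ctx_type "$(avc_field "$line" scontext)")"
    printf '\ttype %s;\n' "$(ctx_type "$(avc_field "$line" tcontext)")"
    printf '\tclass %s { %s };\n' "$(avc_field "$line" tclass)" "$(avc_perm "$line")"
    printf '}\n\n'
    te_rule "$line"
}

# relabel_cmds ROOT TYPE -> the relabel alternative: give the mailstore a type
# the deliver domain is already allowed to manage instead of widening the
# domain's reach into user_home_dir_t. ASSUMPTION: TYPE is the mail type the
# installed dovecot policy permits; verify before applying, e.g.
#   sesearch -A -s dovecot_deliver_t -t TYPE -c file
relabel_cmds() {
    local root=$1 type=$2
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$root"
    printf 'restorecon -Rv %s\n' "$root"
}

# Demonstration on the constructed sample.
echo "# denied: $(avc_perm "$SAMPLE_AVC") on $(avc_field "$SAMPLE_AVC" tclass) $(avc_field "$SAMPLE_AVC" name)"
echo "# as uid $(avc_field "$SAMPLE_AVC" uid), domain $(ctx_type "$(avc_field "$SAMPLE_AVC" scontext)")"
echo
echo "# Option A: relabel the mailstore (mail_spool_t is an assumption, see above)"
relabel_cmds /home/vmail mail_spool_t
echo
echo "# Option B: local policy module (dovecot_local.te)"
te_module dovecot_local "$SAMPLE_AVC"
```

Run it on a real `ausearch -m avc` line instead of the sample to see what a module generated from it would grant; the `require` block makes the trade-off explicit. Because deliver creates and links its dotlock temp files inside the mailbox tree, relabelling /home/vmail (option A) confines the extra access to the mailstore, whereas the module (option B) grants the permission against every file of the target type, which is why the relabel is the option to try first.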