Re: selinux issue with dovecot after upgrade from F27 to F28
Oops, I forgot to answer the question about the dovecot version: it's
dovecot-2.2.35-2.fc28.x86_64, which is the latest available from the
repos for F28.

George

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Re: selinux issue with dovecot after upgrade from F27 to F28
On Thu, 3 May 2018 20:12:06 +0200, Lukas Vrabec wrote:

> Hi George,
>
> It's a bug. What is your version of dovecot? We made some changes in
> the policy to make it tighter, but the bug is on dovecot's side.
>
> Check following comment:
> https://bugzilla.redhat.com/show_bug.cgi?id=1560704#c7
>
> Lukas.

Ah, thanks. I've added myself to the CC list. The sealert popups are
frequent enough to be annoying; I guess the best approach is to create
the selinux local policy for now and get rid of it when the bug is fixed?

George
Re: selinux issue with dovecot after upgrade from F27 to F28
On 05/03/2018 08:07 PM, Lukas Vrabec wrote:
> On 05/03/2018 07:20 PM, George Avrunin wrote:
>> I upgraded my office machine from F27 to F28 last night, using dnf
>> system-upgrade. In most respects, the upgrade went fine. (There are
>> some annoyances with sddm, but once I found out how to get rid of the
>> user list in gdm, going back to gdm seems to be fine.)
>>
>> But I'm getting constant notices from selinux about AVC denials that
>> seem to have to do with dovecot doing indexing. (I run dovecot on
>> this machine as an imap server for my personal mail.) The
>> setroubleshoot details window has:
>> --
>> SELinux is preventing dovecot from using the dac_override capability.
>>
>> * Plugin dac_override (91.4 confidence) suggests **
>>
>> If you want to help identify if domain needs this access or you have a file
>> with the wrong permissions on your system
>> Then turn on full auditing to get path information about the offending file
>> and generate the error again.
>> Do
>>
>> Turn on full auditing
>> # auditctl -w /etc/shadow -p w
>> Try to recreate AVC. Then execute
>> # ausearch -m avc -ts recent
>> If you see PATH record check ownership/permissions on file, and fix it,
>> otherwise report as a bugzilla.
>>
>> * Plugin catchall (9.59 confidence) suggests **
>>
>> If you believe that dovecot should have the dac_override capability by
>> default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
>> # semodule -X 300 -i my-dovecot.pp
>>
>> Additional Information:
>> Source Context                system_u:system_r:dovecot_t:s0
>> Target Context                system_u:system_r:dovecot_t:s0
>> Target Objects                Unknown [ capability ]
>> Source                        dovecot
>> Source Path                   dovecot
>> Port
>> Host                          ext.math.umass.edu
>> Source RPM Packages
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.14.1-24.fc28.noarch
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Host Name                     ext.math.umass.edu
>> Platform                      Linux ext.math.umass.edu 4.16.5-300.fc28.x86_64 #1
>>                               SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
>> Alert Count                   122
>> First Seen                    2018-05-03 02:21:04 EDT
>> Last Seen                     2018-05-03 12:52:59 EDT
>> Local ID                      019bb172-93a2-4c4c-b0fc-21a2c16e138b
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1525366379.312:365): avc: denied { dac_override } for
>> pid=9354 comm="indexer-worker" capability=1
>> scontext=system_u:system_r:dovecot_t:s0
>> tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
>>
>>
>> Hash: dovecot,dovecot_t,dovecot_t,capability,dac_override
>> --
>> I ran ausearch as suggested but I don't see any mention of a specific file.
>> I haven't found anything about this issue in a web search or on Common
>> Bugs.
>>
>> I guess I can create a policy module to get rid of these, but I wanted
>> to check on whether there's something wrong with my setup before I do
>> that. I did a full relabel (with /.autorelabel and a reboot; it
>> complained about conflicts between rpms in /var/cache/system-upgrade
>> and /var/lib/system-upgrade, but seemed to finish ok) and that didn't
>> help. This machine has been upgraded through several iterations of
>> upgrades from about 4 years ago (Fedora 19 or 20?), so there might
>> well be some issues with the selinux contexts left over somewhere.
>> I assume this is the kind of indexing that's reported in the daily
>> logwatch mail, with something like "dovecot[2441]:
>> indexer-worker(avrunin): Indexed 2 messages in Department.RCF (UIDs
>> 11991..11992): 1 Time(s)", so that the files causing the problem are
>> in my home directory under ~/Maildir. These files have context
>> "system_u:object_r:mail_home_rw_t:s0".
>>
>> Thanks for any suggestions.
>>
>
> Hi George,
>
> It's a bug. What is your version of dovecot? We made some changes in
> the policy to make it tighter, but the bug is on dovecot's side.
>
Check following comment: https://bugzilla.redhat.com/show_bug.cgi?id=1560704#c7
>
> Lukas.
>
>> George
Re: selinux issue with dovecot after upgrade from F27 to F28
On 05/03/2018 07:20 PM, George Avrunin wrote:
> I upgraded my office machine from F27 to F28 last night, using dnf
> system-upgrade. In most respects, the upgrade went fine. (There are
> some annoyances with sddm, but once I found out how to get rid of the
> user list in gdm, going back to gdm seems to be fine.)
>
> But I'm getting constant notices from selinux about AVC denials that
> seem to have to do with dovecot doing indexing. (I run dovecot on
> this machine as an imap server for my personal mail.) The
> setroubleshoot details window has:
> --
> SELinux is preventing dovecot from using the dac_override capability.
>
> * Plugin dac_override (91.4 confidence) suggests **
>
> If you want to help identify if domain needs this access or you have a file
> with the wrong permissions on your system
> Then turn on full auditing to get path information about the offending file
> and generate the error again.
> Do
>
> Turn on full auditing
> # auditctl -w /etc/shadow -p w
> Try to recreate AVC. Then execute
> # ausearch -m avc -ts recent
> If you see PATH record check ownership/permissions on file, and fix it,
> otherwise report as a bugzilla.
>
> * Plugin catchall (9.59 confidence) suggests **
>
> If you believe that dovecot should have the dac_override capability by
> default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
> # semodule -X 300 -i my-dovecot.pp
>
> Additional Information:
> Source Context                system_u:system_r:dovecot_t:s0
> Target Context                system_u:system_r:dovecot_t:s0
> Target Objects                Unknown [ capability ]
> Source                        dovecot
> Source Path                   dovecot
> Port
> Host                          ext.math.umass.edu
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.14.1-24.fc28.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     ext.math.umass.edu
> Platform                      Linux ext.math.umass.edu 4.16.5-300.fc28.x86_64 #1
>                               SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
> Alert Count                   122
> First Seen                    2018-05-03 02:21:04 EDT
> Last Seen                     2018-05-03 12:52:59 EDT
> Local ID                      019bb172-93a2-4c4c-b0fc-21a2c16e138b
>
> Raw Audit Messages
> type=AVC msg=audit(1525366379.312:365): avc: denied { dac_override } for
> pid=9354 comm="indexer-worker" capability=1
> scontext=system_u:system_r:dovecot_t:s0
> tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
>
>
> Hash: dovecot,dovecot_t,dovecot_t,capability,dac_override
> --
> I ran ausearch as suggested but I don't see any mention of a specific file.
> I haven't found anything about this issue in a web search or on Common
> Bugs.
>
> I guess I can create a policy module to get rid of these, but I wanted
> to check on whether there's something wrong with my setup before I do
> that. I did a full relabel (with /.autorelabel and a reboot; it
> complained about conflicts between rpms in /var/cache/system-upgrade
> and /var/lib/system-upgrade, but seemed to finish ok) and that didn't
> help. This machine has been upgraded through several iterations of
> upgrades from about 4 years ago (Fedora 19 or 20?), so there might
> well be some issues with the selinux contexts left over somewhere.
> I assume this is the kind of indexing that's reported in the daily
> logwatch mail, with something like "dovecot[2441]:
> indexer-worker(avrunin): Indexed 2 messages in Department.RCF (UIDs
> 11991..11992): 1 Time(s)", so that the files causing the problem are
> in my home directory under ~/Maildir. These files have context
> "system_u:object_r:mail_home_rw_t:s0".
>
> Thanks for any suggestions.
>

Hi George,

It's a bug. What is your version of dovecot? We made some changes in
the policy to make it tighter, but the bug is on dovecot's side.

Lukas.

> George
>

--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
selinux issue with dovecot after upgrade from F27 to F28
I upgraded my office machine from F27 to F28 last night, using dnf
system-upgrade. In most respects, the upgrade went fine. (There are
some annoyances with sddm, but once I found out how to get rid of the
user list in gdm, going back to gdm seems to be fine.)

But I'm getting constant notices from selinux about AVC denials that
seem to have to do with dovecot doing indexing. (I run dovecot on
this machine as an imap server for my personal mail.) The
setroubleshoot details window has:
--
SELinux is preventing dovecot from using the dac_override capability.

* Plugin dac_override (91.4 confidence) suggests **

If you want to help identify if domain needs this access or you have a file
with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file
and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

* Plugin catchall (9.59 confidence) suggests **

If you believe that dovecot should have the dac_override capability by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
# semodule -X 300 -i my-dovecot.pp

Additional Information:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:system_r:dovecot_t:s0
Target Objects                Unknown [ capability ]
Source                        dovecot
Source Path                   dovecot
Port
Host                          ext.math.umass.edu
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-24.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ext.math.umass.edu
Platform                      Linux ext.math.umass.edu 4.16.5-300.fc28.x86_64 #1
                              SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   122
First Seen                    2018-05-03 02:21:04 EDT
Last Seen                     2018-05-03 12:52:59 EDT
Local ID                      019bb172-93a2-4c4c-b0fc-21a2c16e138b

Raw Audit Messages
type=AVC msg=audit(1525366379.312:365): avc: denied { dac_override } for
pid=9354 comm="indexer-worker" capability=1
scontext=system_u:system_r:dovecot_t:s0
tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0


Hash: dovecot,dovecot_t,dovecot_t,capability,dac_override
--
I ran ausearch as suggested but I don't see any mention of a specific file.
I haven't found anything about this issue in a web search or on Common
Bugs.

I guess I can create a policy module to get rid of these, but I wanted
to check on whether there's something wrong with my setup before I do
that. I did a full relabel (with /.autorelabel and a reboot; it
complained about conflicts between rpms in /var/cache/system-upgrade
and /var/lib/system-upgrade, but seemed to finish ok) and that didn't
help. This machine has been upgraded through several iterations of
upgrades from about 4 years ago (Fedora 19 or 20?), so there might
well be some issues with the selinux contexts left over somewhere.
I assume this is the kind of indexing that's reported in the daily
logwatch mail, with something like "dovecot[2441]:
indexer-worker(avrunin): Indexed 2 messages in Department.RCF (UIDs
11991..11992): 1 Time(s)", so that the files causing the problem are
in my home directory under ~/Maildir. These files have context
"system_u:object_r:mail_home_rw_t:s0".

Thanks for any suggestions.

George
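An added example, not part of this thread and not code from setroubleshoot, audit2allow or dovecot: the script below does by hand what the two sealert plugins quoted in the original post describe, and what the later reply about a "local policy for now" would install. It parses raw audit records in the `ausearch --raw` format shown above, attaches a `PATH` record to its AVC record when one shares the same event serial (that is what "full auditing" adds), renders the `.te` source equivalent to `audit2allow -M my-dovecot`, and gives a defender's reading of each denial: `dac_override` lets a domain bypass file owner and mode checks, so a file the process could not open under its own uid is the usual cause, and the module should be read as a temporary grant of a whole capability to `dovecot_t`, not as access to one file. The first sample record is the AVC from the thread; the second event, its `PATH` record, the `/home/example/Maildir/...` path and the inode/uid values in it are constructed for the example. The `.te` layout follows the form audit2allow emits; `type_of`, `allow_rule`, `te_module` and `triage` are names chosen here.

```python
"""Triage SELinux AVC denials from raw audit records (the `ausearch --raw`
format quoted in the thread) and render the local-module rules that
audit2allow would generate for them.  Added example, not part of the thread."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input.  Record :365 is the AVC from the thread; :366 is a
# hypothetical later event with the PATH record that "full auditing" adds.
SAMPLE_RAW = """\
type=AVC msg=audit(1525366379.312:365): avc:  denied  { dac_override } for  pid=9354 comm="indexer-worker" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1525366400.100:366): avc:  denied  { dac_override } for  pid=9354 comm="indexer-worker" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
type=PATH msg=audit(1525366400.100:366): item=0 name="/home/example/Maildir/dovecot.index.log" inode=12345 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 obj=system_u:object_r:mail_home_rw_t:s0 nametype=NORMAL
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    serial: str
    comm: str
    perms: frozenset
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool
    path: Optional[str] = None  # filled from a PATH record with the same serial


def parse_audit(raw: str):
    """Return one Denial per AVC 'denied' record, attaching the file name from
    any PATH record that belongs to the same audit event (same serial)."""
    paths, denials = {}, []
    for line in raw.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
        if m["type"] == "PATH":
            paths[m["serial"]] = fields.get("name")
        elif m["type"] == "AVC":
            avc = AVC_RE.search(m["body"])
            if avc and avc["result"] == "denied":
                denials.append(Denial(
                    serial=m["serial"], comm=fields.get("comm", "?"),
                    perms=frozenset(avc["perms"].split()),
                    scontext=fields["scontext"], tcontext=fields["tcontext"],
                    tclass=fields["tclass"], permissive=fields.get("permissive") == "1"))
    for d in denials:
        d.path = paths.get(d.serial)
    return denials


def type_of(context: str) -> str:
    """'system_u:system_r:dovecot_t:s0' -> 'dovecot_t'."""
    return context.split(":")[2]


def allow_rule(d: Denial) -> str:
    """The TE allow rule audit2allow derives from one denial; a domain acting
    on its own context becomes the target 'self'."""
    src, tgt = type_of(d.scontext), type_of(d.tcontext)
    perms = " ".join(sorted(d.perms))
    if len(d.perms) > 1:
        perms = "{ " + perms + " }"
    return f"allow {src} {'self' if src == tgt else tgt}:{d.tclass} {perms};"


def te_module(name: str, denials) -> str:
    """Render .te source in the shape `audit2allow -M name` produces."""
    types = {type_of(d.scontext) for d in denials} | {type_of(d.tcontext) for d in denials}
    classes = defaultdict(set)
    for d in denials:
        classes[d.tclass] |= d.perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + sorted({allow_rule(d) for d in denials})
    return "\n".join(out) + "\n"


def triage(d: Denial) -> str:
    """Defender's reading of one denial, following the sealert plugins quoted
    in the thread: with a PATH record, check that file's owner/mode; without
    one, turn on full auditing before granting the capability."""
    perms = " ".join(sorted(d.perms))
    if d.tclass == "capability" and "dac_override" in d.perms:
        if d.path:
            return f"{d.comm}: dac_override on {d.path}; check that file's owner/mode first"
        return f"{d.comm}: dac_override with no PATH record; turn on full auditing to find the file"
    return f"{d.comm}: {perms} on {d.tclass}"


if __name__ == "__main__":
    found = parse_audit(SAMPLE_RAW)
    for d in found:
        print(triage(d))
    print(te_module("my-dovecot", found))
```

Run against the two sample events, the first denial reports that no file is known and the second names the constructed Maildir path, while `te_module` collapses both into the single rule `allow dovecot_t self:capability dac_override;`. Seeing the rule spelled out is the point: it is a capability grant to the whole `dovecot_t` domain, which is why the thread treats the module as a stopgap to remove once the dovecot-side fix tracked in the bugzilla lands.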