Re: selinux issue with dovecot after upgrade from F27 to F28

2018-05-03 Thread George Avrunin
Oops, I forgot to answer the question about the dovecot version: it's
dovecot-2.2.35-2.fc28.x86_64, which is the latest available from the repos for 
F28.  

  George



___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


Re: selinux issue with dovecot after upgrade from F27 to F28

2018-05-03 Thread George Avrunin
On Thu, 3 May 2018 20:12:06 +0200, Lukas Vrabec  wrote:

> > Hi George,
> > 
> > It's a bug. What is your version of dovecot? We made some changes in
> > the policy to make it tighter, but the bug is on the dovecot side.
> 
> Check the following comment:
> https://bugzilla.redhat.com/show_bug.cgi?id=1560704#c7
> 
> > Lukas.

Ah, thanks.  I've added myself to the CC list.  

The sealert popups are frequent enough to be annoying; I guess the best
approach is to create the selinux local policy for now and get rid of it when
the bug is fixed?

  George






Re: selinux issue with dovecot after upgrade from F27 to F28

2018-05-03 Thread Lukas Vrabec
On 05/03/2018 08:07 PM, Lukas Vrabec wrote:
> On 05/03/2018 07:20 PM, George Avrunin wrote:
>> [...]
> 
> Hi George,
> 
> It's a bug. What is your version of dovecot? We made some changes in
> the policy to make it tighter, but the bug is on the dovecot side.
> 

Check the following comment:
https://bugzilla.redhat.com/show_bug.cgi?id=1560704#c7



> Lukas.
> 
> 

Re: selinux issue with dovecot after upgrade from F27 to F28

2018-05-03 Thread Lukas Vrabec
On 05/03/2018 07:20 PM, George Avrunin wrote:
> [...]

Hi George,

It's a bug. What is your version of dovecot? We made some changes in
the policy to make it tighter, but the bug is on the dovecot side.

Lukas.




-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.





selinux issue with dovecot after upgrade from F27 to F28

2018-05-03 Thread George Avrunin
I upgraded my office machine from F27 to F28 last night, using dnf
system-upgrade.  In most respects, the upgrade went fine.  (There are
some annoyances with sddm, but once I found out how to get rid of the
user list in gdm, going back to gdm seems to be fine.)

But I'm getting constant notices from selinux about AVC denials that
seem to have to do with dovecot doing indexing.  (I run dovecot on
this machine as an imap server for my personal mail.)  The
setroubleshoot details window has:
--
SELinux is preventing dovecot from using the dac_override capability.

*  Plugin dac_override (91.4 confidence) suggests

If you want to help identify if domain needs this access or you have a file 
with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and 
generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*  Plugin catchall (9.59 confidence) suggests

If you believe that dovecot should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
# semodule -X 300 -i my-dovecot.pp

Additional Information:
Source Context         system_u:system_r:dovecot_t:s0
Target Context         system_u:system_r:dovecot_t:s0
Target Objects         Unknown [ capability ]
Source                 dovecot
Source Path            dovecot
Port                   
Host                   ext.math.umass.edu
Source RPM Packages    
Target RPM Packages    
Policy RPM             selinux-policy-3.14.1-24.fc28.noarch
Selinux Enabled        True
Policy Type            targeted
Enforcing Mode         Enforcing
Host Name              ext.math.umass.edu
Platform               Linux ext.math.umass.edu 4.16.5-300.fc28.x86_64 #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count            122
First Seen             2018-05-03 02:21:04 EDT
Last Seen              2018-05-03 12:52:59 EDT
Local ID               019bb172-93a2-4c4c-b0fc-21a2c16e138b

Raw Audit Messages
type=AVC msg=audit(1525366379.312:365): avc:  denied  { dac_override } for  pid=9354 comm="indexer-worker" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0


Hash: dovecot,dovecot_t,dovecot_t,capability,dac_override
--
I ran ausearch as suggested, but I don't see any mention of a specific file.
I haven't found anything about this issue in a web search or on Common
Bugs.  

I guess I can create a policy module to get rid of these, but I wanted
to check on whether there's something wrong with my setup before I do
that.  I did a full relabel (with /.autorelabel and a reboot; it
complained about conflicts between rpms in /var/cache/system-upgrade
and /var/lib/system-upgrade, but seemed to finish ok) and that didn't
help.  This machine has been upgraded through several iterations of
upgrades from about 4 years ago (Fedora 19 or 20?), so there might
well be some issues with the selinux contexts left over somewhere.  I
assume this is the kind of indexing that's reported in the daily
logwatch mail, with something like "dovecot[2441]:
indexer-worker(avrunin): Indexed 2 messages in Department.RCF (UIDs
11991..11992): 1 Time(s)", so that the files causing the problem are
in my home directory under ~/Maildir.  These files have context 
"system_u:object_r:mail_home_rw_t:s0".

Thanks for any suggestions.

  George
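The setroubleshoot output above gives the `audit2allow` route to a local module, and George's follow-up asks whether such a temporary module is the right stop-gap until the dovecot fix lands. As an added example that is not part of the thread or of the Fedora or dovecot projects, this POSIX shell script derives the same minimal allow rule directly from the AVC record's fields, so it is clear exactly what the module would grant, and flags `dac_override` for the ownership check the first plugin recommends. The record is a constructed copy of the one in the message; the helper names (`avc_field`, `avc_to_te`, `avc_needs_path_check`) are my own.

```shell
#!/bin/sh
# Constructed sample: the AVC record from the thread, as audit.log stores it (one line).
SAMPLE_AVC='type=AVC msg=audit(1525366379.312:365): avc:  denied  { dac_override } for  pid=9354 comm="indexer-worker" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0'

# Print the value of one key=value field of an AVC record ($1 = record, $2 = key).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print the permissions listed inside "{ ... }" of an AVC record.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# Type component of a security context (user:role:type:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Emit a minimal type-enforcement module that allows exactly the denied access
# ($1 = AVC record, $2 = module name). Like audit2allow, a rule whose source and
# target types are identical is written against "self".
avc_to_te() {
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    class=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    if [ "$stype" = "$ttype" ]; then target=self; else target=$ttype; fi
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n' "$2" "$stype"
    [ "$target" = self ] || printf '\ttype %s;\n' "$ttype"
    printf '\tclass %s { %s };\n}\n\n' "$class" "$perms"
    printf 'allow %s %s:%s { %s };\n' "$stype" "$target" "$class" "$perms"
}

# dac_override usually means the daemon touched a file its uid does not own, not
# that it needs the capability: do setroubleshoot's ownership check before loading.
avc_needs_path_check() {
    case " $(avc_perms "$1") " in
        *" dac_override "*) echo yes ;;
        *) echo no ;;
    esac
}

# Stand-alone run: prints the .te that checkmodule -M -m / semodule_package would
# build and semodule -i install; "semodule -r my-dovecot" removes it once dovecot is fixed.
avc_to_te "$SAMPLE_AVC" my-dovecot
echo "path check needed: $(avc_needs_path_check "$SAMPLE_AVC")"
```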
  

