I upgraded my office machine from F27 to F28 last night, using dnf system-upgrade. In most respects, the upgrade went fine. (There are some annoyances with sddm, but once I found out how to get rid of the user list in gdm, going back to gdm seems to be fine.) But I'm getting constant notices from selinux about AVC denials that seem to have to do with dovecot doing indexing. (I run dovecot on this machine as an imap server for my personal mail.) The setroubleshoot details window has:

----------------------------------------------------------------------
SELinux is preventing dovecot from using the dac_override capability.

***** Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that dovecot should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
# semodule -X 300 -i my-dovecot.pp

Additional Information:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:system_r:dovecot_t:s0
Target Objects                Unknown [ capability ]
Source                        dovecot
Source Path                   dovecot
Port                          <Unknown>
Host                          ext.math.umass.edu
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-24.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ext.math.umass.edu
Platform                      Linux ext.math.umass.edu 4.16.5-300.fc28.x86_64 #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   122
First Seen                    2018-05-03 02:21:04 EDT
Last Seen                     2018-05-03 12:52:59 EDT
Local ID                      019bb172-93a2-4c4c-b0fc-21a2c16e138b

Raw Audit Messages
type=AVC msg=audit(1525366379.312:365): avc: denied { dac_override } for pid=9354 comm="indexer-worker" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0

Hash: dovecot,dovecot_t,dovecot_t,capability,dac_override
----------------------------------------------------------------------

I ran ausearch as suggested but I don't see any mention of a specific file. I haven't found anything about this issue in a web search or on Common Bugs. I guess I can create a policy module to get rid of these, but I wanted to check on whether there's something wrong with my setup before I do that. I did a full relabel (with /.autorelabel and a reboot; it complained about conflicts between rpms in /var/cache/system-upgrade and /var/lib/system-upgrade, but seemed to finish ok) and that didn't help. This machine has been upgraded through several iterations of upgrades from about 4 years ago (Fedora 19 or 20?), so there might well be some issues with the selinux contexts left over somewhere.
I assume this is the kind of indexing that's reported in the daily logwatch mail, with something like "dovecot[2441]: indexer-worker(avrunin): Indexed 2 messages in Department.RCF (UIDs 11991..11992): 1 Time(s)", so that the files causing the problem are in my home directory under ~/Maildir. These files have context "system_u:object_r:mail_home_rw_t:s0". Thanks for any suggestions. George
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
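The raw AVC record quoted in the post is the one piece of evidence that survives every retry, so it helps to read it mechanically rather than by eye. The POSIX shell script below is an added example, not code from George's post nor from setroubleshoot or dovecot: it parses an AVC record of that shape, names the denied capability (capability=1 is CAP_DAC_OVERRIDE in capabilities(7)), and flags when the full-auditing step suggested by the dac_override plugin is needed, because a capability denial on its own carries no PATH record to say which file tripped it. Both sample records are constructed for the example (the first mirrors the post's record; the second is an ordinary file denial for contrast), and the function names are the example's own.

```shell
#!/bin/sh
# Added example: summarise raw SELinux AVC records like the one in the post.
# Run on a live box you would feed it lines from:  ausearch -m avc --raw
# The records below are constructed for this example, not real log output.

SAMPLE_AVC='type=AVC msg=audit(1525366379.312:365): avc: denied { dac_override } for pid=9354 comm="indexer-worker" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0'
SAMPLE_FILE_AVC='type=AVC msg=audit(1525366400.000:366): avc: denied { read } for pid=9354 comm="indexer-worker" path="/home/avrunin/Maildir/cur/x" dev="dm-0" ino=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file permissive=0'

# Map a capability number from the AVC record to its name (capabilities(7)).
cap_name() {
    case "$1" in
        0) echo CAP_CHOWN ;;
        1) echo CAP_DAC_OVERRIDE ;;
        2) echo CAP_DAC_READ_SEARCH ;;
        3) echo CAP_FOWNER ;;
        4) echo CAP_FSETID ;;
        *) echo "CAP_$1" ;;      # not in our small table; keep the number
    esac
}

# Extract one key=value field from a record.  Values may be bare (pid=9354)
# or double-quoted (comm="indexer-worker"); the key must follow whitespace so
# that "scontext=" does not match inside "tcontext=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The permission named inside "{ ... }" right after "denied".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^ }]*\).*/\1/p'
}

# One-line summary: comm, source domain, object class, permission and, for
# capability denials, the capability name.
avc_summary() {
    rec=$1
    comm=$(avc_field "$rec" comm)
    sdom=$(avc_field "$rec" scontext | cut -d: -f3)   # type component only
    cls=$(avc_field "$rec" tclass)
    perm=$(avc_perm "$rec")
    if [ "$cls" = capability ]; then
        capnum=$(avc_field "$rec" capability)
        printf '%s %s %s %s %s\n' "$comm" "$sdom" "$cls" "$perm" "$(cap_name "$capnum")"
    else
        printf '%s %s %s %s\n' "$comm" "$sdom" "$cls" "$perm"
    fi
}

# True (exit 0) when the record is a DAC-bypass capability denial, i.e. the
# kernel refused to let the process ignore file ownership/mode bits but did
# not tell us which file.  That is exactly the case where the setroubleshoot
# plugin's "turn on full auditing" step (auditctl -w ... then ausearch) is
# needed to obtain a PATH record before deciding between fixing ownership
# and writing a local policy module with audit2allow.
needs_path_audit() {
    case "$(avc_perm "$1")" in
        dac_override|dac_read_search) return 0 ;;
        *) return 1 ;;
    esac
}

for rec in "$SAMPLE_AVC" "$SAMPLE_FILE_AVC"; do
    avc_summary "$rec"
    if needs_path_audit "$rec"; then
        echo "  -> no PATH record possible; enable full auditing to find the file"
    fi
done
```

The point of separating the two cases is that a dac_override denial means the process tried to open something its own uid/gid and the file's mode bits would not let it open, so the indexer is bypassing ownership rather than simply lacking an SELinux rule; an audit2allow module would grant that bypass to every dovecot_t process permanently, whereas the PATH record from the full-auditing step usually points at a single mis-owned file that is cheaper and safer to fix.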