On 05/03/2018 07:20 PM, George Avrunin wrote:
> I upgraded my office machine from F27 to F28 last night, using dnf
> system-upgrade. In most respects, the upgrade went fine. (There are
> some annoyances with sddm, but once I found out how to get rid of the
> user list in gdm, going back to gdm seems to be fine.)
>
> But I'm getting constant notices from selinux about AVC denials that
> seem to have to do with dovecot doing indexing. (I run dovecot on
> this machine as an imap server for my personal mail.) The
> setroubleshoot details window has:
> ----------------------------------------------------------------------
> SELinux is preventing dovecot from using the dac_override capability.
>
> ***** Plugin dac_override (91.4 confidence) suggests **********************
>
> If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
> Then turn on full auditing to get path information about the offending file and generate the error again.
> Do
>
> Turn on full auditing
> # auditctl -w /etc/shadow -p w
> Try to recreate AVC. Then execute
> # ausearch -m avc -ts recent
> If you see PATH record check ownership/permissions on file, and fix it,
> otherwise report as a bugzilla.
>
> ***** Plugin catchall (9.59 confidence) suggests **************************
>
> If you believe that dovecot should have the dac_override capability by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
> # semodule -X 300 -i my-dovecot.pp
>
> Additional Information:
> Source Context                system_u:system_r:dovecot_t:s0
> Target Context                system_u:system_r:dovecot_t:s0
> Target Objects                Unknown [ capability ]
> Source                        dovecot
> Source Path                   dovecot
> Port                          <Unknown>
> Host                          ext.math.umass.edu
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.14.1-24.fc28.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     ext.math.umass.edu
> Platform                      Linux ext.math.umass.edu 4.16.5-300.fc28.x86_64 #1
>                               SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
> Alert Count                   122
> First Seen                    2018-05-03 02:21:04 EDT
> Last Seen                     2018-05-03 12:52:59 EDT
> Local ID                      019bb172-93a2-4c4c-b0fc-21a2c16e138b
>
> Raw Audit Messages
> type=AVC msg=audit(1525366379.312:365): avc: denied { dac_override } for pid=9354 comm="indexer-worker" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
>
>
> Hash: dovecot,dovecot_t,dovecot_t,capability,dac_override
> ----------------------------------------------------------------------
> I ran ausearch as suggested but I don't see any mention of a specific file.
> I haven't found anything about this issue in a web search or on Common
> Bugs.
>
> I guess I can create a policy module to get rid of these, but I wanted
> to check on whether there's something wrong with my setup before I do
> that. I did a full relabel (with /.autorelabel and a reboot; it
> complained about conflicts between rpms in /var/cache/system-upgrade
> and /var/lib/system-upgrade, but seemed to finish ok) and that didn't
> help. This machine has been upgraded through several iterations of
> upgrades from about 4 years ago (Fedora 19 or 20?), so there might
> well be some issues with the selinux contexts left over somewhere. I
> assume this is the kind of indexing that's reported in the daily
> logwatch mail, with something like "dovecot[2441]:
> indexer-worker(avrunin): Indexed 2 messages in Department.RCF (UIDs
> 11991..11992): 1 Time(s)", so that the files causing the problem are
> in my home directory under ~/Maildir. These files have context
> "system_u:object_r:mail_home_rw_t:s0".
>
> Thanks for any suggestions.
>

Hi George,

It's a bug. What is your version of dovecot? We made some changes in the policy to tighten it, but the bug is on the dovecot side.

Lukas.

> George
>
>
>
>
> _______________________________________________
> users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>

-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
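The setroubleshoot plugin quoted above reduces to a small decision: a capability denial that comes with a PATH record points at a file whose owner or mode is wrong, while one without a PATH record needs full auditing (or a bug report). The script below is an added example, not code from the mailing list, dovecot or selinux-policy; it parses raw audit records of the kind `ausearch -m avc --raw` prints, groups them by audit serial and applies that decision. The sample records are constructed: event 365 mirrors the AVC line in the report, and event 366 adds an invented PATH record (a root-owned index file under a user's Maildir, the "wrong permissions" case) to show what full auditing contributes. The capability-number table is a subset of the values in the kernel's capability.h.

```python
"""Triage SELinux capability denials from raw audit records.

Added example for the thread above; not code from the mailing list, dovecot or
selinux-policy. All sample records are constructed.
"""
import re
from collections import defaultdict

# A few capability numbers from <linux/capability.h>; capability=1 is CAP_DAC_OVERRIDE.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
             3: "CAP_FOWNER", 7: "CAP_SETUID", 21: "CAP_SYS_ADMIN"}

_HDR = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value quoted or bare
_DECISION = re.compile(r"\b(denied|granted)\s*\{([^}]*)\}")


def parse_audit_record(line):
    """Split one audit record into its type, timestamp, serial and key=value fields."""
    m = _HDR.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m.group("type"), "ts": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    body = line[m.end():]
    d = _DECISION.search(body)
    if d:                                   # AVC records: "denied { dac_override }"
        rec["decision"] = d.group(1)
        rec["perms"] = d.group(2).split()
    for key, val in _KV.findall(body):
        rec[key] = val.strip('"')
    return rec


def group_events(lines):
    """Group records by audit serial: the AVC and any PATH/SYSCALL records of the
    same syscall share one serial, and ausearch separates events with '----'."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line and not line.startswith("----"):
            rec = parse_audit_record(line)
            events[rec["serial"]].append(rec)
    return dict(events)


def triage_event(records):
    """Apply the dac_override plugin's logic to one event: with a PATH record,
    report the file's owner and mode; without one, full auditing is the next step."""
    avcs = [r for r in records if r["type"] == "AVC" and r.get("tclass") == "capability"]
    paths = [r for r in records if r["type"] == "PATH"]
    findings = []
    for avc in avcs:
        capnum = int(avc.get("capability", -1))
        base = {"serial": avc["serial"], "comm": avc.get("comm"),
                "capability": CAP_NAMES.get(capnum, "CAP_%d" % capnum),
                "scontext": avc.get("scontext"), "decision": avc.get("decision")}
        if not paths:
            findings.append(dict(base, path=None, advice=(
                "no PATH record: enable full auditing, reproduce the denial, "
                "re-run ausearch; if there is still no path, report a bug")))
        for p in paths:
            findings.append(dict(base, path=p.get("name"), mode=p.get("mode"),
                                 ouid=p.get("ouid"), ogid=p.get("ogid"), obj=p.get("obj"),
                                 advice="check this file's owner/mode against the uid the process runs as"))
    return findings


def triage_all(text):
    """Triage every event in a block of raw audit output, keyed by serial."""
    return {serial: triage_event(recs)
            for serial, recs in sorted(group_events(text.splitlines()).items())}


# Constructed sample: event 365 mirrors the reported AVC; event 366 adds an invented PATH record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1525366379.312:365): avc: denied { dac_override } for pid=9354 comm="indexer-worker" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(1525366400.100:366): avc: denied { dac_override } for pid=9360 comm="indexer-worker" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
type=PATH msg=audit(1525366400.100:366): item=0 name="/home/example/Maildir/.Department.RCF/dovecot.index.log" inode=12345 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mail_home_rw_t:s0 nametype=NORMAL
"""

if __name__ == "__main__":
    for serial, findings in triage_all(SAMPLE_AUDIT).items():
        for f in findings:
            print(serial, f["capability"], f["comm"], f["path"], "->", f["advice"])
```

Feeding real `ausearch --raw` output through `triage_all` separates the two situations the plugin describes: a denial that repeats with no PATH record in the same serial (George's case, where a local policy module would only hide the symptom) and one where the path, owner and mode identify a file the process could legitimately be prevented from touching.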