On 05/03/2018 08:07 PM, Lukas Vrabec wrote:
> On 05/03/2018 07:20 PM, George Avrunin wrote:
>> I upgraded my office machine from F27 to F28 last night, using dnf
>> system-upgrade. In most respects, the upgrade went fine. (There are
>> some annoyances with sddm, but once I found out how to get rid of the
>> user list in gdm, going back to gdm seems to be fine.)
>>
>> But I'm getting constant notices from selinux about AVC denials that
>> seem to have to do with dovecot doing indexing. (I run dovecot on
>> this machine as an imap server for my personal mail.) The
>> setroubleshoot details window has:
>> ----------------------------------------------------------------------
>> SELinux is preventing dovecot from using the dac_override capability.
>>
>> ***** Plugin dac_override (91.4 confidence) suggests **********************
>>
>> If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
>> Then turn on full auditing to get path information about the offending file and generate the error again.
>> Do
>>
>> Turn on full auditing
>> # auditctl -w /etc/shadow -p w
>> Try to recreate AVC. Then execute
>> # ausearch -m avc -ts recent
>> If you see PATH record check ownership/permissions on file, and fix it,
>> otherwise report as a bugzilla.
>>
>> ***** Plugin catchall (9.59 confidence) suggests **************************
>>
>> If you believe that dovecot should have the dac_override capability by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
>> # semodule -X 300 -i my-dovecot.pp
>>
>> Additional Information:
>> Source Context                system_u:system_r:dovecot_t:s0
>> Target Context                system_u:system_r:dovecot_t:s0
>> Target Objects                Unknown [ capability ]
>> Source                        dovecot
>> Source Path                   dovecot
>> Port                          <Unknown>
>> Host                          ext.math.umass.edu
>> Source RPM Packages
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.14.1-24.fc28.noarch
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Host Name                     ext.math.umass.edu
>> Platform                      Linux ext.math.umass.edu 4.16.5-300.fc28.x86_64 #1
>>                               SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
>> Alert Count                   122
>> First Seen                    2018-05-03 02:21:04 EDT
>> Last Seen                     2018-05-03 12:52:59 EDT
>> Local ID                      019bb172-93a2-4c4c-b0fc-21a2c16e138b
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1525366379.312:365): avc: denied { dac_override } for pid=9354 comm="indexer-worker" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
>>
>>
>> Hash: dovecot,dovecot_t,dovecot_t,capability,dac_override
>> ----------------------------------------------------------------------
>> I ran ausearch as suggested, but I don't see any mention of a specific file.
>> I haven't found anything about this issue in a web search or on Common
>> Bugs.
>>
>> I guess I can create a policy module to get rid of these, but I wanted
>> to check on whether there's something wrong with my setup before I do
>> that. I did a full relabel (with /.autorelabel and a reboot; it
>> complained about conflicts between rpms in /var/cache/system-upgrade
>> and /var/lib/system-upgrade, but seemed to finish ok) and that didn't
>> help. This machine has been upgraded through several iterations of
>> upgrades from about 4 years ago (Fedora 19 or 20?), so there might
>> well be some issues with the selinux contexts left over somewhere. I
>> assume this is the kind of indexing that's reported in the daily
>> logwatch mail, with something like "dovecot[2441]:
>> indexer-worker(avrunin): Indexed 2 messages in Department.RCF (UIDs
>> 11991..11992): 1 Time(s)", so that the files causing the problem are
>> in my home directory under ~/Maildir. These files have context
>> "system_u:object_r:mail_home_rw_t:s0".
>>
>> Thanks for any suggestions.
>>
>
> Hi George,
>
> It's a bug. What is your version of dovecot? We made some changes in
> policy to be tighter, but the bug is on dovecot's side.
> Check the following comment: https://bugzilla.redhat.com/show_bug.cgi?id=1560704#c7
> Lukas.
>
>
>> George
>>
>> _______________________________________________
>> users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>
>

--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
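The setroubleshoot text quoted above gives two manual steps: without a PATH record in the audit event nothing can be said about which file triggered the dac_override check, and once full auditing produces one, the file's ownership and mode must be compared with the process that asked for access. The script below is an added example, not code from this thread, from setroubleshoot or from the dovecot or selinux-policy projects. It parses raw audit records as `ausearch --raw` prints them, groups them by event serial and applies exactly those two checks. The sample log is constructed: the first line is the raw AVC from George's report; the second event (serial 366, its SYSCALL and PATH records, the uids and the `/home/example/Maildir/dovecot.index.log` path) is invented to show what a run with full auditing on would add. The capability numbers are the Linux values reported in the `capability=N` field (1 is CAP_DAC_OVERRIDE).

```python
"""Triage SELinux capability denials (such as dac_override) from raw audit records.

Added example for this thread; not setroubleshoot's own code. It automates the
plugin's two hints: with no PATH record the file is unknown (turn on full
auditing), with one the file's DAC permissions are checked against the
requesting process. Because the kernel only consults CAP_DAC_OVERRIDE after
the ordinary rwx check has failed, a denial with a PATH record points at a
file whose owner/mode does not admit the process.
"""
import re
from collections import defaultdict

# Linux capability numbers as they appear in the AVC "capability=N" field.
CAPABILITY_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner"}

# Constructed sample log. Serial 365 is the real AVC quoted in the thread
# (no PATH record, as George observed). Serial 366 is invented: the same kind
# of AVC with the SYSCALL and PATH records full auditing would produce.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1525366379.312:365): avc: denied { dac_override } for pid=9354 comm="indexer-worker" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1525366400.100:366): avc: denied { dac_override } for pid=9360 comm="indexer-worker" capability=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1525366400.100:366): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=9300 pid=9360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="indexer-worker" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PATH msg=audit(1525366400.100:366): item=0 name="/home/example/Maildir/dovecot.index.log" inode=12345 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 obj=system_u:object_r:mail_home_rw_t:s0 nametype=NORMAL
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_events(text):
    """Group audit records by event serial; each record becomes a dict of fields."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rec = {"type": m.group("type"), "serial": int(m.group("serial"))}
        rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("body")))
        perms = PERMS_RE.search(m.group("body"))
        if perms:  # the "{ dac_override }" permission set of an AVC record
            rec["perms"] = perms.group(1).split()
        events[rec["serial"]].append(rec)
    return events


def dac_bits_for(mode_octal, ouid, ogid, euid, egid):
    """Return the rwx bits (0-7) that DAC applies to a process with euid/egid."""
    mode = int(mode_octal, 8) & 0o777
    if euid == ouid:
        return (mode >> 6) & 0o7
    if egid == ogid:
        return (mode >> 3) & 0o7
    return mode & 0o7


def triage(text):
    """Return one finding per capability denial with a verdict for each."""
    findings = []
    for serial, records in sorted(parse_events(text).items()):
        avcs = [r for r in records if r["type"] == "AVC" and r.get("tclass") == "capability"]
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        paths = [r for r in records if r["type"] == "PATH"]
        for avc in avcs:
            cap = CAPABILITY_NAMES.get(int(avc.get("capability", -1)), avc.get("capability"))
            finding = {"serial": serial, "comm": avc.get("comm"), "capability": cap,
                       "scontext": avc.get("scontext"), "path": None}
            if not paths or syscall is None:
                # The situation in the thread: ausearch shows the AVC and nothing else.
                finding["verdict"] = "no_path_record"
            else:
                p = paths[-1]
                euid, egid = int(syscall["euid"]), int(syscall["egid"])
                bits = dac_bits_for(p["mode"], int(p["ouid"]), int(p["ogid"]), euid, egid)
                finding.update(path=p["name"], mode=p["mode"][-4:], owner=int(p["ouid"]), euid=euid)
                # No applicable rwx bits at all: only the capability could have let
                # the process in, so ownership/mode of this file is the thing to fix.
                finding["verdict"] = "dac_denies" if bits == 0 else "check_operation"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f)
```

Run it against `ausearch -m avc -ts recent --raw` output instead of the constructed sample to get the same two verdicts on a live system: `no_path_record` means the `auditctl -w` step from the plugin text is still needed, `dac_denies` names the file whose owner and mode exclude the requesting uid. The mapping from euid/egid to the owner, group or other triad is the one the kernel's ordinary permission check uses; the script does not try to work out which of r, w or x the syscall wanted, which is why a file with some applicable bits is only flagged for a closer look.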