View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017600 | CentOS-8 | selinux-policy | public | 2020-07-17 23:22 | 2020-07-17 23:30 |
Reporter | brentb | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | new | Resolution | open | ||
Product Version | 8.2.2004 | ||||
Summary: 0017600: Dovecot SELinux policy insufficient

Description:

The SELinux policy for dovecot seems insufficient for SELinux to be left enforcing out of the box when using dovecot with at least MySQL and a home directory provided via SQL in the user_query. It may be a broader issue, but I have not tested in a more default state. I am following the same setup I run on CentOS 7 where it works. The symptom is that dovecot will complain in its logs that it cannot chdir:

```
Jul 17 18:44:02 msa01 dovecot[141453]: imap(test@example.com)<142355><IQy65KqqreBMCcF0>: Error: chdir(/mailmount//example.com/test/) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) stat() failed: No such file or directory)
```

Steps To Reproduce:

1. Leave SELinux enforcing
2. Set up dovecot to use the mysql driver and provide home via SQL query
3. Set mail_location = maildir:~/Maildir in 10-mail.conf

Additional Information:

The `dontaudit` settings hide anything from appearing in the audit.log. Disabling those and setting SELinux permissive shows the following:

```
#============= dovecot_auth_t ==============
# src="dovecot_auth_t" tgt="init_t" class="unix_stream_socket", perms="{ read write }"
# comm="auth" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_auth_t init_t:unix_stream_socket { read write };

#============= dovecot_t ==============
# src="dovecot_t" tgt="dovecot_auth_t" class="process", perms="{ noatsecure rlimitinh siginh }"
# comm="auth" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_t dovecot_auth_t:process { noatsecure rlimitinh siginh };

# src="dovecot_t" tgt="unlabeled_t" class="dir", perms="{ getattr search }"
# comm="imap" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_t unlabeled_t:dir { getattr search };

#============= init_t ==============
# src="init_t" tgt="chkpwd_t" class="process", perms="siginh"
# comm="unix_chkpwd" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow init_t chkpwd_t:process siginh;

# src="init_t" tgt="unconfined_t" class="process", perms="siginh"
# comm="systemd" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow init_t unconfined_t:process siginh;
```

Tags: No tags attached.
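The output in the report is in the shape `audit2allow -e` produces, and the tempting response is to feed it straight into a policy module. The following added example (not part of the report and not CentOS or Dovecot project code) parses that format and separates denials whose target is `unlabeled_t` from the rest. In SELinux, `unlabeled_t` means the object carries no label at all, which is a filesystem labeling problem rather than a gap in the dovecot policy: an `allow dovecot_t unlabeled_t:dir` rule would let the IMAP process reach every unlabeled object on the host. The sample text is a constructed copy of the report's entries so the script runs offline; the `triage` split and the regexes are this example's own assumptions about the format.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `audit2allow -e` output; it mirrors the
# entries from the report above but is embedded here so the script runs offline.
SAMPLE = """\
#============= dovecot_auth_t ==============
# src="dovecot_auth_t" tgt="init_t" class="unix_stream_socket", perms="{ read write }"
# comm="auth" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_auth_t init_t:unix_stream_socket { read write };

#============= dovecot_t ==============
# src="dovecot_t" tgt="dovecot_auth_t" class="process", perms="{ noatsecure rlimitinh siginh }"
# comm="auth" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_t dovecot_auth_t:process { noatsecure rlimitinh siginh };

# src="dovecot_t" tgt="unlabeled_t" class="dir", perms="{ getattr search }"
# comm="imap" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_t unlabeled_t:dir { getattr search };

#============= init_t ==============
# src="init_t" tgt="chkpwd_t" class="process", perms="siginh"
# comm="unix_chkpwd" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow init_t chkpwd_t:process siginh;

# src="init_t" tgt="unconfined_t" class="process", perms="siginh"
# comm="systemd" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow init_t unconfined_t:process siginh;
"""

# `allow SRC TGT:CLASS { p1 p2 };` or `allow SRC TGT:CLASS perm;`
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+?);\s*$"
)
COMM_RE = re.compile(r'^#\s*comm="(?P<comm>[^"]*)"')
DONTAUDIT_MARK = "dontaudit rule in the current policy"


@dataclass
class Denial:
    src: str
    tgt: str
    cls: str
    perms: frozenset
    comm: str = ""
    dontaudit: bool = False   # True when the explain comment flags a dontaudit rule


def parse_audit2allow(text):
    """Parse audit2allow -e style output into Denial records.

    The comment lines preceding each `allow` line carry the process name and
    the dontaudit marker; they are attached to the next `allow` line seen.
    """
    denials = []
    comm, dontaudit = "", False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = COMM_RE.match(line)
        if m:
            comm = m.group("comm")
            continue
        if line.startswith("#") and DONTAUDIT_MARK in line:
            dontaudit = True
            continue
        m = ALLOW_RE.match(line)
        if m:
            perms = frozenset(m.group("perms").strip("{} ").split())
            denials.append(Denial(m.group("src"), m.group("tgt"),
                                  m.group("cls"), perms, comm, dontaudit))
            comm, dontaudit = "", False   # reset per-rule state
    return denials


def triage(denials):
    """Split denials into labeling problems and candidates for policy review.

    A target of `unlabeled_t` means the object has no SELinux label (typical
    for a mount without label support or files created before a relabel).
    Those are fixed by labeling the mount, never by granting the access.
    """
    labeling = [d for d in denials if d.tgt == "unlabeled_t"]
    policy = [d for d in denials if d.tgt != "unlabeled_t"]
    return labeling, policy


if __name__ == "__main__":
    labeling, policy = triage(parse_audit2allow(SAMPLE))
    for d in labeling:
        print(f"LABELING: {d.comm} ({d.src}) hit unlabeled {d.cls}; relabel the mount")
    for d in policy:
        print(f"REVIEW:   {d.src} -> {d.tgt}:{d.cls} {sorted(d.perms)} dontaudit={d.dontaudit}")
```

Running the script against the sample isolates the `imap` process's `unlabeled_t:dir { getattr search }` denial, which is the one that lines up with the `chdir(/mailmount/...)` failure in the log, and leaves the four `init_t`/`process` entries, which are already covered by dontaudit rules, for a separate judgement on whether they matter at all.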
Date Modified | Username | Field | Change |
---|---|---|---|
2020-07-17 23:22 | brentb | New Issue | |