View Issue Details

ID: 0017600
Project: CentOS-8
Category: selinux-policy
View Status: public
Last Update: 2020-07-17 23:30
Reporter: brentb
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: 8.2.2004
Target Version:
Fixed in Version:
Summary: 0017600: Dovecot SELinux policy insufficient
Description: The SELinux policy for dovecot seems insufficient for SELinux to be left enforcing out of the box when using dovecot with at least MySQL and a home directory provided via SQL in the user_query. It may be a broader issue, but I have not tested in a more default state. I am following the same setup I run on CentOS 7 where it works.

The symptom is that dovecot will complain in its logs that it cannot chdir:

Jul 17 18:44:02 msa01 dovecot[141453]: imap(test@example.com)<142355><IQy65KqqreBMCcF0>: Error: chdir(/mailmount//example.com/test/) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) stat() failed: No such file or directory)
Steps To Reproduce:
1. Leave SELinux enforcing
2. Set up dovecot to use the mysql driver and provide home via SQL query
3. Set mail_location = maildir:~/Maildir in 10-mail.conf
Additional Information: The `dontaudit` settings hide anything from appearing in the audit.log. Disabling those and setting SELinux permissive shows the following:

#============= dovecot_auth_t ==============
# src="dovecot_auth_t" tgt="init_t" class="unix_stream_socket", perms="{ read write }"
# comm="auth" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_auth_t init_t:unix_stream_socket { read write };

#============= dovecot_t ==============
# src="dovecot_t" tgt="dovecot_auth_t" class="process", perms="{ noatsecure rlimitinh siginh }"
# comm="auth" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_t dovecot_auth_t:process { noatsecure rlimitinh siginh };
# src="dovecot_t" tgt="unlabeled_t" class="dir", perms="{ getattr search }"
# comm="imap" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_t unlabeled_t:dir { getattr search };

#============= init_t ==============
# src="init_t" tgt="chkpwd_t" class="process", perms="siginh"
# comm="unix_chkpwd" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow init_t chkpwd_t:process siginh;
# src="init_t" tgt="unconfined_t" class="process", perms="siginh"
# comm="systemd" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow init_t unconfined_t:process siginh;
Tags: No tags attached.
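As an added example (not part of this report and not CentOS or selinux-policy tooling), a small Python helper that parses audit2allow output in the format quoted above into records and triages each rule. A target of unlabeled_t means the object carries no SELinux label at all, so the first thing to check is the file context of the tree being accessed (assumed here to be the /mailmount tree from the chdir error) rather than widening the dovecot_t policy; process rules granting only noatsecure/rlimitinh/siginh concern inheritance of signal state and rlimits across the domain transition, not directory access. The sample input is constructed from the report's output, with the init_t dontaudit marker dropped so both branches of the parser are exercised.

```python
import re
from collections import namedtuple

# Constructed sample derived from the report's audit2allow output.
SAMPLE = """\
#============= dovecot_t ==============
# src="dovecot_t" tgt="unlabeled_t" class="dir", perms="{ getattr search }"
# comm="imap" exe="" path=""
#!!!! This avc has a dontaudit rule in the current policy
allow dovecot_t unlabeled_t:dir { getattr search };
#============= init_t ==============
# src="init_t" tgt="chkpwd_t" class="process", perms="siginh"
# comm="unix_chkpwd" exe="" path=""
allow init_t chkpwd_t:process siginh;
"""

# An allow rule is either "allow S T:C { p1 p2 };" or "allow S T:C p;".
RULE_RE = re.compile(r"^allow (\S+) (\S+):(\S+) (?:\{ ([^}]*) \}|(\S+));$")

# Inheritance-only process permissions: signal state, rlimits, AT_SECURE.
INHERIT_PERMS = {"noatsecure", "rlimitinh", "siginh"}

# comm: program name from the preceding "# comm=" line;
# dontaudited: audit2allow flagged an existing dontaudit rule for this AVC.
Rule = namedtuple("Rule", "src tgt cls perms comm dontaudited")

def parse_audit2allow(text):
    """Turn audit2allow's commented output into Rule records."""
    rules, comm, dontaudited = [], "", False
    for line in text.splitlines():
        if line.startswith("# comm="):
            comm = re.search(r'comm="([^"]*)"', line).group(1)
        elif line.startswith("#!!!!"):
            dontaudited = "dontaudit" in line
        elif (m := RULE_RE.match(line)):
            perms = tuple((m.group(4) or m.group(5)).split())
            rules.append(Rule(m.group(1), m.group(2), m.group(3), perms, comm, dontaudited))
            comm, dontaudited = "", False  # reset per-rule context
    return rules

def triage(rule):
    """'relabel': target is unlabeled_t, so fix file contexts (mount context
    option or fcontext) instead of adding an allow rule.
    'inherit': only inheritance perms on a process. Otherwise 'review'."""
    if rule.tgt == "unlabeled_t":
        return "relabel"
    if rule.cls == "process" and set(rule.perms) <= INHERIT_PERMS:
        return "inherit"
    return "review"
```

Running `[(r.src, r.tgt, triage(r)) for r in parse_audit2allow(SAMPLE)]` yields the relabel verdict for the imap denial and the inherit verdict for the init_t rule.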

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-07-17 23:22 brentb New Issue