I set up postfix/dovecot on a new machine and now all works well with the small exception of dovecot triggering SELinux AVC denials on some temp... files. Here is a sample alert:

Summary
SELinux is preventing /usr/libexec/dovecot/deliver (dovecot_deliver_t) "link" to temp.localhost.678.40caaf5592891c46 (user_home_dir_t).

Detailed Description
SELinux denied access requested by /usr/libexec/dovecot/deliver. It is not expected that this access is required by /usr/libexec/dovecot/deliver and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for temp.localhost.678.40caaf5592891c46, restorecon -v temp.localhost.678.40caaf5592891c46 If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context         user_u:system_r:dovecot_deliver_t
Target Context         user_u:object_r:user_home_dir_t
Target Objects         temp.localhost.678.40caaf5592891c46 [ file ]
Affected RPM Packages  dovecot-1.0.7-16.fc7 [application]
Policy RPM             selinux-policy-2.6.4-63.fc7
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Permissive
Plugin Name            plugins.catchall_file
Host Name              localhost
Platform               Linux localhost 2.6.23.8-34.fc7 #1 SMP Thu Nov 22 23:05:33 EST 2007 i686 athlon
Alert Count            1
First Seen             Tue 01 Jan 2008 09:29:35 PM EST
Last Seen              Tue 01 Jan 2008 09:29:35 PM EST
Local ID               507dd6a2-da46-4541-8c10-a0771bc85042
Line Numbers

Raw Audit Messages
avc: denied { link } for comm="deliver" dev=dm-0 egid=5000 euid=5000 exe="/usr/libexec/dovecot/deliver" exit=0 fsgid=5000 fsuid=5000 gid=5000 items=0 name="temp.localhost.678.40caaf5592891c46" pid=678 scontext=user_u:system_r:dovecot_deliver_t:s0 sgid=5000 subj=user_u:system_r:dovecot_deliver_t:s0 suid=5000 tclass=file tcontext=user_u:object_r:user_home_dir_t:s0 tty=(none) uid=5000

and 5000 is user vmail. When I look for these files that it is complaining about, they are never in the filesystem. I get about 8 alerts with every email that is delivered. Right now I have SELinux set to permissive so that the mail gets delivered, but I would like to find the cause of this problem so that I can set it back to enforcing.

Gerry
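A small triage helper for denials like the one above, added here as an example and not code from the thread, from Dovecot or from setroubleshoot. It parses raw AVC lines (both the setroubleshoot "Raw Audit Messages" form and the audit.log form), aggregates them into allow rules in the shape audit2allow prints, and flags a target type that suggests a labeling problem rather than a missing policy rule. The first sample line is the audit message from the post; the second and third are constructed to show aggregation, and mail_spool_t in the relabel suggestion is an assumed example type, not a verified answer for this setup.

```python
"""Triage SELinux AVC denials of the kind shown in the post above.

Added example, not code from the thread or from Dovecot/setroubleshoot.
"""
import re
from collections import defaultdict

# Constructed input: the first line is the raw audit message from the post;
# the next two are invented in audit.log format to show aggregation
# (assumption: a dotlock also needs create on the file and add_name on the
# directory; these lines are not from the thread).
SAMPLE_AUDIT_LINES = [
    'avc: denied { link } for comm="deliver" dev=dm-0 egid=5000 euid=5000 '
    'exe="/usr/libexec/dovecot/deliver" exit=0 fsgid=5000 fsuid=5000 gid=5000 '
    'items=0 name="temp.localhost.678.40caaf5592891c46" pid=678 '
    'scontext=user_u:system_r:dovecot_deliver_t:s0 sgid=5000 '
    'subj=user_u:system_r:dovecot_deliver_t:s0 suid=5000 tclass=file '
    'tcontext=user_u:object_r:user_home_dir_t:s0 tty=(none) uid=5000',
    'type=AVC msg=audit(1199240975.123:42): avc:  denied  { create } for  '
    'pid=678 comm="deliver" name="temp.localhost.678.40caaf5592891c46" '
    'scontext=user_u:system_r:dovecot_deliver_t:s0 '
    'tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file',
    'type=AVC msg=audit(1199240975.123:43): avc:  denied  { add_name } for  '
    'pid=678 comm="deliver" name="john" '
    'scontext=user_u:system_r:dovecot_deliver_t:s0 '
    'tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic home-directory types: a confined mail delivery agent writing here
# usually means the mail store was never labeled for mail (heuristic).
GENERIC_HOME_TYPES = {'user_home_dir_t', 'user_home_t', 'home_root_t'}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    return {
        'perms': m.group('perms').split(),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'name': fields.get('name'),
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
    }


def allow_rules(entries):
    """Aggregate denials into allow rules in the form audit2allow prints."""
    perms_by_key = defaultdict(set)
    for e in entries:
        perms_by_key[(e['source'], e['target'], e['tclass'])].update(e['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, body))
    return rules


def looks_like_labeling_problem(entry):
    """Heuristic: a generic home type as target points at mislabeled files."""
    return entry['target'] in GENERIC_HOME_TYPES


def relabel_commands(path, file_type):
    """Commands that persistently relabel a tree; which type is right for
    the mail store is the caller's decision, not decided here."""
    return [
        'semanage fcontext -a -t %s "%s(/.*)?"' % (file_type, path),
        'restorecon -R -v %s' % path,
    ]


def triage(lines):
    entries = [e for e in (parse_avc(ln) for ln in lines) if e]
    return {
        'rules': allow_rules(entries),
        'labeling_suspect': any(looks_like_labeling_problem(e) for e in entries),
        'names': sorted({e['name'] for e in entries if e['name']}),
    }


if __name__ == '__main__':
    result = triage(SAMPLE_AUDIT_LINES)
    for rule in result['rules']:
        print(rule)
    if result['labeling_suspect']:
        print('# target is a generic home type: check ls -Z before writing policy')
        for cmd in relabel_commands('/home/vmail', 'mail_spool_t'):  # assumed type
            print('#   ' + cmd)
```

The allow rule is what the alert's "local policy module" route would turn into; the relabel commands are the other route the alert mentions (restorecon), made persistent with a file context rule. Before choosing either, compare `ls -Z /home/vmail` against the type the policy expects for the mail store; an allow rule written against user_home_dir_t grants the delivery agent link/create on every user's home directory, which is a broader grant than relabeling the mail tree.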
On Tue, 2008-01-01 at 22:06 -0500, Gerry Reno wrote:
> I setup postfix/dovecot on a new machine and now all works well with the
> small exception of dovecot triggering selinux avc denials on some
> temp... files here is a sample alert:
>
> Summary
> SELinux is preventing /usr/libexec/dovecot/deliver (dovecot_deliver_t)
> "link" to temp.localhost.678.40caaf5592891c46 (user_home_dir_t).

Set dotlock_use_excl=yes to see what file it's really wanting to create.
greno at verizon.net
2008-Jan-02 03:36 UTC
[Dovecot] deliver triggering SELinux AVC denials
> From: Timo Sirainen <tss at iki.fi>
> Date: 2008/01/01 Tue PM 09:18:05 CST
> To: Gerry Reno <greno at verizon.net>
> Cc: dovecot at dovecot.org
> Subject: Re: [Dovecot] deliver triggering SELinux AVC denials
> ...
> Set dotlock_use_excl=yes to see what file it's really wanting to create.

Ok, did that. And looking at all the alerts, it appears to be any file that deliver is trying to write under /home/vmail. My users are all virtual and they all exist like:

/home/vmail/example.com/john

Typical permissions:

-rw------- 1 vmail vmail 464 2008-01-01 20:06 dovecot.index.log

But for some reason, even though deliver is set up to run as vmail:vmail, it is still having permission problems.

dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}

Gerry