Hi,
I'm running dovecot (1.1.7) deliver and sieve (1.1.5) on a Fedora 9
platform, using selinux targeted mode.
Most of the mail deliveries go well, but once deliver tried to copy
the mail to the /tmp directory, which it seems is not allowed by
selinux. I guess that deliver wants to sanitize the mail or something
and therefore copies it to /tmp.
Before I ask for selinux to allow this, I would like to know why? It
could also be an error, leading deliver into a seldom used piece of code?
In order to get the mail delivered I put selinux into permissive mode, using:
semanage permissive -a dovecot_deliver_t
And then the mail is delivered - below are excerpts from different logs
and I have *NOT* attached the message which could not get delivered - because of
its size.
Regards,
Kim
Output from "dovecot -n":
# 1.1.7: /etc/dovecot.conf
# OS: Linux 2.6.27.9-73.fc9.i686 i686 Fedora release 9 (Sulphur) ext3
protocols: imaps
listen: *
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/imap-login
mail_location: maildir:/data/mail/%u
auth default:
passdb:
driver: pam
userdb:
driver: passwd
Here is the mail-log of the incident:
Jan 6 02:20:36 jukebox amavis[30505]: (30505-01) Passed CLEAN,
[209.85.219.21] <pgsql-hackers-owner+M130915 at postgresql.org> ->
<kim+pg at alleroedderne.adsl.dk>, Message-ID:
<6fa3b6e20901051715p2a6b03dbt30ce14e9e2bc796c at mail.gmail.com>, mail_id:
QsxKXByj4rFd, Hits: -2.599, size: 140563, queued_as: E3E2BBC57D, 10434 ms
Jan 6 02:20:36 jukebox postfix/lmtp[32118]: 98350BC57C:
to=<kim+pg at alleroedderne.adsl.dk>, relay=127.0.0.1[127.0.0.1]:10024,
delay=24, delays=13/0.06/0.44/10, dsn=2.0.0, status=sent (250 2.0.0Ok:
queued as E3E2BBC57D)
Jan 6 02:20:36 jukebox postfix/qmgr[2205]: 98350BC57C: removed
Jan 6 02:20:36 jukebox deliver(kim):
stat(/tmp/dovecot.deliver..1231204836.32131.f6db3d4db5020c54) failed:
Permission denied
Jan 6 02:20:36 jukebox deliver(kim): copy: i_stream_read() failed:
Permission denied
Jan 6 02:20:36 jukebox deliver(kim):
msgid=<6fa3b6e20901051715p2a6b03dbt30ce14e9e2bc796c at mail.gmail.com>:
save failed to lists.PostgreSQL.Hacker: Internal error occurred. Refer
to server log for more information. [2009-01-06 02:20:36]
Jan 6 02:20:36 jukebox deliver(kim): sieve runtime error: Fileinto:
Generic Error
Jan 6 02:20:36 jukebox deliver(kim):
sieve_execute_bytecode(/home/kim/.dovecot.sievec) failed
Jan 6 02:20:37 jukebox deliver(kim): copy: i_stream_read() failed: No
such file or directory
Jan 6 02:20:37 jukebox deliver(kim):
msgid=<6fa3b6e20901051715p2a6b03dbt30ce14e9e2bc796c at mail.gmail.com>:
save failed to INBOX: Internal error occurred. Refer to server log for
more information. [2009-01-06 02:20:36]
Jan 6 02:20:37 jukebox postfix/local[32130]: E3E2BBC57D:
to=<kim+pg at alleroedderne.adsl.dk>, relay=local, delay=1.3,
delays=0.1/0.18/0/1, dsn=4.3.0, status=deferred (temporary failure)
Here are the lines from selinux once in permissive mode:
Jan 6 16:44:28 jukebox setroubleshoot: SELinux is preventing the
deliver from using potentially mislabeled files (./tmp). For complete
SELinux messages. run sealert -l 4b6a49fd-c1f8-40f9-98fa-dfe971719c69
Jan 6 16:44:29 jukebox setroubleshoot: SELinux is preventing the
deliver from using potentially mislabeled files (./tmp). For complete
SELinux messages. run sealert -l 19445c54-9537-45ec-8f3e-7718364b1f1f
Jan 6 16:44:29 jukebox setroubleshoot: SELinux is preventing the
deliver from using potentially mislabeled files
(./dovecot.deliver..1231256667.7940.53f0f908f5a97712). For complete
SELinux messages. run sealert -l 0cb74c68-0bbb-4de6-a15f-0bb5fdffcf90
Jan 6 16:44:29 jukebox setroubleshoot: SELinux is preventing the
deliver from using potentially mislabeled files
(2F746D702F646F7665636F742E64656C697665722E2E313233313235363636372E373934302E35336630663930386635613937373132202864656C6574656429).
For complete SELinux messages. run sealert -l
afe6e0ae-8c2e-4882-925b-b15e26da2a15
And the AVCs for those:
node=jukebox.alleroedderne.adsl.dk type=AVC
msg=audit(1231439791.493:10819): avc: denied { search } for pid=9073
comm="deliver" name="tmp" dev=sda3 ino=786433
scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=jukebox.alleroedderne.adsl.dk type=SYSCALL
msg=audit(1231439791.493:10819): arch=40000003 syscall=195 success=no
exit=-2 a0=96e0aa0 a1=bfc21120 a2=4f5ff4 a3=bfc21120 items=0 ppid=9072
pid=9073 auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500
egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="deliver"
exe="/usr/libexec/dovecot/deliver"
subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)
node=jukebox.alleroedderne.adsl.dk type=AVC
msg=audit(1231439791.493:10820): avc: denied { write } for pid=9073
comm="deliver" name="tmp" dev=sda3 ino=786433
scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=jukebox.alleroedderne.adsl.dk type=AVC
msg=audit(1231439791.493:10820): avc: denied { add_name } for
pid=9073 comm="deliver"
name="dovecot.deliver..1231439791.9073.73e6f9811129f7ec"
scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=jukebox.alleroedderne.adsl.dk type=AVC
msg=audit(1231439791.493:10820): avc: denied { create } for pid=9073
comm="deliver"
name="dovecot.deliver..1231439791.9073.73e6f9811129f7ec"
scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=jukebox.alleroedderne.adsl.dk type=AVC
msg=audit(1231439791.493:10820): avc: denied { read write } for
pid=9073 comm="deliver"
name="dovecot.deliver..1231439791.9073.73e6f9811129f7ec" dev=sda3
ino=819452 scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=jukebox.alleroedderne.adsl.dk type=SYSCALL
msg=audit(1231439791.493:10820): arch=40000003 syscall=5 success=yes
exit=12 a0=96e0aa0 a1=80c2 a2=180 a3=80c2 items=0 ppid=9072 pid=9073
auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=12
sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="deliver"
exe="/usr/libexec/dovecot/deliver"
subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)
node=jukebox.alleroedderne.adsl.dk type=AVC
msg=audit(1231256667.462:5562): avc: denied { remove_name } for
pid=7940 comm="deliver"
name="dovecot.deliver..1231256667.7940.53f0f908f5a97712" dev=sda3
ino=852077 scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=jukebox.alleroedderne.adsl.dk type=AVC
msg=audit(1231256667.462:5562): avc: denied { unlink } for pid=7940
comm="deliver"
name="dovecot.deliver..1231256667.7940.53f0f908f5a97712"
dev=sda3 ino=852077 scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=jukebox.alleroedderne.adsl.dk type=SYSCALL
msg=audit(1231256667.462:5562): arch=40000003 syscall=10 success=yes
exit=0 a0=8bdfaa0 a1=80c2 a2=8bdfaa0 a3=c items=0 ppid=7939 pid=7940
auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=12
sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="deliver"
exe="/usr/libexec/dovecot/deliver"
subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)
node=jukebox.alleroedderne.adsl.dk type=AVC
msg=audit(1231256667.463:5563): avc: denied { getattr } for pid=7940
comm="deliver"
path=2F746D702F646F7665636F742E64656C697665722E2E313233313235363636372E373934302E35336630663930386635613937373132202864656C6574656429
dev=sda3 ino=852077 scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=jukebox.alleroedderne.adsl.dk type=SYSCALL
msg=audit(1231256667.463:5563): arch=40000003 syscall=197 success=yes
exit=0 a0=c a1=bfada72c a2=4f5ff4 a3=8c1c2f8 items=0 ppid=7939 pid=7940
auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=12
sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="deliver"
exe="/usr/libexec/dovecot/deliver"
subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)
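Added example for readers of this thread (it is not Dovecot, SELinux or setroubleshoot code): a small parser for AVC denial records of the kind pasted above. It decodes the hex-encoded path= value (auditd hex-encodes a name or path that contains a space or non-printable byte, and then leaves it unquoted, which is why the "(deleted)" path shows up as a long hex string) and groups every denied permission by source type, target type and object class, so the full set of accesses deliver attempted on tmp_t can be read at a glance before deciding whether to grant any of it. The sample records are copied in the shape of the thread's own audit output and are embedded as constructed test input.

```python
"""Parse SELinux AVC denial records and summarise what was denied.

Added example for this thread, not project code. Audit record fields
are key=value pairs; auditd hex-encodes (and leaves unquoted) any
name=/path= value containing spaces or non-printable bytes.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the audit lines in the thread: two
# AVC records (one with a quoted name=, one with a hex-encoded path=)
# and one SYSCALL record that the parser must ignore.
SAMPLE_AUDIT = """\
node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231439791.493:10820): avc: denied { read write } for pid=9073 comm="deliver" name="dovecot.deliver..1231439791.9073.73e6f9811129f7ec" dev=sda3 ino=819452 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=jukebox.alleroedderne.adsl.dk type=SYSCALL msg=audit(1231439791.493:10820): arch=40000003 syscall=5 success=yes exit=12 comm="deliver" exe="/usr/libexec/dovecot/deliver"
node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231256667.463:5563): avc: denied { getattr } for pid=7940 comm="deliver" path=2F746D702F646F7665636F742E64656C697665722E2E313233313235363636372E373934302E35336630663930386635613937373132202864656C6574656429 dev=sda3 ino=852077 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields auditd may hex-encode when the value is not safely printable.
HEX_FIELDS = {"name", "path", "comm", "exe", "proctitle"}


def decode_value(key, raw):
    """Strip quotes, or hex-decode an unquoted name/path style value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, raw in KV_RE.findall(m.group("rest")):
        rec[key] = decode_value(key, raw)
    return rec


def summarise(text):
    """Group denied permissions by (source type, target type, object class).

    The type is the third colon-separated field of a context such as
    system_u:system_r:dovecot_deliver_t:s0.
    """
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["scontext"].split(":")[2],
               rec["tcontext"].split(":")[2],
               rec["tclass"])
        summary[key].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    for line in SAMPLE_AUDIT.splitlines():
        rec = parse_avc(line)
        if rec:
            target = rec.get("path") or rec.get("name")
            print(f"{rec['comm']}: denied {rec['perms']} on {rec['tclass']} {target!r}")
    for (src, tgt, cls), perms in summarise(SAMPLE_AUDIT).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)}")
```

Run against the full set of records in the thread, the summary collapses the search/write/add_name/create/remove_name/unlink denials on the tmp_t directory and the create/read/write/getattr/unlink denials on tmp_t files into two lines, which is the question to answer before writing any local policy: whether deliver should be touching /tmp at all, or whether the temporary file belongs in a directory labelled for the dovecot_deliver_t domain.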