Bug 158086 - dovecot won't start from init script due to selinux errors
Summary: dovecot won't start from init script due to selinux errors
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-05-18 15:09 UTC by Thomas J. Baker
Modified: 2007-11-30 22:11 UTC
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-02 19:41:19 UTC


Attachments:

Description Thomas J. Baker 2005-05-18 15:09:00 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4

Description of problem:
FC4T3 install plus May17 updates. Dovecot won't start from the /etc/init.d/dovecot script. Audit log says

type=AVC msg=audit(1116428511.409:13273466): avc:  denied  { read } for  name=dovecot.pem dev=dm-0 ino=200602 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116428511.409:13273466): syscall=21 arch=c000003e success=no exit=-13 a0=521568 a1=4 a2=410e77 a3=6f items=1 pid=29730 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116428511.409:13273466): item=0 name="/etc/pki/dovecot/dovecot.pem" inode=200602 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00

Strangely, it starts fine from the command line if I just run dovecot as root.

Version-Release number of selected component (if applicable):
dovecot-0.99.14-4.fc4, selinux-policy-targeted-1.23.14-2

How reproducible:
Always

Steps to Reproduce:
1. install dovecot
2. try to start it
3.
  

Actual Results:  dovecot fails to start

Expected Results:  dovecot starts

Additional info:

You actually can't even see the errors until you install audit-0.8.1 due to bug #158011

Comment 1 Daniel Walsh 2005-05-18 18:01:22 UTC
chcon -t dovecot_cert_t /etc/pki/dovecot/dovecot.pem

Should fix it.  I will modify policy to fix this problem.

selinux-policy-*-1.23.16-4


Comment 2 Thomas J. Baker 2005-05-20 13:38:09 UTC
I did the chcon and have the new policy and it still fails:

[tjb@wintermute policy]# ls -lZ /etc/pki/dovecot/dovecot.pem
-rw-------  root     root     system_u:object_r:dovecot_cert_t /etc/pki/dovecot/dovecot.pem
[tjb@wintermute policy]#


type=AVC msg=audit(1116596209.572:5451329): avc:  denied  { read } for  name=dovecot.pem dev=dm-0 ino=200601 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116596209.572:5451329): syscall=21 arch=c000003e success=no exit=-13 a0=521588 a1=4 a2=410e77 a3=6f items=1 pid=8022 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116596209.572:5451329): item=0 name="/etc/pki/dovecot/private/dovecot.pem" inode=200601 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00


Comment 3 Thomas J. Baker 2005-05-20 13:39:02 UTC
P.S. The thing I don't understand is that if I start it by hand, just "dovecot"
as root, it works fine.

Comment 4 Daniel Walsh 2005-05-20 13:57:31 UTC
chcon -R -t dovecot_cert_t /etc/pki/dovecot

When you run the service out of the service script it is protected via SELinux;
when you run it by hand directly it runs under the default context
(unconfined_t).

Comment 5 Daniel Walsh 2005-05-20 14:01:51 UTC
Actually 

restorecon -R -v /etc/pki should fix it also.

Dan

Comment 6 Thomas J. Baker 2005-05-20 14:25:14 UTC
Still no dice:

[tjb@wintermute tjb]# restorecon -R -v /etc/pki
restorecon reset /etc/pki/dovecot/dovecot.pem context system_u:object_r:dovecot_cert_t->system_u:object_r:cert_t
[tjb@wintermute tjb]# /etc/init.d/dovecot stop
Stopping Dovecot Imap:                                     [  OK  ]
[tjb@wintermute tjb]# /etc/init.d/dovecot start
Starting Dovecot Imap:                                     [FAILED]
[tjb@wintermute tjb]#


type=AVC msg=audit(1116598755.720:12031051): avc:  denied  { read } for  name=dovecot.pem dev=dm-0 ino=200602 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116598755.720:12031051): syscall=21 arch=c000003e success=no exit=-13 a0=521568 a1=4 a2=410e77 a3=6f items=1 pid=10363 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116598755.720:12031051): item=0 name="/etc/pki/dovecot/dovecot.pem" inode=200602 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00

On running from the init script versus command line, how is the context applied
when running from the script?  The daemon command invokes a new context and
somehow dovecot policy is applied to it? (Excuse the lack of better terms...)
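The audit records quoted in this thread arrive as three separate lines (AVC, SYSCALL, PATH) that share one serial number, and the AVC line alone only shows the basename. The script below is an added example, not part of the report or of any Fedora tool: it stitches the three records back together by serial, pulls the source and target types out of the contexts, and reports which domain was denied which permission on which full path. The sample records are copied from Comments 6 and 8 of this bug, reflowed to one record per line; the parser accepts both the unquoted 2005 format and the later quoted `comm="..."` form.

```python
import re
from collections import defaultdict

# Sample records copied from this report (Comments 6 and 8), one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1116598755.720:12031051): avc:  denied  { read } for  name=dovecot.pem dev=dm-0 ino=200602 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=file
type=SYSCALL msg=audit(1116598755.720:12031051): syscall=21 arch=c000003e success=no exit=-13 a0=521568 a1=4 a2=410e77 a3=6f items=1 pid=10363 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=dovecot exe=/usr/sbin/dovecot
type=PATH msg=audit(1116598755.720:12031051): item=0 name="/etc/pki/dovecot/dovecot.pem" inode=200602 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1117146764.477:4455248): item=0 name="/home/andreas" inode=3 dev=fd:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00
type=SYSCALL msg=audit(1117146764.477:4455248): arch=40000003 syscall=12 success=no exit=-13 a0=9e21653 a1=0 a2=3e8 a3=9e20f9c items=1 pid=3236 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
type=AVC msg=audit(1117146764.477:4455248): avc:  denied  { search } for  pid=3236 comm="dovecot" name=andreas dev=dm-2 ino=3 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:file_t tclass=dir
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <rest of record>
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# key=value pairs; values may be double-quoted (newer audit format) or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# avc:  denied  { read write } for ...
PERMS_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')


def parse_record(line):
    """Turn one audit line into a dict, or return None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]), "ts": float(m["ts"])}
    rest = m["rest"]
    if rec["type"] == "AVC":
        p = PERMS_RE.search(rest)
        if p:
            rec["result"] = p["result"]
            rec["perms"] = p["perms"].split()
    for key, value in KV_RE.findall(rest):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type, the part that the AVC rule is actually about."""
    return ctx.split(":")[2]


def correlate(text):
    """Group records by serial and summarise every denial with its full path."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    denials = []
    for serial, parts in sorted(events.items()):
        avc = parts.get("AVC")
        if not avc or avc.get("result") != "denied":
            continue
        syscall = parts.get("SYSCALL", {})
        # PATH carries the full name; fall back to the AVC basename if it is missing
        path = parts.get("PATH", {}).get("name", avc.get("name"))
        denials.append({
            "serial": serial,
            "perms": avc["perms"],
            "tclass": avc["tclass"],
            "source": context_type(avc["scontext"]),
            "target": context_type(avc["tcontext"]),
            "path": path,
            "exe": syscall.get("exe"),
            "pid": syscall.get("pid"),
        })
    return denials


def describe(d):
    """One-line human summary of a correlated denial."""
    return (f"pid {d['pid']} ({d['exe']}) running as {d['source']} was denied "
            f"{','.join(d['perms'])} on {d['tclass']} {d['path']} labelled {d['target']}")


if __name__ == "__main__":
    for d in correlate(SAMPLE_AUDIT):
        print(describe(d))
```

Reading the output for the first denial gives the whole story of this bug in one line: the daemon is in `dovecot_t` (so it was started through the init script, as Comment 7 explains), the file it wants is `/etc/pki/dovecot/dovecot.pem`, and that file carries `cert_t` rather than the `dovecot_cert_t` the policy expects, which points at a labelling problem rather than a missing allow rule.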

Comment 7 Daniel Walsh 2005-05-20 15:34:31 UTC
Ok we have a problem in policy then.

/etc/pki/dovecot 

do 

chcon -R -t dovecot_cert_t /etc/pki/dovecot

And it should work.  I will look at policy but the restorecon should have done
the equivalent.


The rules say that when running an init script say

unconfined_t -> initrc_exec_t -> initrc_t

initrc_t -> dovecot_exec_t -> dovecot_t

ls -lZ /etc/init.d/dovecot
-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t  /etc/init.d/dovecot


When run directly

unconfined_t -> dovecot_exec_t -> unconfined_t


Comment 8 Andreas Simon 2005-05-26 22:38:23 UTC
I had the same problem here.

chcon -R -t dovecot_cert_t /etc/pki/dovecot

fixed the issue here. Dovecot now starts fine from the init.d script.
This is with selinux-policy-targeted-1.23.16-6.

(Dovecot still can't actually access my mails, but this seems to be unrelated to
this bug, because my mails are on a reiserfs partition, which is known to not
work with selinux. I expect this issue to go away when I change my /home to ext3
this weekend:

type=PATH msg=audit(1117146764.477:4455248): item=0 name="/home/andreas" inode=3 dev=fd:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00
type=SYSCALL msg=audit(1117146764.477:4455248): arch=40000003 syscall=12 success=no exit=-13 a0=9e21653 a1=0 a2=3e8 a3=9e20f9c items=1 pid=3236 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
type=AVC msg=audit(1117146764.477:4455248): avc:  denied  { search } for  pid=3236 comm="dovecot" name=andreas dev=dm-2 ino=3 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:file_t tclass=dir
)

Thanks.

Comment 9 Adam Thompson 2005-06-26 14:35:07 UTC
FYI, running FC4-release (fully updated as of right now).

selinux-policy-targeted is somehow fubar'd with respect to the
/etc/pki/dovecot/* entries.

I have selinux-policy-targeted-source installed, and have manually verified that
the policy appears to be correct:

/etc/selinux/targeted/src/policy/file_contexts/file_contexts:/etc/pki/dovecot(/.*)?  system_u:object_r:dovecot_cert_t

...but running restorecon (or setfiles) does NOT correctly apply that context:
[root@server selinux]# cd /etc/pki/dovecot/
[root@server dovecot]# ls -lZ
-rw-r--r--  root     root     system_u:object_r:cert_t         dovecot-openssl.cnf
-rw-------  root     root     system_u:object_r:cert_t         dovecot.pem
drwxr-xr-x  root     root     system_u:object_r:cert_t         private/


Now, if I do "chcon -R -t dovecot_cert_t .",  everything seems just fine. 
Question is, why/how is targeted policy broken and not applying properly?



Comment 10 Daniel Walsh 2005-06-27 11:06:35 UTC
There is an ordering problem in the file_context file.  This is fixed in
selinux-policy-targeted-1.23.18-17.src.rpm
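Comment 9 shows the correct `/etc/pki/dovecot(/.*)?` entry present in file_contexts and restorecon still applying `cert_t`, and Comment 10 attributes that to entry ordering. The toy below is an added example, not policy code and not from this report: it models the last-match-wins rule that setfiles of that era applied (every regex is tried against the full path and the last one that matches supplies the context) and includes a small lint that flags entries which match some file but never win. Only the dovecot entry and the three file names under `/etc/pki/dovecot` come from the page; the generic `/etc/pki(/.*)?` entry and the `ca-bundle.crt` path are constructed to show how a broader entry listed later shadows a more specific one listed earlier. Later libselinux releases sort entries by specificity before matching, so raw file order matters less there than it did here.

```python
import re

# Constructed file_contexts fragments, as (regex, context) in file order.
# BROKEN lists the specific dovecot entry (from the page) BEFORE a generic
# /etc/pki entry (constructed), so the generic entry wins for every dovecot file.
BROKEN = [
    (r"/etc/pki/dovecot(/.*)?", "system_u:object_r:dovecot_cert_t"),
    (r"/etc/pki(/.*)?",         "system_u:object_r:cert_t"),
]
# FIXED puts the more specific entry last, where last-match-wins lets it win.
FIXED = [
    (r"/etc/pki(/.*)?",         "system_u:object_r:cert_t"),
    (r"/etc/pki/dovecot(/.*)?", "system_u:object_r:dovecot_cert_t"),
]

# Paths to label: the three from Comment 9 plus one constructed non-dovecot file.
PATHS = [
    "/etc/pki/dovecot/dovecot.pem",
    "/etc/pki/dovecot/private/dovecot.pem",
    "/etc/pki/dovecot/dovecot-openssl.cnf",
    "/etc/pki/tls/certs/ca-bundle.crt",   # constructed
]


def label_for(path, file_contexts):
    """Return the context the last matching entry assigns, or None if nothing matches.

    Models the setfiles rule assumed here: entries are tried in file order and a later
    match overrides an earlier one, so order in the file decides ties.
    """
    chosen = None
    for pattern, ctx in file_contexts:
        if re.fullmatch(pattern, path):
            chosen = ctx
    return chosen


def find_shadowed(file_contexts, paths):
    """Lint: patterns that match at least one path but never supply the final label."""
    matched = {pattern: 0 for pattern, _ in file_contexts}
    wins = {pattern: 0 for pattern, _ in file_contexts}
    for path in paths:
        winner = None
        for pattern, _ in file_contexts:
            if re.fullmatch(pattern, path):
                matched[pattern] += 1
                winner = pattern
        if winner is not None:
            wins[winner] += 1
    return [pattern for pattern, _ in file_contexts if matched[pattern] and not wins[pattern]]


if __name__ == "__main__":
    for name, fc in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(f"== {name} ==")
        for p in PATHS:
            print(f"{label_for(p, fc):40} {p}")
        print("shadowed:", find_shadowed(fc, PATHS) or "none")
```

With the BROKEN order every file under `/etc/pki/dovecot` comes out as `cert_t`, which is exactly the `ls -lZ` output in Comment 9 and why `chcon -R -t dovecot_cert_t` (which bypasses file_contexts) worked while `restorecon` (which consults it) did not. The lint reports the dovecot pattern as shadowed in BROKEN and nothing in FIXED, which is the check worth running against a policy's file_contexts whenever a relabel silently produces the generic type.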

Comment 11 Thomas J. Baker 2005-07-01 12:10:11 UTC
Seems fixed to me. Others concur?

