Bug 161998 - dovecot-auth not allowed to handle cert_t
Summary: dovecot-auth not allowed to handle cert_t
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-06-28 23:37 UTC by Bojan Smojver
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-15 11:57:15 UTC



Description Bojan Smojver 2005-06-28 23:37:42 UTC
Description of problem:
dovecot-auth process isn't allowed to handle cert_t files.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-17

How reproducible:
Always.

Steps to Reproduce:
1. Run dovecot over SSL.
  
Actual results:
Lots of unneeded denials.

Expected results:
The log should be silent.

Additional info:
--------------------------------------------------
Jun 29 09:23:13 beauty kernel: audit(1120000993.282:955): avc:  denied  { search } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.324:956): avc:  denied  { search } for  pid=25324 comm="unix_chkpwd" name=pki dev=dm-0 ino=481589 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.325:957): avc:  denied  { read } for  pid=25324 comm="unix_chkpwd" name=urandom dev=tmpfs ino=747 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jun 29 09:23:13 beauty kernel: audit(1120000993.326:958): avc:  denied  { read } for  pid=25324 comm="unix_chkpwd" name=random dev=tmpfs ino=741 scontext=root:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jun 29 09:23:13 beauty kernel: audit(1120000993.340:959): avc:  denied  { search } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.344:960): avc:  denied  { search } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.511:961): avc:  denied  { search } for  pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.645:962): avc:  denied  { search } for  pid=22692 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jun 29 09:23:13 beauty kernel: audit(1120000993.677:963): avc:  denied  { read } for  pid=25326 comm="imap" name=cert.pem dev=dm-0 ino=481616 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=lnk_file
--------------------------------------------------

Comment 1 Hann-Huei Chiou 2005-06-29 06:33:16 UTC
It seems that dovecot-auth uses dovecot_cert_t so the certificate can't be 
shared among sendmail, apache, etc. :(

Comment 2 Daniel Walsh 2005-07-03 15:38:50 UTC
So should I just change dovecot_cert_t to be the same as cert_t? I.e., we want
these things shared?

Dan

Comment 3 Bojan Smojver 2005-07-05 09:49:16 UTC
I just tried 1.24-3 and it still has the same issue.

To answer your question, I think the problem is with the file
/etc/pki/tls/cert.pem (and directories in which it lives), which is not part of
dovecot, but openssl. This file is a bundle of X.509 certificates of public
certificate authorities. So, I don't think dovecot_cert_t should be the same as
cert_t, but rather dovecot should be allowed to read cert_t files and
directories, as this is their purpose anyway. Other daemons may not be allowed
to view dovecot specific certificates, which is also OK. So, dovecot_cert_t
should stay.
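To make the distinction in this comment concrete, here is an added audit2allow-style triage script (my own example, not part of this bug or of the Fedora policy) that reduces AVC lines of the shape quoted above to the minimal candidate rules per (source domain, target type, class). Run over the report's denials it yields rules such as allow dovecot_auth_t cert_t:dir search, i.e. read access to the shared cert_t, rather than any change to dovecot_cert_t. The regex, function names and the constructed SAMPLE lines are my own assumptions.

```python
import re
from collections import defaultdict

# Kernel audit AVC format as quoted in this bug: comm= and name= may be bare or quoted,
# and scontext may carry a user other than system_u (the first report shows root:...).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?comm="?(?P<comm>[^"\s]+)"?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = frozenset(d["perms"].split())
    # The type is the third colon-separated field of a context (an MLS range may follow it).
    d["sdomain"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d

def summarise(lines):
    """Union the denied permissions per (source domain, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return {k: frozenset(v) for k, v in rules.items()}

def as_allow_rules(summary):
    """Render each tuple in allow-rule syntax as a candidate for the policy author to review."""
    out = []
    for (sdom, ttype, tclass), perms in sorted(summary.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {sdom} {ttype}:{tclass} {{ {p} }};" if len(perms) > 1
                   else f"allow {sdom} {ttype}:{tclass} {p};")
    return out

# Constructed sample: two denials in the shape quoted in this report, plus one non-AVC line.
SAMPLE = [
    'Jun 29 09:23:13 beauty kernel: audit(1120000993.282:955): avc:  denied  { search } for  '
    'pid=25323 comm="dovecot-auth" name=pki dev=dm-0 ino=481589 '
    'scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir',
    'Jun 29 09:23:13 beauty kernel: audit(1120000993.677:963): avc:  denied  { read } for  '
    'pid=25326 comm="imap" name=cert.pem dev=dm-0 ino=481616 '
    'scontext=root:system_r:dovecot_t tcontext=system_u:object_r:cert_t tclass=lnk_file',
    'Jul 13 20:32:00 beauty unix_chkpwd[3197]: check pass; user unknown',
]

if __name__ == "__main__":
    for rule in as_allow_rules(summarise(SAMPLE)):
        print(rule)
```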

Comment 4 Bojan Smojver 2005-07-07 20:16:50 UTC
From 1.25.1-7:
------------------------------------------------------------
Jul  8 06:15:09 beauty kernel: audit(1120767309.400:3156): avc:  denied  { search } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty kernel: audit(1120767309.441:3157): avc:  denied  { search } for  pid=12412 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty kernel: audit(1120767309.442:3158): avc:  denied  { read } for  pid=12412 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=1421 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul  8 06:15:09 beauty kernel: audit(1120767309.443:3159): avc:  denied  { read } for  pid=12412 comm="unix_chkpwd" name="random" dev=tmpfs ino=712 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jul  8 06:15:09 beauty unix_chkpwd[12412]: check pass; user unknown
Jul  8 06:15:09 beauty dovecot(pam_unix)[12411]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=bojan
Jul  8 06:15:09 beauty kernel: audit(1120767309.454:3160): avc:  denied  { search } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty kernel: audit(1120767309.457:3161): avc:  denied  { search } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty dovecot-auth[12411]: nss_ldap: reconnecting to LDAP server...
Jul  8 06:15:09 beauty kernel: audit(1120767309.684:3162): avc:  denied  { search } for  pid=12411 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul  8 06:15:09 beauty dovecot-auth[12411]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
Jul  8 06:15:09 beauty kernel: audit(1120767309.919:3163): avc:  denied  { search } for  pid=2228 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
------------------------------------------------------------

Comment 5 Bojan Smojver 2005-07-11 23:43:08 UTC
Works just fine in selinux-policy-targeted-1.25.1-7. Many thanks!

Comment 6 Bojan Smojver 2005-07-13 10:34:16 UTC
I'm a liar:

--------------------------------------
Jul 13 20:32:00 beauty kernel: audit(1121250720.521:25): avc:  denied  { search } for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.563:26): avc:  denied  { search } for  pid=3197 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.564:27): avc:  denied  { read } for  pid=3197 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=774 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 13 20:32:00 beauty kernel: audit(1121250720.565:28): avc:  denied  { read } for  pid=3197 comm="unix_chkpwd" name="random" dev=tmpfs ino=768 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jul 13 20:32:00 beauty unix_chkpwd[3197]: check pass; user unknown
Jul 13 20:32:00 beauty dovecot(pam_unix)[3196]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=bojan
Jul 13 20:32:00 beauty kernel: audit(1121250720.579:29): avc:  denied  { search } for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty kernel: audit(1121250720.583:30): avc:  denied  { search } for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 13 20:32:00 beauty dovecot-auth[3196]: nss_ldap: reconnecting to LDAP server...
Jul 13 20:32:00 beauty kernel: audit(1121250720.609:31): avc:  denied  { search } for  pid=3196 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
--------------------------------------

That's for selinux-policy-targeted-1.25.1-7.

Comment 7 Daniel Walsh 2005-07-13 10:56:25 UTC
Try out selinux-policy-targeted-1.25.1-9

Comment 8 Bojan Smojver 2005-07-14 01:37:29 UTC
Still seems like a no go:

-------------------------------
Jul 14 11:34:42 beauty dbus: avc:  received policyload notice (seqno=3)
Jul 14 11:34:42 beauty dbus: avc:  0 AV entries and 0/512 buckets used, longest chain length 0

Jul 14 11:35:17 beauty kernel: audit(1121304917.760:635): avc:  denied  { search } for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.803:636): avc:  denied  { search } for  pid=20678 comm="unix_chkpwd" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.804:637): avc:  denied  { read } for  pid=20678 comm="unix_chkpwd" name="urandom" dev=tmpfs ino=774 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 14 11:35:17 beauty kernel: audit(1121304917.805:638): avc:  denied  { read } for  pid=20678 comm="unix_chkpwd" name="random" dev=tmpfs ino=768 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Jul 14 11:35:17 beauty kernel: audit(1121304917.819:639): avc:  denied  { search } for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.823:640): avc:  denied  { search } for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.847:641): avc:  denied  { search } for  pid=20677 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
Jul 14 11:35:17 beauty kernel: audit(1121304917.879:642): avc:  denied  { search } for  pid=2241 comm="dovecot-auth" name="pki" dev=dm-0 ino=481589 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:cert_t tclass=dir
-------------------------------

Notice how it's "dovecot-auth" that's failing. I explicitly loaded the policy
with load_policy, to make sure I've got the right one. rpm -q
selinux-policy-targeted shows:

[root@beauty ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.25.1-9

Comment 9 Bojan Smojver 2005-07-15 11:57:15 UTC
Looks like the latest policy (1.25.2-4) took care of this one too. Closing for now.

