Fedora SELinux Support list archive: http://www.linux-archive.org/fedora-selinux-support/349139-dovecot-2-0-a.html

Paul Howarth 03-30-2010 01:23 PM

dovecot 2.0
 
dovecot 2.0 renames some files from 1.x and needs some additional policy:

File contexts:

/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)

/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)

/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)

Rules:

type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)
manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
allow dovecot_t self:capability kill;
allow dovecot_t dovecot_auth_t:process signal;

With those additions, I've got dovecot 2.0 running in my simple
PAM-based environment, leaving just the following AVC:

type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for
pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454
scontext=unconfined_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42
success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0
ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot"
subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

I haven't figured out where that's coming from yet but it looks far too
suspicious to allow, and doesn't seem to break anything when it's not
allowed.

Paul.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
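To make the AVC above easier to act on, here is a small triage script (added for this archive, not part of the thread or of the Fedora policy tooling) that joins the AVC and SYSCALL records by their audit serial, decodes the syscall metadata, and emits both the audit2allow-style allow rule and the dontaudit form that Dan suggests further down. The sample input is the pair of records from the post, re-joined onto one line each; the syscall and errno tables are deliberately limited to the x86_64 entries needed for this record.

```python
import re

# Constructed sample: the AVC and SYSCALL records quoted in the post, re-joined
# onto one line each (the mail client wrapped them).
SAMPLE = """\
type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0 ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
"""

# arch=c000003e is AUDIT_ARCH_X86_64; only the syscall numbers needed here.
X86_64_SYSCALLS = {1: "write", 2: "open", 42: "connect"}
ERRNO = {-13: "EACCES"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")


def parse_records(text):
    """Group audit lines by serial: {serial: {"AVC": [...], "SYSCALL": {...}}}."""
    events = {}
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        serial = SERIAL_RE.search(line).group(1)
        ev = events.setdefault(serial, {"AVC": [], "SYSCALL": None})
        if fields["type"] == "AVC":
            fields["perms"] = PERMS_RE.search(line).group(1).split()
            ev["AVC"].append(fields)
        elif fields["type"] == "SYSCALL":
            ev["SYSCALL"] = fields
    return events


def suggest_rules(event, dontaudit=False):
    """audit2allow-style lines; dontaudit=True silences instead of permitting."""
    verb = "dontaudit" if dontaudit else "allow"
    rules = []
    for avc in event["AVC"]:
        src = avc["scontext"].split(":")[2]  # user:role:TYPE:level -> TYPE
        tgt = avc["tcontext"].split(":")[2]
        perms = " ".join(avc["perms"])
        rules.append(f"{verb} {src} {tgt}:{avc['tclass']} {{ {perms} }};")
    return rules


def describe_syscall(event):
    """Decode arch, syscall number and errno so the denial can be traced to a call."""
    sc = event["SYSCALL"]
    n = int(sc["syscall"])
    known = sc["arch"] == "c000003e" and n in X86_64_SYSCALLS
    call = f"{X86_64_SYSCALLS[n]}()" if known else f"syscall {n} on arch {sc['arch']}"
    err = ERRNO.get(int(sc["exit"]), sc["exit"])
    return f"{sc['exe']} pid {sc['pid']}: {call} failed with {err}"
```

Running it over the sample shows the denied write was raised from a connect() call, which is the kind of mismatch worth checking before deciding between allow and dontaudit.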

Daniel J Walsh 03-30-2010 01:40 PM

dovecot 2.0
 
On 03/30/2010 09:23 AM, Paul Howarth wrote:
> dovecot 2.0 renames some files from 1.x and needs some additional policy:
>
> File contexts:
>
> /etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
>
> /usr/libexec/dovecot/auth --
> gen_context(system_u:object_r:dovecot_auth_exec_t, s0)
>
> /usr/libexec/dovecot/dovecot-lda --
> gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
>
> Rules:
>
> type dovecot_tmp_t;
> files_tmp_file(dovecot_tmp_t)
> manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
> manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
> files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
> allow dovecot_t self:capability kill;
> allow dovecot_t dovecot_auth_t:process signal;
>
> With those additions, I've got dovecot 2.0 running in my simple
> PAM-based environment, leaving just the following AVC:
>
> type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for
> pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454
> scontext=unconfined_u:system_r:dovecot_t:s0
> tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42
> success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0
> ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot"
> subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
>
> I haven't figured out where that's coming from yet but it looks far too
> suspicious to allow, and doesn't seem to break anything when it's not
> allowed.
>
> Paul.
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
Thanks, see if dovecot_t is doing an access check on the file? We can
probably dontaudit it.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Daniel J Walsh 03-30-2010 01:41 PM

dovecot 2.0
 
On 03/30/2010 09:23 AM, Paul Howarth wrote:
> dovecot 2.0 renames some files from 1.x and needs some additional policy:
>
> File contexts:
>
> /etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
>
> /usr/libexec/dovecot/auth --
> gen_context(system_u:object_r:dovecot_auth_exec_t, s0)
>
> /usr/libexec/dovecot/dovecot-lda --
> gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
>
> Rules:
>
> type dovecot_tmp_t;
> files_tmp_file(dovecot_tmp_t)
> manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
> manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
> files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
> allow dovecot_t self:capability kill;
> allow dovecot_t dovecot_auth_t:process signal;
>
> With those additions, I've got dovecot 2.0 running in my simple
> PAM-based environment, leaving just the following AVC:
>
> type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for
> pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454
> scontext=unconfined_u:system_r:dovecot_t:s0
> tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42
> success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0
> ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot"
> subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
>
> I haven't figured out where that's coming from yet but it looks far too
> suspicious to allow, and doesn't seem to break anything when it's not
> allowed.
>
> Paul.
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
Also is this coming to F12 or just F13?
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Paul Howarth 03-30-2010 02:06 PM

dovecot 2.0
 
On 30/03/10 14:41, Daniel J Walsh wrote:
> On 03/30/2010 09:23 AM, Paul Howarth wrote:
>> dovecot 2.0 renames some files from 1.x and needs some additional policy:
>>
>> File contexts:
>>
>> /etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
>>
>> /usr/libexec/dovecot/auth --
>> gen_context(system_u:object_r:dovecot_auth_exec_t, s0)
>>
>> /usr/libexec/dovecot/dovecot-lda --
>> gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
>>
>> Rules:
>>
>> type dovecot_tmp_t;
>> files_tmp_file(dovecot_tmp_t)
>> manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
>> manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
>> files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
>> allow dovecot_t self:capability kill;
>> allow dovecot_t dovecot_auth_t:process signal;
>>
>> With those additions, I've got dovecot 2.0 running in my simple
>> PAM-based environment, leaving just the following AVC:
>>
>> type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for
>> pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454
>> scontext=unconfined_u:system_r:dovecot_t:s0
>> tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
>> type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42
>> success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0
>> ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot"
>> subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
>>
>> I haven't figured out where that's coming from yet but it looks far too
>> suspicious to allow, and doesn't seem to break anything when it's not
>> allowed.
>>
>> Paul.

>>
> Also is this coming to F12 or just F13?

Only Rawhide (F14) at the moment. I doubt that it will appear in F13 as
it's not there yet (I'm not the maintainer btw) and the configuration
has changed from /etc/dovecot.conf to /etc/dovecot/dovecot.conf +
/etc/dovecot/conf.d/*.conf and some of the directives have changed too.

Paul.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Daniel J Walsh 03-30-2010 02:09 PM

dovecot 2.0
 
On 03/30/2010 10:06 AM, Paul Howarth wrote:
> On 30/03/10 14:41, Daniel J Walsh wrote:
>
>> On 03/30/2010 09:23 AM, Paul Howarth wrote:
>>
>>> dovecot 2.0 renames some files from 1.x and needs some additional policy:
>>>
>>> File contexts:
>>>
>>> /etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
>>>
>>> /usr/libexec/dovecot/auth --
>>> gen_context(system_u:object_r:dovecot_auth_exec_t, s0)
>>>
>>> /usr/libexec/dovecot/dovecot-lda --
>>> gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
>>>
>>> Rules:
>>>
>>> type dovecot_tmp_t;
>>> files_tmp_file(dovecot_tmp_t)
>>> manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
>>> manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
>>> files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
>>> allow dovecot_t self:capability kill;
>>> allow dovecot_t dovecot_auth_t:process signal;
>>>
>>> With those additions, I've got dovecot 2.0 running in my simple
>>> PAM-based environment, leaving just the following AVC:
>>>
>>> type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for
>>> pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454
>>> scontext=unconfined_u:system_r:dovecot_t:s0
>>> tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
>>> type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42
>>> success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0
>>> ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>> sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot"
>>> subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
>>>
>>> I haven't figured out where that's coming from yet but it looks far too
>>> suspicious to allow, and doesn't seem to break anything when it's not
>>> allowed.
>>>
>>> Paul.
>>>
>
>>>
>> Also is this coming to F12 or just F13?
>>
> Only Rawhide (F14) at the moment. I doubt that it will appear in F13 as
> it's not there yet (I'm not the maintainer btw) and the configuration
> has changed from /etc/dovecot.conf to /etc/dovecot/dovecot.conf +
> /etc/dovecot/conf.d/*.conf and some of the directives have changed too.
>
> Paul.
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
Ok thanks for the heads up. I will put the changes into F13 policy.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Daniel J Walsh 03-30-2010 02:14 PM

dovecot 2.0
 
On 03/30/2010 10:06 AM, Paul Howarth wrote:
> On 30/03/10 14:41, Daniel J Walsh wrote:
>> On 03/30/2010 09:23 AM, Paul Howarth wrote:
>>> dovecot 2.0 renames some files from 1.x and needs some additional
>>> policy:
>>>
>>> File contexts:
>>>
>>> /etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
>>>
>>> /usr/libexec/dovecot/auth --
>>> gen_context(system_u:object_r:dovecot_auth_exec_t, s0)
>>>
>>> /usr/libexec/dovecot/dovecot-lda --
>>> gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
>>>
>>> Rules:
>>>
>>> type dovecot_tmp_t;
>>> files_tmp_file(dovecot_tmp_t)
>>> manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
>>> manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
>>> files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
>>> allow dovecot_t self:capability kill;
>>> allow dovecot_t dovecot_auth_t:process signal;
>>>
>>> With those additions, I've got dovecot 2.0 running in my simple
>>> PAM-based environment, leaving just the following AVC:
>>>
>>> type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for
>>> pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454
>>> scontext=unconfined_u:system_r:dovecot_t:s0
>>> tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
>>> type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42
>>> success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0
>>> ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>> sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot"
>>> subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
>>>
>>> I haven't figured out where that's coming from yet but it looks far too
>>> suspicious to allow, and doesn't seem to break anything when it's not
>>> allowed.
>>>
>>> Paul.
>
>>>
>> Also is this coming to F12 or just F13?
>
> Only Rawhide (F14) at the moment. I doubt that it will appear in F13
> as it's not there yet (I'm not the maintainer btw) and the
> configuration has changed from /etc/dovecot.conf to
> /etc/dovecot/dovecot.conf + /etc/dovecot/conf.d/*.conf and some of the
> directives have changed too.
>
> Paul.
>
This might be a resend, since thunderbird crashed. But thanks for the
heads-up. Added to F13 policy.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Paul Howarth 04-02-2010 08:48 AM

dovecot 2.0
 
On Tue, 30 Mar 2010 14:23:19 +0100
Paul Howarth <paul@city-fan.org> wrote:

> dovecot 2.0 renames some files from 1.x and needs some additional
> policy:
>
> File contexts:
>
> /etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
>
> /usr/libexec/dovecot/auth --
> gen_context(system_u:object_r:dovecot_auth_exec_t, s0)
>
> /usr/libexec/dovecot/dovecot-lda --
> gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
>
> Rules:
>
> type dovecot_tmp_t;
> files_tmp_file(dovecot_tmp_t)
> manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
> manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
> files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
> allow dovecot_t self:capability kill;
> allow dovecot_t dovecot_auth_t:process signal;

Another rule needed when it regenerates SSL DH parameters:

allow dovecot_t self:process setsched;

Paul.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
