Selinux automatic rule change May 23, 2012 on Dovecot?

t1shopper
Posts: 21
Joined: 2009/12/03 23:15:27

Selinux automatic rule change May 23, 2012 on Dovecot?

Post by t1shopper » 2012/05/24 14:50:40

Dovecot has been working fine for months then at 9PM last night something changed (Selinux rule?) and Dovecot stopped working. Tried to start Dovecot this morning and got this:
[font=Courier]
[root@www ~]# service dovecot start
Starting Dovecot Imap: Error: Can't write to log directory /var/log: Permission denied
Fatal: Invalid configuration in /etc/dovecot.conf
[FAILED][/font]

But disabling Selinux causes it to work:
[font=Courier]
[root@www ~]# setenforce 0
[root@www ~]# service dovecot start
Starting Dovecot Imap: [ OK ]
[/font]

We are using SSL in our Dovecot config. Here's our /etc/dovecot.conf
[font=Courier]
protocols = pop3s
disable_plaintext_auth=yes
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot.log
ssl_disable = no
ssl_cert_file = /etc/pki/tls/certs/www.t1shopper.com.ev.crt
ssl_key_file = /etc/pki/tls/private/www.t1shopper.com.ev.key
ssl_verify_client_cert = no
ssl_parameters_regenerate = 168
ssl_cipher_list = ALL:!LOW:!SSLv2
verbose_ssl = yes
login_process_size = 64
protocol imap {}
protocol pop3 {}
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_
auth default {mechanisms = plain}
passdb pam { }
userdb passwd { }
dict {}
plugin {}
user = root[/font]

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux automatic rule change May 23, 2012 on Dovecot?

Post by TrevorH » 2012/05/24 15:09:48

Check /var/log/yum.log and see if anything was installed around the time it failed. Also, if your system forced a full relabel of the file system on boot, it might revert any selinux context changes that you made to files on the system manually using the chcon command. If you need to use chcon to change a file's context then you're better off using `semanage fcontext ...` instead as this puts rules in place that are used by restorecon.

t1shopper
Posts: 21
Joined: 2009/12/03 23:15:27

Re: Selinux automatic rule change May 23, 2012 on Dovecot?

Post by t1shopper » 2012/05/24 16:39:15

[quote]Check /var/log/yum.log and see if anything was installed around the time it failed.[/quote]
The last time we ran yum was 3 weeks ago, on Apr 30 12:54:21.

[quote]Also, if your system forced a full relabel of the file system on boot...[/quote]
Embarrassingly, I just saw that the system crashed and rebooted itself last night, so whatever these new SELinux rules are, they came into play then.
[font=Courier]
reboot system boot 2.6.18-308.4.1.e Wed May 23 21:11 (11:54)
root pts/1 ip-address Wed May 23 13:26 - crash (07:45)
[/font]

[quote]...it might revert any selinux context changes that you made to files on the system manually using the chcon command.[/quote]
We haven't ever used [font=Courier]chcon[/font] except on users' /home/ directories.

[quote]If you need to use chcon to change a file's context then you're better off using `semanage fcontext ...` instead as this puts rules in place that are used by restorecon.[/quote]
As a stop gap I tried restorecon and it didn't help:
[font=Courier]
[root@www ~]# restorecon -v '/var/log/dovecot.log'
[root@www ~]# service dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: Error: Can't write to log directory /var/log: Permission denied
Fatal: Invalid configuration in /etc/dovecot.conf
[FAILED][/font]
Where do I go from here?

Here's what sealert reporting says.
[font=Courier]
#$ sealert -a /var/log/audit/audit.log
Summary:

SELinux is preventing dovecot (dovecot_t) "add_name" to ./dovecot.log
(var_log_t).

Detailed Description:

SELinux denied access requested by dovecot. It is not expected that this access
is required by dovecot and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./dovecot.log,

restorecon -v './dovecot.log'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context root:system_r:dovecot_t
Target Context system_u:object_r:var_log_t
Target Objects ./dovecot.log [ dir ]
Source dovecot
Source Path /usr/sbin/dovecot
Port
Host
Source RPM Packages dovecot-1.0.7-7.el5_7.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-327.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name www.t1shopper.com
Platform Linux www.t1shopper.com 2.6.18-308.4.1.el5 #1 SMP
Tue Apr 17 17:08:00 EDT 2012 x86_64 x86_64
Alert Count 1
First Seen Thu May 24 07:19:05 2012
Last Seen Thu May 24 07:19:05 2012
Local ID ****
Line Numbers 11795, 11796, 11797

Raw Audit Messages

type=AVC msg=audit(1337869145.10:4121): avc: denied { add_name } for pid=3419 comm="dovecot" name="dovecot.log" scontext=root:system_r:dovecot_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

type=AVC msg=audit(1337869145.10:4121): avc: denied { create } for pid=3419 comm="dovecot" name="dovecot.log" scontext=root:system_r:dovecot_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1337869145.10:4121): arch=c000003e syscall=2 success=yes exit=6 a0=bdbeaa8 a1=441 a2=1b6 a3=441 items=0 ppid=3416 pid=3419 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=108 comm="dovecot" exe="/usr/sbin/dovecot" subj=root:system_r:dovecot_t:s0 key=(null)

--------------------------------------------------------------------------------


Summary:

SELinux is preventing dovecot (dovecot_t) "write" to ./dovecot.log (var_log_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing dovecot (dovecot_t) "write" to ./dovecot.log (var_log_t).
The SELinux type var_log_t, is a generic type for all files in the directory and
very few processes (SELinux Domains) are allowed to write to this SELinux type.
This type of denial usual indicates a mislabeled file. By default a file created
in a directory has the gets the context of the parent directory, but SELinux
policy has rules about the creation of directories, that say if a process
running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write,
unlink, and append on (F2). But if for some reason a file (./dovecot.log) was
created with the wrong context, this domain will be denied. The usual solution
to this problem is to reset the file context on the target file, restorecon -v
'./dovecot.log'. If the file context does not change from var_log_t, then this
is probably a bug in policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or moving
the file from a different directory, if the file keeps getting mislabeled, check
the init scripts to see if they are doing something to mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v './dovecot.log'

The following command will allow this access:

restorecon './dovecot.log'

Additional Information:

Source Context root:system_r:dovecot_t
Target Context root:object_r:var_log_t
Target Objects ./dovecot.log [ file ]
Source dovecot
Source Path /usr/sbin/dovecot
Port
Host
Source RPM Packages dovecot-1.0.7-7.el5_7.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-327.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name mislabeled_file
Host Name www.t1shopper.com
Platform Linux www.t1shopper.com 2.6.18-308.4.1.el5 #1 SMP
Tue Apr 17 17:08:00 EDT 2012 x86_64 x86_64
Alert Count 9
First Seen Thu May 24 07:04:42 2012
Last Seen Thu May 24 09:25:55 2012
Local ID ***
Line Numbers 11766, 11767, 11774, 11775, 11780, 11781, 11803,
11804, 11810, 11811, 11879, 11880, 11890, 11891,
12991, 12992, 13000, 13001

Raw Audit Messages

type=AVC msg=audit(1337876755.831:5310): avc: denied { write } for pid=7035 comm="dovecot" name="dovecot.log" dev=dm-0 ino=16974672 scontext=root:system_r:dovecot_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1337876755.831:5310): arch=c000003e syscall=21 success=yes exit=0 a0=18194aa8 a1=2 a2=20 a3=0 items=0 ppid=7034 pid=7035 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=108 comm="dovecot" exe="/usr/sbin/dovecot" subj=root:system_r:dovecot_t:s0 key=(null)


[/font]

t1shopper
Posts: 21
Joined: 2009/12/03 23:15:27

Re: Selinux automatic rule change May 23, 2012 on Dovecot?

Post by t1shopper » 2012/05/24 16:49:52

Found this bug report: [url=https://bugzilla.redhat.com/show_bug.cgi?id=546352]SELinux is preventing /usr/sbin/dovecot "write" access on /var/log/dovecot/dovecot.log[/url]

Suggests temporary workaround of:

[quote]chcon -R -t dovecot_var_log_t /var/log/dovecot

Will fix it, This labeling will be made default. Fixed in selinux-policy-3.6.32-58.fc12.noarch[/quote]

But I get an error:

[font=Courier][root@www log]# chcon -R -t dovecot_var_log_t /var/log/dovecot.log
chcon: failed to change context of /var/log/dovecot.log to root:object_r:dovecot_var_log_t: Invalid argument[/font]

t1shopper
Posts: 21
Joined: 2009/12/03 23:15:27

Re: Selinux automatic rule change May 23, 2012 on Dovecot?

Post by t1shopper » 2012/05/24 17:09:15

Since I found [url=https://bugzilla.redhat.com/show_bug.cgi?id=629731]another bug report[/url] saying it should have been fixed, this will probably continue to be an issue, so I spent all morning figuring out how to fix it. Here's what I did, but let me know if you all think this is a bad idea or there's a better way:

[font=Courier][root@www ~]# grep dovecot_t /var/log/audit/audit.log | audit2allow -m dovecot > dovecot.te
[root@www ~]# cat dovecot.te

module dovecot 1.0;

require {
type var_log_t;
type dovecot_t;
class file { write create };
class dir { write add_name };
}

#============= dovecot_t ==============
allow dovecot_t var_log_t:dir { write add_name };
allow dovecot_t var_log_t:file { write create };
[root@www ~]# grep dovecot_t /var/log/audit/audit.log | audit2allow -M dovecot
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i dovecot.pp

[root@www ~]# semodule -i dovecot.pp
[root@www ~]# setenforce 1
[root@www ~]# service dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
[/font]

BTW we're on:

[font=Courier][root@www ~]# uname -a
Linux www.t1shopper.com 2.6.18-308.4.1.el5 #1 SMP Tue Apr 17 17:08:00 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux[/font]
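As an added example (not code from this thread, nor from the Dovecot, audit2allow or selinux-policy projects), the Python script below reproduces in miniature what the `audit2allow -m dovecot` step above does: it parses the raw AVC records quoted in the sealert output earlier in the thread, merges them into allow rules per (source type, target type, object class), and renders a `.te` module in the same layout. It also flags what sealert's `mislabeled_file` plugin was hinting at: every rule targets the generic `var_log_t` type, so the module grants dovecot_t write access to all of /var/log rather than to its own log file. The sample audit lines are the thread's own; the rule that `add_name` on a directory pulls in `write` mirrors the `.te` output above, where audit2allow emitted `dir { write add_name }` although only `add_name` was denied; the list of generic types used for the mislabel heuristic is hand-picked for this example (sealert consults the installed policy instead).

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this thread plus a SYSCALL
# record, which the parser must skip (the SYSCALL line is shortened here).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1337869145.10:4121): avc: denied { add_name } for pid=3419 comm="dovecot" name="dovecot.log" scontext=root:system_r:dovecot_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1337869145.10:4121): avc: denied { create } for pid=3419 comm="dovecot" name="dovecot.log" scontext=root:system_r:dovecot_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1337869145.10:4121): arch=c000003e syscall=2 success=yes exit=6 comm="dovecot" exe="/usr/sbin/dovecot" subj=root:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1337876755.831:5310): avc: denied { write } for pid=7035 comm="dovecot" name="dovecot.log" dev=dm-0 ino=16974672 scontext=root:system_r:dovecot_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
"""

# One AVC record: the denied permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# Permissions folded in alongside the denied one, as seen in the thread's .te:
# "dir { write add_name }" was generated from a bare add_name denial.
IMPLIED_PERMS = {"dir": {"add_name": {"write"}, "remove_name": {"write"}}}

# Generic file types that most domains are deliberately NOT allowed to write.
# A denial against one of these usually means the object is mislabeled.
# Heuristic list chosen for this example; sealert uses the real policy.
GENERIC_TYPES = {"var_log_t", "var_t", "var_lib_t", "etc_t", "tmp_t", "usr_t"}


def selinux_type(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return one (source_type, target_type, tclass, perms) tuple per AVC line."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, PATH, CWD ... records carry no denial
        perms = set(m["perms"].split())
        for perm in list(perms):
            perms |= IMPLIED_PERMS.get(m["tclass"], {}).get(perm, set())
        denials.append((selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                        m["tclass"], frozenset(perms)))
    return denials


def build_allow_rules(denials):
    """Merge denials into {(source, target, tclass): sorted permission list}."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in denials:
        merged[(src, tgt, tclass)] |= perms
    return {key: sorted(perms) for key, perms in merged.items()}


def render_te(rules, module_name, version="1.0"):
    """Render a type-enforcement module in the layout audit2allow -m produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= set(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for src in sorted({key[0] for key in rules}):
        out.append(f"#============= {src} ==============")
        for (s, tgt, tclass), perms in sorted(rules.items()):
            if s == src:
                out.append(f"allow {s} {tgt}:{tclass} {{ {' '.join(perms)} }};")
    return "\n".join(out) + "\n"


def mislabel_suspects(rules):
    """Target types that are generic: relabel the object instead of widening policy."""
    return sorted({tgt for (_, tgt, _) in rules if tgt in GENERIC_TYPES})


if __name__ == "__main__":
    rules = build_allow_rules(parse_denials(SAMPLE_AUDIT_LOG))
    print(render_te(rules, "dovecot"))
    for tgt in mislabel_suspects(rules):
        print(f"# NOTE: target type {tgt} is generic; prefer restorecon / semanage fcontext")
```

Running it prints the same two allow rules as the thread's dovecot.te (permission order aside) and then the note about var_log_t. That note is the practical point: the generated module makes Dovecot start, but it does so by letting dovecot_t create and write files anywhere under /var/log, which is wider than the confinement the policy intended. The persistent alternative TrevorH describes is to record the intended label with `semanage fcontext -a -t <log type> /var/log/dovecot.log` and then apply it with `restorecon -v /var/log/dovecot.log`, which survives a relabel on reboot; it only works if that type exists in the installed policy, which is what the "Invalid argument" from chcon above says dovecot_var_log_t did not on this EL5 policy version.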

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Selinux automatic rule change May 23, 2012 on Dovecot?

Post by pschaff » 2012/05/24 20:50:02

[quote]
t1shopper wrote:
Since I found I [url=https://bugzilla.redhat.com/show_bug.cgi?id=629731]another bug report[/url] saying it should have been fixed ...[/quote]
Looks reasonable to me, but as that's a Fedora 13 bug, if it is still a problem then it seems it is either a regression or the fix never made it to EL6. In either case sounds like a new EL6 bug report may be in order; however...

[quote]
BTW we're on:

[font=Courier][root@www ~]# uname -a
Linux www.t1shopper.com 2.6.18-308.4.1.el5 #1 SMP Tue Apr 17 17:08:00 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux[/font][/quote]
Time for a "yum update" - which should precede any bug report. Not sure how to prove at this point your problem was not a bug that has been fixed since you last updated.
[code]# uname -rmi
2.6.32-220.17.1.el6.x86_64 x86_64 x86_64
[/code]

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux automatic rule change May 23, 2012 on Dovecot?

Post by TrevorH » 2012/05/24 23:34:44

However, 2.6.18-308-4.1.el5 seems pretty up to date for a CentOS [u]5[/u] system :-)

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Selinux automatic rule change May 23, 2012 on Dovecot?

Post by pschaff » 2012/05/24 23:42:51

Time to go eat dinner and hide under a rock. :-)
