[SOLVED] postfix/spamassassin/dovecot

Issues related to applications and software problems
Typhome
Posts: 27
Joined: 2016/07/09 08:34:03

Re: postfix/spamassassin/dovecot

Post by Typhome » 2019/07/02 16:07:29

I disabled & enabled selinux and then got some new "avc denied" logged in /var/log/audit/audit.log
type=AVC msg=audit(1562002491.518:17778274): avc: denied { connectto } for pid=24588 comm="dovecot-lda" path="/run/dovecot/auth-userdb" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_$

type=AVC msg=audit(1562002070.086:17778132): avc: denied { read } for pid=23581 comm="dovecot-lda" name="mail" dev="md1" ino=52168858 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=lnk_file pe$
type=AVC msg=audit(1562002070.090:17778133): avc: denied { read } for pid=23581 comm="dovecot-lda" name="info" dev="md1" ino=89915711 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permiss$
type=AVC msg=audit(1562002070.093:17778134): avc: denied { open } for pid=23581 comm="dovecot-lda" path="/var/spool/mail/vhosts/example.com/info/dovecot.index.log" dev="md1" ino=89916700 scontext=system_u:system_r:spamc_t:s0 tcontext=$
type=AVC msg=audit(1562002070.093:17778135): avc: denied { getattr } for pid=23581 comm="dovecot-lda" path="/var/spool/mail/vhosts/example.com/info/dovecot.index.log" dev="md1" ino=89916700 scontext=system_u:system_r:spamc_t:s0 tconte$
type=AVC msg=audit(1562002070.093:17778136): avc: denied { write } for pid=23581 comm="dovecot-lda" name="dovecot.index" dev="md1" ino=89915715 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=f$
type=AVC msg=audit(1562002070.094:17778137): avc: denied { write } for pid=23581 comm="dovecot-lda" name="tmp" dev="md1" ino=89915714 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permiss$
type=AVC msg=audit(1562002070.094:17778137): avc: denied { add_name } for pid=23581 comm="dovecot-lda" name="1562002070.M85915P23581.ns326984" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=di$
type=AVC msg=audit(1562002070.094:17778137): avc: denied { create } for pid=23581 comm="dovecot-lda" name="1562002070.M85915P23581.ns326984" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file$
type=AVC msg=audit(1562002070.166:17778138): avc: denied { lock } for pid=23581 comm="dovecot-lda" path="/var/spool/mail/vhosts/example.com/info/dovecot.index.log" dev="md1" ino=89916700 scontext=system_u:system_r:spamc_t:s0 tcontext=$
type=AVC msg=audit(1562002070.166:17778139): avc: denied { remove_name } for pid=23581 comm="dovecot-lda" name="1562002070.M85915P23581.ns326984" dev="md1" ino=89916587 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r$
type=AVC msg=audit(1562002070.166:17778139): avc: denied { rename } for pid=23581 comm="dovecot-lda" name="1562002070.M85915P23581.ns326984" dev="md1" ino=89916587 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail$
type=AVC msg=audit(1562002070.300:17778140): avc: denied { unlink } for pid=23581 comm="dovecot-lda" name="dovecot-uidlist.lock" dev="md1" ino=89916588 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail_spool_t:s0


[root@ns326984 ~]# cat /root/spamc_dovecot.log | audit2allow -a


#============= spamc_t ==============

#!!!! This avc is allowed in the current policy
allow spamc_t dovecot_deliver_exec_t:file { execute execute_no_trans open read };

#!!!! This avc is allowed in the current policy
allow spamc_t dovecot_etc_t:dir read;

#!!!! This avc is allowed in the current policy
allow spamc_t dovecot_etc_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow spamc_t dovecot_t:unix_stream_socket connectto;

#!!!! This avc is allowed in the current policy
allow spamc_t mail_spool_t:dir { add_name read remove_name write };

#!!!! This avc is allowed in the current policy
allow spamc_t mail_spool_t:file { append create getattr lock open read rename unlink write };

#!!!! This avc is allowed in the current policy
allow spamc_t mail_spool_t:lnk_file read;

#============= spamd_t ==============

#!!!! This avc is allowed in the current policy
allow spamd_t mail_spool_t:dir { getattr search };

#!!!! This avc is allowed in the current policy
allow spamd_t mail_spool_t:file { getattr ioctl open read };

#!!!! This avc is allowed in the current policy
allow spamd_t mail_spool_t:lnk_file read;
[root@ns326984 ~]#
After that I am still receiving the same error... and I still don't see any new "avc denied" in /var/log/audit/audit.log... even with disabling & enabling selinux.
Jul 1 19:53:01 ns326984 postfix/pipe[27202]: 65A9B4201526: to=<info@example.com>, orig_to=<info2@example.com>, relay=spamassassin, delay=11052, delays=11030/0.11/0/22, dsn=4.3.0, status=deferred (temporary failure. Command output: lda(info@example.com,)Error: Error reading configuration: stat(/etc/dovecot/dovecot.conf) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/dovecot.conf stat(/etc/dovecot/dovecot.conf) failed: Permission denied, dir owned by 0:0 mode=0755) lda: Fatal: Internal error occurred. Refer to server log for more information. )
No wonder people recommend disabling selinux...
Last edited by Typhome on 2019/07/02 18:49:32, edited 2 times in total.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: postfix/spamassassin/dovecot

Post by TrevorH » 2019/07/02 16:18:10

You didn't clear out your audit logs so it's picked up all the old avcs which is why it's generated a policy that contains things it says are already allowed.

Try this:

service auditd rotate
(now move/rename/delete the old logs in /var/log/audit)
setenforce 0
recreate the problem
Check for new AVCs in audit log

If nothing shows up, run semodule -DB to disable the dontaudit rules that suppress common but allowable errors and repeat the above.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Typhome
Posts: 27
Joined: 2016/07/09 08:34:03

Re: postfix/spamassassin/dovecot

Post by Typhome » 2019/07/02 16:38:33


[root@ns326984 ~]# semodule -DB
[root@ns326984 ~]# service auditd rotate
Rotating logs:                                             [  OK  ]
[root@ns326984 ~]# setenforce 0

//... I sent email from gmail to my mailserver and I received it ...//

[root@ns326984 ~]# cat /var/log/audit/audit.log > /root/selinux_mailserver1.log
[root@ns326984 ~]# cat /root/selinux_mailserver1.log | audit2allow -a -M selinux_mailserver1
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i selinux_mailserver1.pp

[root@ns326984 ~]# semodule -i selinux_mailserver1.pp
[root@ns326984 ~]# setenforce 1
[root@ns326984 ~]# semodule -B
And now I'm getting the same but different error:
Jul 2 18:37:54 ns326984 postfix/pipe[17350]: 6AB984201512: to=<info@example.com>, relay=spamassassin, delay=568, delays=557/0.04/0/11, dsn=4.3.0, status=deferred (temporary failure. Command output: lda(info@example.com,)Error: Error reading configuration: stat(/etc/dovecot/dovecot.conf) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +x perm: /etc/dovecot, UNIX perms appear ok (ACL/MAC wrong?)) lda: Fatal: Internal error occurred. Refer to server log for more information. )
After that I repeated it several more times, not getting any new AVCs.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: postfix/spamassassin/dovecot

Post by TrevorH » 2019/07/02 17:40:21

Can you show the text version of the policy selinux_mailserver1.te?

ls -laRZ /etc/dovecot

Typhome
Posts: 27
Joined: 2016/07/09 08:34:03

Re: postfix/spamassassin/dovecot

Post by Typhome » 2019/07/02 17:43:44

TrevorH wrote (2019/07/02 17:40:21):
Can you show the text version of the policy selinux_mailserver1.te?

module selinux_mailserver1 1.0;

require {
        type postfix_smtpd_t;
        type postfix_master_t;
        class process { noatsecure rlimitinh siginh };
}

#============= postfix_master_t ==============
allow postfix_master_t postfix_smtpd_t:process { noatsecure rlimitinh siginh };
TrevorH wrote (2019/07/02 17:40:21):
ls -laRZ /etc/dovecot

[root@ns326984 ~]# ls -laRZ /etc/dovecot
/etc/dovecot:
drwxr-x--x. vmail dovecot system_u:object_r:dovecot_etc_t:s0 .
drwxr-xr-x. root  root    system_u:object_r:etc_t:s0       ..
drwxr-x---. vmail dovecot system_u:object_r:dovecot_etc_t:s0 conf.d
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 dovecot.conf
-rw-r-----. vmail dovecot unconfined_u:object_r:dovecot_etc_t:s0 dovecot.conf.orig
-rw-r-----. vmail dovecot unconfined_u:object_r:dovecot_etc_t:s0 dovecot-sql.conf.ext
drwxr-xr-x. vmail vmail   unconfined_u:object_r:dovecot_etc_t:s0 sieve

/etc/dovecot/conf.d:
drwxr-x---. vmail dovecot system_u:object_r:dovecot_etc_t:s0 .
drwxr-x--x. vmail dovecot system_u:object_r:dovecot_etc_t:s0 ..
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 10-auth.conf
-rw-r-----. vmail dovecot unconfined_u:object_r:dovecot_etc_t:s0 10-auth.conf.orig
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 10-director.conf
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 10-logging.conf
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 10-mail.conf
-rw-r-----. vmail dovecot unconfined_u:object_r:dovecot_etc_t:s0 10-mail.conf.orig
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 10-master.conf
-rw-r-----. vmail dovecot unconfined_u:object_r:dovecot_etc_t:s0 10-master.conf.orig
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 10-ssl.conf
-rw-r-----. vmail dovecot unconfined_u:object_r:dovecot_etc_t:s0 10-ssl.conf.orig
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 15-lda.conf
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 15-mailboxes.conf
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 20-imap.conf
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 20-lmtp.conf
-rw-r--r--. root  root    system_u:object_r:dovecot_etc_t:s0 20-managesieve.conf
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 20-pop3.conf
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 90-acl.conf
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 90-plugin.conf
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 90-quota.conf
-rw-r--r--. root  root    system_u:object_r:dovecot_etc_t:s0 90-sieve.conf
-rw-r--r--. root  root    system_u:object_r:dovecot_etc_t:s0 90-sieve-extprograms.conf
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 auth-checkpassword.conf.ext
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 auth-deny.conf.ext
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 auth-dict.conf.ext
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 auth-ldap.conf.ext
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 auth-master.conf.ext
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 auth-passwdfile.conf.ext
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 auth-sql.conf.ext
-rw-r-----. vmail dovecot unconfined_u:object_r:dovecot_etc_t:s0 auth-sql.conf.ext.orig
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 auth-static.conf.ext
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 auth-system.conf.ext
-rw-r-----. vmail dovecot system_u:object_r:dovecot_etc_t:s0 auth-vpopmail.conf.ext

/etc/dovecot/sieve:
drwxr-xr-x. vmail vmail   unconfined_u:object_r:dovecot_etc_t:s0 .
drwxr-x--x. vmail dovecot system_u:object_r:dovecot_etc_t:s0 ..
-rw-r--r--. vmail vmail   unconfined_u:object_r:dovecot_etc_t:s0 default.sieve
-rw-------. vmail vmail   system_u:object_r:dovecot_etc_t:s0 default.sieve.log
-rw-r--r--. vmail vmail   system_u:object_r:dovecot_etc_t:s0 default.svbin
Config files with ".orig" are backup original config files.

dovecot -n output
postconf -n output

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: postfix/spamassassin/dovecot

Post by TrevorH » 2019/07/02 17:53:39

This'll be around about the time where I say "I have no idea" and point you to the Fedora SELinux mailing list where the real experts hang out. Or the Freenode IRC #selinux channel if you prefer that medium.

Typhome
Posts: 27
Joined: 2016/07/09 08:34:03

Re: postfix/spamassassin/dovecot

Post by Typhome » 2019/07/02 18:41:52

Thanks for your help & redirecting me to #selinux in Freenode IRC.
Thanks to grift from #selinux in Freenode IRC who provided this fix:


cat > myspamc.te <<EOF
policy_module(myspamc,1.0.0)
gen_require(\` type spamc_t; ')
dovecot_domtrans_deliver(spamc_t)
EOF
make -f /usr/share/selinux/devel/Makefile myspamc.pp
sudo semodule -i myspamc.pp
and everything works.
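As an added example, not code from the thread, from Dovecot, SpamAssassin or the SELinux reference policy: a small Python parser for type=AVC records of the kind pasted earlier in this thread. It does two things. First, it groups denials by source type, target type and object class and emits the allow rules audit2allow would propose from them. Second, it lists which comm= values ran in each source domain. That second view is the signal that explains the final fix: dovecot-lda running with scontext spamc_t means the exec of the delivery binary never transitioned into Dovecot's deliver domain, so the least-privilege fix is the domain transition grift supplied (dovecot_domtrans_deliver(spamc_t)), not the broad allow rules in the earlier audit2allow output, which would hand the spamc client direct write access to the whole mail spool. The sample records are constructed to resemble the thread's (the thread's own lines are cut off at the right), and the function names are mine. One caveat worth knowing when reproducing the earlier post: audit2allow -a reads the audit log itself and ignores anything piped into it, which is part of why old denials kept reappearing; use audit2allow -i <file> to feed it a saved log.

```python
"""Summarise SELinux AVC denials into audit2allow-style rules.

Added example for the forum thread above, not from any of the projects
discussed. Parses type=AVC records, groups them by (source type, target
type, class) and reports which commands ran in which source domain.
"""
import re
import sys
from collections import defaultdict

# Constructed sample records, modelled on the (truncated) ones in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1562002070.086:17778132): avc:  denied  { read } for  pid=23581 comm="dovecot-lda" name="mail" dev="md1" ino=52168858 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1562002070.093:17778134): avc:  denied  { open } for  pid=23581 comm="dovecot-lda" path="/var/spool/mail/vhosts/example.com/info/dovecot.index.log" dev="md1" ino=89916700 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562002070.093:17778136): avc:  denied  { write } for  pid=23581 comm="dovecot-lda" name="dovecot.index" dev="md1" ino=89915715 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562002070.094:17778137): avc:  denied  { write add_name } for  pid=23581 comm="dovecot-lda" name="tmp" dev="md1" ino=89915714 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1562002491.518:17778274): avc:  denied  { connectto } for  pid=24588 comm="dovecot-lda" path="/run/dovecot/auth-userdb" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1562002491.518:17778274): arch=c000003e syscall=42 success=yes exit=0
"""

# Fields appear in this order in kernel AVC records: verdict, permissions,
# comm, scontext, tcontext, tclass. Non-AVC records (SYSCALL, CWD, ...) do
# not match and are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def context_type(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(':')[2]


def parse_avc(text):
    """Return one dict per denied AVC record found in the audit log text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('verdict') != 'denied':
            continue
        records.append({
            'perms': m.group('perms').split(),
            'comm': m.group('comm'),
            'stype': context_type(m.group('scontext')),
            'ttype': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return records


def allow_rules(records):
    """Emit audit2allow-style allow lines, one per (source, target, class)."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        plist = ' '.join(sorted(perms))
        if len(perms) > 1:
            plist = '{ ' + plist + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {plist};')
    return rules


def commands_per_domain(records):
    """Map each source domain to the sorted list of comm= values seen in it.

    A delivery binary showing up under a client domain (here dovecot-lda
    under spamc_t) means the exec did not domain-transition, which points
    to a missing domtrans rule rather than to missing file permissions.
    """
    seen = defaultdict(set)
    for r in records:
        seen[r['stype']].add(r['comm'])
    return {domain: sorted(comms) for domain, comms in seen.items()}


if __name__ == '__main__':
    # Usage: python avc_summary.py [audit.log]; with no argument the
    # constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    recs = parse_avc(text)
    print('# proposed allow rules (what audit2allow would generate)')
    for rule in allow_rules(recs):
        print(rule)
    print('# commands observed per source domain')
    for domain, comms in sorted(commands_per_domain(recs).items()):
        print(f'{domain}: {", ".join(comms)}')
```

Run against the constructed sample, the rule list reproduces the shape of the spamc_t block in the earlier audit2allow output, while the per-domain view shows only dovecot-lda under spamc_t. A real run would take the file saved after `service auditd rotate` / `setenforce 0` / reproduce, or the output of `ausearch -m avc`.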
