[Bug 1219364] New: [SELinux] AVC denial dovecot
https://bugzilla.suse.com/show_bug.cgi?id=1219364

            Bug ID: 1219364
           Summary: [SELinux] AVC denial dovecot
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: mcepl@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

I have dovecot running on localhost of my workstation, and when switching to SELinux on a new Tumbleweed machine, I got this:

mitmanek:~ # ausearch -m AVC -ts 22:30 |grep -v -i apparmor|grep dovecot
type=AVC msg=audit(1706651785.442:142): avc: denied { search } for pid=20932 comm="auth" name="logins" dev="nvme0n1p3" ino=145649 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1706651785.446:143): avc: denied { read } for pid=20932 comm="auth" name="unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706651785.446:144): avc: denied { open } for pid=20932 comm="auth" path="/etc/selinux/targeted/contexts/users/unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706651785.446:145): avc: denied { getattr } for pid=20932 comm="auth" path="/etc/selinux/targeted/contexts/users/unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706651785.446:146): avc: denied { setexec } for pid=20932 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1706651785.446:148): avc: denied { setkeycreate } for pid=20932 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
mitmanek:~ #

Moved `dovecot_t` to the permissive domains. I believe labels should be correct (relabelled the whole system not that long ago).

--
You are receiving this mail because:
You are on the CC list for the bug.

Hu <cathy.hu@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|security-team@suse.de       |cathy.hu@suse.com
                 CC|                            |cathy.hu@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1219364#c1

--- Comment #1 from Hu <cathy.hu@suse.com> ---
Hi Matej,

thanks for your report. Could you please switch the dovecot_t back to enforcing and send the AVCs that are generated by that? Also could you please describe what you did that generated these AVCs? Often AVCs generated in permissive mode are not reliable to work with and sometimes they can never happen in enforcing mode.

In general, could you please provide the information that is described here, especially the policy version you are working with?
https://en.opensuse.org/openSUSE:Bugreport_SELinux

Thanks a lot!

https://bugzilla.suse.com/show_bug.cgi?id=1219364#c2

Matej Cepl <mcepl@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #2 from Matej Cepl <mcepl@suse.com> ---
I think my configuration is so non-standard that I will close this bug now.
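
Added example (not part of the bug report and not openSUSE tooling): comment #1 asks for enforcing-mode denials because records logged with permissive=1 did not block anything. This parser groups AVC records in the format shown in the report by mode, source type, target type and class. The sample records are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the report's format (not real audit data).
SAMPLE = """\
type=AVC msg=audit(1700000000.100:10): avc: denied { search } for pid=100 comm="auth" name="logins" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.200:11): avc: denied { read } for pid=100 comm="auth" name="unconfined_u" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.200:12): avc: denied { open } for pid=100 comm="auth" path="/etc/x" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000009.000:20): avc: denied { search } for pid=200 comm="auth" name="logins" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<perm>[01]))?"
)

def sel_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (mode, source type, target type, class) -> permissions."""
    out = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        # A record without a permissive= field is reported as "unknown".
        mode = {"1": "permissive", "0": "enforcing", None: "unknown"}[m["perm"]]
        key = (mode, sel_type(m["s"]), sel_type(m["t"]), m["cls"])
        out[key].update(m["perms"].split())
    return dict(out)

def enforced_only(summary):
    """Keep only denials that actually blocked an access (permissive=0)."""
    return {k[1:]: v for k, v in summary.items() if k[0] == "enforcing"}

if __name__ == "__main__":
    for (mode, s, t, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{mode:10} {s} -> {t}:{cls} {{ {' '.join(sorted(perms))} }}")
```

Feed it the text output of `ausearch -m AVC` to see which denials were enforced and which were only logged.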