Bug 1219364

Summary: [SELinux] AVC denial dovecot
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Matej Cepl <mcepl>
Component: Security
Assignee: Cathy Hu <cathy.hu>
Status: RESOLVED INVALID
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: cathy.hu
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Matej Cepl 2024-01-30 22:25:08 UTC
I have dovecot running on localhost of my workstation, and when switching to SELinux on a new Tumbleweed machine, I got this:

mitmanek:~ # ausearch -m AVC -ts 22:30 |grep -v -i apparmor|grep dovecot
type=AVC msg=audit(1706651785.442:142): avc:  denied  { search } for  pid=20932 comm="auth" name="logins" dev="nvme0n1p3" ino=145649 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1706651785.446:143): avc:  denied  { read } for  pid=20932 comm="auth" name="unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706651785.446:144): avc:  denied  { open } for  pid=20932 comm="auth" path="/etc/selinux/targeted/contexts/users/unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706651785.446:145): avc:  denied  { getattr } for  pid=20932 comm="auth" path="/etc/selinux/targeted/contexts/users/unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706651785.446:146): avc:  denied  { setexec } for  pid=20932 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1706651785.446:148): avc:  denied  { setkeycreate } for  pid=20932 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
mitmanek:~ # 

Moved `dovecot_t` to the permissive domains. I believe the labels should be correct (I relabelled the whole system not that long ago).
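As an added example that is not part of this report (nor openSUSE's own tooling), the following Python parses AVC records like the ones above into their fields, groups the denials by source type, target type and object class, and tracks whether every record in a group was logged with permissive=1, since denials collected only in permissive mode may never occur once the domain is enforcing. The sample input is three records quoted from this report plus one constructed record (audit id 999) with permissive=0.

```python
import re
from collections import defaultdict

# Sample input: three AVC records quoted from the report above, plus one
# constructed record (audit id 999) with permissive=0 to show the contrast.
SAMPLE_AVCS = """\
type=AVC msg=audit(1706651785.442:142): avc:  denied  { search } for  pid=20932 comm="auth" name="logins" dev="nvme0n1p3" ino=145649 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1706651785.446:144): avc:  denied  { open } for  pid=20932 comm="auth" path="/etc/selinux/targeted/contexts/users/unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706651785.446:146): avc:  denied  { setexec } for  pid=20932 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1706651999.000:999): avc:  denied  { search } for  pid=20999 comm="auth" name="logins" dev="nvme0n1p3" ino=145649 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
        "target": fields.get("path") or fields.get("name"),
    }

def summarize(text):
    """Group denials by (source type, target type, class) and merge their permissions.
    permissive_only stays True while every record in the group carries permissive=1,
    i.e. there is no evidence yet that the access would be blocked in enforcing mode."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set(), "permissive_only": True})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        stype = rec["scontext"].split(":")[2]  # system_u:system_r:TYPE:s0 -> TYPE
        ttype = rec["tcontext"].split(":")[2]
        g = groups[(stype, ttype, rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["permissive_only"] &= rec["permissive"]
        if rec["target"]:
            g["targets"].add(rec["target"])
    return dict(groups)
```

Calling summarize(SAMPLE_AVCS) yields three groups; the dir group comes back with permissive_only False because of the constructed permissive=0 record, the file and process groups with True.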
Comment 1 Cathy Hu 2024-01-31 09:25:57 UTC
Hi Matej,

thanks for your report. Could you please switch the dovecot_t back to enforcing and send the AVCs that are generated by that? Also, could you please describe what you did that generated these AVCs? Often AVCs generated in permissive mode are not reliable to work with, and sometimes they can never happen in enforcing mode.

In general, could you please provide the information that is described here, especially the policy version you are working with?
https://en.opensuse.org/openSUSE:Bugreport_SELinux

Thanks a lot!
Comment 2 Matej Cepl 2024-02-21 11:24:06 UTC
I think my configuration is so non-standard that I will close this bug now.