Bug 1219364 - [SELinux] AVC denial dovecot
Summary: [SELinux] AVC denial dovecot
Status: RESOLVED INVALID
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Cathy Hu
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-30 22:25 UTC by Matej Cepl
Modified: 2024-02-21 11:24 UTC
CC List: 1 user

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Matej Cepl 2024-01-30 22:25:08 UTC
I have dovecot running on localhost on my workstation, and when switching to SELinux on a new Tumbleweed machine, I got this:

mitmanek:~ # ausearch -m AVC -ts 22:30 |grep -v -i apparmor|grep dovecot
type=AVC msg=audit(1706651785.442:142): avc:  denied  { search } for  pid=20932 comm="auth" name="logins" dev="nvme0n1p3" ino=145649 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1706651785.446:143): avc:  denied  { read } for  pid=20932 comm="auth" name="unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706651785.446:144): avc:  denied  { open } for  pid=20932 comm="auth" path="/etc/selinux/targeted/contexts/users/unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706651785.446:145): avc:  denied  { getattr } for  pid=20932 comm="auth" path="/etc/selinux/targeted/contexts/users/unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706651785.446:146): avc:  denied  { setexec } for  pid=20932 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1706651785.446:148): avc:  denied  { setkeycreate } for  pid=20932 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
mitmanek:~ # 

Moved `dovecot_t` to the permissive domains. I believe the labels should be correct (I relabelled the whole system not that long ago).
Comment 1 Cathy Hu 2024-01-31 09:25:57 UTC
Hi Matej,

Thanks for your report. Could you please switch dovecot_t back to enforcing and send the AVCs that are generated by that? Also, could you please describe what you did that generated these AVCs? Often AVCs generated in permissive mode are not reliable to work with, and sometimes they can never happen in enforcing mode.

In general, could you please provide the information that is described here, especially the policy version you are working with?
https://en.opensuse.org/openSUSE:Bugreport_SELinux

Thanks a lot!
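A small parser for the AVC records quoted in the description, grouping denials by (source type, target type, class) the way a policy maintainer triages them, and flagging groups that were only ever seen with permissive=1 (the caveat raised in Comment 1). This is an added example, not code from the bug report or from the openSUSE SELinux policy; the sample input reuses three records from the report plus one constructed enforcing-mode record.

```python
import re
from collections import defaultdict
# Constructed sample: three records quoted in the report (dir search, file open,
# process setexec) plus one constructed record with permissive=0 for contrast.
SAMPLE_AVCS = """\
type=AVC msg=audit(1706651785.442:142): avc:  denied  { search } for  pid=20932 comm="auth" name="logins" dev="nvme0n1p3" ino=145649 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1706651785.446:144): avc:  denied  { open } for  pid=20932 comm="auth" path="/etc/selinux/targeted/contexts/users/unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706651785.446:146): avc:  denied  { setexec } for  pid=20932 comm="auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1706651790.000:150): avc:  denied  { getattr } for  pid=20940 comm="auth" path="/etc/selinux/targeted/contexts/users/unconfined_u" dev="nvme0n1p3" ino=145643 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=0
"""

# ausearch prints: avc:  denied  { perm perm } for  key=value key="value" ...
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["verdict"] = m.group("verdict")
    rec["perms"] = set(m.group("perms").split())
    rec["permissive"] = rec.get("permissive") == "1"  # audit field is "1"/"0"
    return rec

def type_of(ctx):
    """Type component of a user:role:type:level context (what policy rules use)."""
    return ctx.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class); track whether all were permissive."""
    groups = defaultdict(lambda: {"perms": set(), "permissive_only": True})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"] |= rec["perms"]
        if not rec["permissive"]:
            groups[key]["permissive_only"] = False
    return dict(groups)

def report(text):
    """One triage line per group; permissive-only groups still need confirming in enforcing mode."""
    out = []
    for (src, tgt, cls), g in sorted(summarize(text).items()):
        tag = "  [seen only with permissive=1; confirm in enforcing mode]" if g["permissive_only"] else ""
        out.append(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }}{tag}")
    return out
```

Feed it the output of `ausearch -m AVC` (as in the report) to see which denials disappear once the domain is back in enforcing mode.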
Comment 2 Matej Cepl 2024-02-21 11:24:06 UTC
I think my configuration is so non-standard that I will close this bug now.