[Dovecot] deliver triggering SELinux AVC denials
Gerry Reno
greno at verizon.net
Wed Jan 2 05:06:57 EET 2008
I set up postfix/dovecot on a new machine and now all works well with the
small exception of dovecot triggering SELinux AVC denials on some
temp... files. Here is a sample alert:
Summary
SELinux is preventing /usr/libexec/dovecot/deliver (dovecot_deliver_t) "link" to temp.localhost.678.40caaf5592891c46 (user_home_dir_t).

Detailed Description
SELinux denied access requested by /usr/libexec/dovecot/deliver. It is not expected that this access is required by /usr/libexec/dovecot/deliver and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for temp.localhost.678.40caaf5592891c46, restorecon -v temp.localhost.678.40caaf5592891c46 If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context user_u:system_r:dovecot_deliver_t
Target Context user_u:object_r:user_home_dir_t
Target Objects temp.localhost.678.40caaf5592891c46 [ file ]
Affected RPM Packages dovecot-1.0.7-16.fc7 [application]
Policy RPM selinux-policy-2.6.4-63.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name localhost
Platform Linux localhost 2.6.23.8-34.fc7 #1 SMP Thu Nov 22 23:05:33 EST 2007 i686 athlon
Alert Count 1
First Seen Tue 01 Jan 2008 09:29:35 PM EST
Last Seen Tue 01 Jan 2008 09:29:35 PM EST
Local ID 507dd6a2-da46-4541-8c10-a0771bc85042
Line Numbers

Raw Audit Messages
avc: denied { link } for comm="deliver" dev=dm-0 egid=5000 euid=5000 exe="/usr/libexec/dovecot/deliver" exit=0 fsgid=5000 fsuid=5000 gid=5000 items=0 name="temp.localhost.678.40caaf5592891c46" pid=678 scontext=user_u:system_r:dovecot_deliver_t:s0 sgid=5000 subj=user_u:system_r:dovecot_deliver_t:s0 suid=5000 tclass=file tcontext=user_u:object_r:user_home_dir_t:s0 tty=(none) uid=5000
and 5000 is user vmail.
When I look for the files it is complaining about, they are never
in the filesystem. I get about 8 alerts with every email that is
delivered. Right now I have SELinux set to permissive so that the mail
gets delivered, but I would like to find the cause of this problem so
that I can set it back to enforcing.
Gerry
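With eight alerts per delivered message, the practical first step is to reduce the raw audit lines to the distinct (source type, target type, object class, permissions) tuples they contain, which is also exactly what a local policy module would have to cover. The script below is an added example, not part of Gerry's post or of the dovecot or setroubleshoot code; it parses AVC lines of the form quoted above into key/value fields and renders one allow statement per distinct tuple. The first sample line is the raw audit message from the post, the second is a constructed line (different permission, same domain and target type) included only to show aggregation.

```python
import re
from collections import defaultdict

# Sample AVC lines. The first is the raw audit message quoted in the post,
# reflowed onto one line. The second is constructed for this example to
# show how several denials on the same types collapse into one rule.
SAMPLE_AVC = [
    'avc: denied { link } for comm="deliver" dev=dm-0 egid=5000 euid=5000 '
    'exe="/usr/libexec/dovecot/deliver" exit=0 fsgid=5000 fsuid=5000 gid=5000 '
    'items=0 name="temp.localhost.678.40caaf5592891c46" pid=678 '
    'scontext=user_u:system_r:dovecot_deliver_t:s0 sgid=5000 '
    'subj=user_u:system_r:dovecot_deliver_t:s0 suid=5000 tclass=file '
    'tcontext=user_u:object_r:user_home_dir_t:s0 tty=(none) uid=5000',
    # constructed sample line (not from the post)
    'avc: denied { unlink } for comm="deliver" dev=dm-0 '
    'exe="/usr/libexec/dovecot/deliver" name="temp.localhost.679.constructed" '
    'pid=679 scontext=user_u:system_r:dovecot_deliver_t:s0 tclass=file '
    'tcontext=user_u:object_r:user_home_dir_t:s0',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["result"] = result          # "granted" or "denied"
    fields["perms"] = perms.split()    # e.g. ["link"]
    return fields


def context_type(ctx):
    """Extract the type field: user_u:object_r:user_home_dir_t:s0 -> user_home_dir_t."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        f = parse_avc(line)
        if f is None or f["result"] != "denied":
            continue
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        rules[key].update(f["perms"])
    return {k: sorted(v) for k, v in rules.items()}


def render_allow_rules(summary):
    """Render each tuple as an allow statement in policy (.te) syntax."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in render_allow_rules(summarize(SAMPLE_AVC)):
        print(rule)
```

Reading the output this way makes the shape of the problem visible before any policy is written: the denied object is labeled user_home_dir_t, so the alert's own first suggestion (a labeling problem, to be checked with restorecon) is worth ruling out before loading a module that grants dovecot_deliver_t rights on home-directory files.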