Hi,
I'm running dovecot (1.1.7) deliver and sieve (1.1.5) on a Fedora 9 platform, using SELinux targeted mode.
Most mail deliveries go well, but once deliver tried to copy the mail to the /tmp directory, which it seems is not allowed by SELinux. I guess that deliver wants to sanitize the mail or something and therefore copies it to /tmp.
Before I ask SELinux to allow this, I would like to know why. Or could it be an error, leading deliver into a seldom used piece of code?
In order to get the mail delivered I put SELinux into permissive mode, using: semanage permissive -a dovecot_deliver_t
And then the mail is delivered. Below are excerpts from different logs; I have *NOT* attached the message which could not be delivered, because of its size.
Regards, Kim
Output from "dovecot -n":
# 1.1.7: /etc/dovecot.conf
# OS: Linux 2.6.27.9-73.fc9.i686 i686 Fedora release 9 (Sulphur) ext3
protocols: imaps
listen: *
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/imap-login
mail_location: maildir:/data/mail/%u
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd
Here is the mail log of the incident:
Jan 6 02:20:36 jukebox amavis[30505]: (30505-01) Passed CLEAN, [209.85.219.21] pgsql-hackers-owner+M130915@postgresql.org -> kim+pg@alleroedderne.adsl.dk, Message-ID: 6fa3b6e20901051715p2a6b03dbt30ce14e9e2bc796c@mail.gmail.com, mail_id: QsxKXByj4rFd, Hits: -2.599, size: 140563, queued_as: E3E2BBC57D, 10434 ms
Jan 6 02:20:36 jukebox postfix/lmtp[32118]: 98350BC57C: to=kim+pg@alleroedderne.adsl.dk, relay=127.0.0.1[127.0.0.1]:10024, delay=24, delays=13/0.06/0.44/10, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E3E2BBC57D)
Jan 6 02:20:36 jukebox postfix/qmgr[2205]: 98350BC57C: removed
Jan 6 02:20:36 jukebox deliver(kim): stat(/tmp/dovecot.deliver..1231204836.32131.f6db3d4db5020c54) failed: Permission denied
Jan 6 02:20:36 jukebox deliver(kim): copy: i_stream_read() failed: Permission denied
Jan 6 02:20:36 jukebox deliver(kim): msgid=6fa3b6e20901051715p2a6b03dbt30ce14e9e2bc796c@mail.gmail.com: save failed to lists.PostgreSQL.Hacker: Internal error occurred. Refer to server log for more information. [2009-01-06 02:20:36]
Jan 6 02:20:36 jukebox deliver(kim): sieve runtime error: Fileinto: Generic Error
Jan 6 02:20:36 jukebox deliver(kim): sieve_execute_bytecode(/home/kim/.dovecot.sievec) failed
Jan 6 02:20:37 jukebox deliver(kim): copy: i_stream_read() failed: No such file or directory
Jan 6 02:20:37 jukebox deliver(kim): msgid=6fa3b6e20901051715p2a6b03dbt30ce14e9e2bc796c@mail.gmail.com: save failed to INBOX: Internal error occurred. Refer to server log for more information. [2009-01-06 02:20:36]
Jan 6 02:20:37 jukebox postfix/local[32130]: E3E2BBC57D: to=kim+pg@alleroedderne.adsl.dk, relay=local, delay=1.3, delays=0.1/0.18/0/1, dsn=4.3.0, status=deferred (temporary failure)
Here are the lines from SELinux once in permissive mode:
Jan 6 16:44:28 jukebox setroubleshoot: SELinux is preventing the deliver from using potentially mislabeled files (./tmp). For complete SELinux messages. run sealert -l 4b6a49fd-c1f8-40f9-98fa-dfe971719c69
Jan 6 16:44:29 jukebox setroubleshoot: SELinux is preventing the deliver from using potentially mislabeled files (./tmp). For complete SELinux messages. run sealert -l 19445c54-9537-45ec-8f3e-7718364b1f1f
Jan 6 16:44:29 jukebox setroubleshoot: SELinux is preventing the deliver from using potentially mislabeled files (./dovecot.deliver..1231256667.7940.53f0f908f5a97712). For complete SELinux messages. run sealert -l 0cb74c68-0bbb-4de6-a15f-0bb5fdffcf90
Jan 6 16:44:29 jukebox setroubleshoot: SELinux is preventing the deliver from using potentially mislabeled files (2F746D702F646F7665636F742E64656C697665722E2E313233313235363636372E373934302E35336630663930386635613937373132202864656C6574656429). For complete SELinux messages. run sealert -l afe6e0ae-8c2e-4882-925b-b15e26da2a15
And the AVCs for those: node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231439791.493:10819): avc: denied { search } for pid=9073 comm="deliver" name="tmp" dev=sda3 ino=786433 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=jukebox.alleroedderne.adsl.dk type=SYSCALL msg=audit(1231439791.493:10819): arch=40000003 syscall=195 success=no exit=-2 a0=96e0aa0 a1=bfc21120 a2=4f5ff4 a3=bfc21120 items=0 ppid=9072 pid=9073 auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="deliver" exe="/usr/libexec/dovecot/deliver" subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)
node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231439791.493:10820): avc: denied { write } for pid=9073 comm="deliver" name="tmp" dev=sda3 ino=786433 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231439791.493:10820): avc: denied { add_name } for pid=9073 comm="deliver" name="dovecot.deliver..1231439791.9073.73e6f9811129f7ec" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231439791.493:10820): avc: denied { create } for pid=9073 comm="deliver" name="dovecot.deliver..1231439791.9073.73e6f9811129f7ec" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231439791.493:10820): avc: denied { read write } for pid=9073 comm="deliver" name="dovecot.deliver..1231439791.9073.73e6f9811129f7ec" dev=sda3 ino=819452 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=jukebox.alleroedderne.adsl.dk type=SYSCALL msg=audit(1231439791.493:10820): arch=40000003 syscall=5 success=yes exit=12 a0=96e0aa0 a1=80c2 a2=180 a3=80c2 items=0 ppid=9072 pid=9073 auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="deliver" exe="/usr/libexec/dovecot/deliver" subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)
node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231256667.462:5562): avc: denied { remove_name } for pid=7940 comm="deliver" name="dovecot.deliver..1231256667.7940.53f0f908f5a97712" dev=sda3 ino=852077 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231256667.462:5562): avc: denied { unlink } for pid=7940 comm="deliver" name="dovecot.deliver..1231256667.7940.53f0f908f5a97712" dev=sda3 ino=852077 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=jukebox.alleroedderne.adsl.dk type=SYSCALL msg=audit(1231256667.462:5562): arch=40000003 syscall=10 success=yes exit=0 a0=8bdfaa0 a1=80c2 a2=8bdfaa0 a3=c items=0 ppid=7939 pid=7940 auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="deliver" exe="/usr/libexec/dovecot/deliver" subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)
node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231256667.463:5563): avc: denied { getattr } for pid=7940 comm="deliver" path=2F746D702F646F7665636F742E64656C697665722E2E313233313235363636372E373934302E35336630663930386635613937373132202864656C6574656429 dev=sda3 ino=852077 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=jukebox.alleroedderne.adsl.dk type=SYSCALL msg=audit(1231256667.463:5563): arch=40000003 syscall=197 success=yes exit=0 a0=c a1=bfada72c a2=4f5ff4 a3=8c1c2f8 items=0 ppid=7939 pid=7940 auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="deliver" exe="/usr/libexec/dovecot/deliver" subj=system_u:system_r:dovecot_deliver_t:s0 key=(null)