new dovecot, selinux Problem ?

Günther J. Niederwimmer gjn at gjn.priv.at
Fri Jul 12 18:26:21 EEST 2019 

Hello List,
after the last update I have a selinux "Problem" with dovecot.
My system is a centos 7.

After a new start from dovecot selinux block a connection.

Jul 12 16:24:24 mx01 systemd: Starting Dovecot IMAP/POP3 email server...
Jul 12 16:24:54 mx01 systemd: Started Dovecot IMAP/POP3 email server.
Jul 12 16:24:54 mx01 dovecot: Warning: Corrected permissions for login 
directory /var/run/dovecot/token-login
Jul 12 16:24:54 mx01 dbus[3008]: [system] Activating service 
name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jul 12 16:24:55 mx01 dbus[3008]: [system] Successfully activated service 
'org.fedoraproject.Setroubleshootd'
Jul 12 16:24:55 mx01 setroubleshoot: SELinux is preventing dovecot from 
getattr access on the file /proc/sys/fs/suid_dumpable. For complete SELinux 
messages run: sealert -l c46ae6a7-64c4-49a7-9e3d-477547fb6da8
Jul 12 16:24:55 mx01 python: SELinux is preventing dovecot from getattr access 
on the file /proc/sys/fs/suid_dumpable.#012#012*****  Plugin catchall (100. 
confidence) suggests   **************************#012#012If you believe that 
dovecot should be allowed getattr access on the suid_dumpable file by 
default.#012Then you should report this as a bug.#012You can generate a local 
policy module to allow this access.#012Do#012allow this access for now by 
executing:#012# ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot#012# 
semodule -i my-dovecot.pp#012

is this a bad Error?

When I install this local Policy i have a Problem with selinux wrong policy.

sealert -a /var/log/audit/audit.log
 13% donetype=AVC msg=audit(1562936830.462:61868): avc:  denied  { getattr } 
for  pid=31288 comm="dovecot" path="/proc/sys/fs/suid_dumpable" dev="proc" 
ino=35734 scontext=system_u:system_r:dovecot_t:s0 
tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
 
**** Invalid AVC allowed in current policy ***

100% done
found 0 alerts in /var/log/audit/audit.log


Can any tell / help me for a correct installation?

-- 
mit freundliche Grüßen / best regards,

  Günther J. Niederwimmer

More information about the dovecot mailing list