Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1172908

Summary: SELinux is preventing dovecot from using the sys_resource capability.
Product: [Fedora] Fedora Reporter: Bill Davidsen <davidsen>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 21CC: davidsen, dominick.grift, dwalsh, janfrode, lvrabec, mgrepl, mhlavink, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-105.3.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-15 03:29:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 834306    
Attachments:
Description Flags
Dovecot entries from audit.log none

Description Bill Davidsen 2014-12-11 04:04:46 UTC 
Description of problem:
Error message, there is a dovecot process running, I have not determined the stability of the system yet.

Version-Release number of selected component (if applicable):
dovecot.x86_64.1:2.2.15-1.fc21

How reproducible:
Appears to happen as dovecot starts

Steps to Reproduce:
1. yum install sendmail dovecot
2. systemctl enable sendmail dovecot
3.

Actual results:
Warning message from SElinux check

Expected results:
Silent dovcot oeration

Additional info:
Installed from fc21-MATE-x86_64 for testing
Comment 1 Lukas Vrabec 2014-12-11 11:11:22 UTC 
Could you attach AVCs (/var/log/audit/audit.log) ?
Comment 2 Bill Davidsen 2014-12-13 20:11:15 UTC 
Created attachment 968193 [details]
Dovecot entries from audit.log

I attach the dovecot entries, I will provide the whole log (I saved it) if needed.
Comment 3 Daniel Walsh 2015-01-02 16:48:13 UTC 
Was the system running out of memory or process space at the time?

sys_resource means that the process dovecot can ignore its limits on resources like process or open file descriptors.  We usually see this type of thing when a system is being stressed.
Comment 4 Bill Davidsen 2015-01-05 21:29:33 UTC 
Unless the normal process of installing the mail components and starting them will exceed sane limits, no. This was initial setup for testing, installing enough system software to run as a normal desktop. This was either a VM configured as a remote access host (1GB RAM, 2GB swap, 6GB disk, running off SSD), or a laptop, 2GB RAM, otherwise ~200GB disk.
Comment 5 Miroslav Grepl 2015-01-06 10:55:08 UTC 
Lets also ask dovecot maintainer.
Comment 6 Michal Hlavinka 2015-01-06 14:04:48 UTC 
Dovecot uses setrlimit and changes it's limit (sometime increase, sometime decrease) to match it's needs and not waste too much (if something goes wrong).

for example login process:

static void main_preinit(bool allow_core_dumps)
{
...
...
/* set the number of fds we want to use. it may get increased or
    decreased. leave a couple of extra fds for auth sockets and such.

    worst case each connection can use:

    - 1 for client
    - 1 for login proxy
    - 2 for client-side ssl proxy
    - 2 for server-side ssl proxy (with login proxy)
*/
max_fds = MASTER_LISTEN_FD_FIRST + 16 +
        master_service_get_socket_count(master_service) +
        master_service_get_client_limit(master_service)*6;
restrict_fd_limit(max_fds);
^^^ calls setrlimit(RLIMIT_NOFILE,...
Comment 7 Daniel Walsh 2015-02-01 13:03:54 UTC 
7f66b60e21bac02dadbb71be1d305b44622db4f6 allows this in git.
Comment 8 Lukas Vrabec 2015-02-02 10:54:40 UTC 
commit 8302ce68ee7c9b03a7d0958faf176da3a1cbbcec
Author: Dan Walsh <dwalsh>
Date:   Sun Feb 1 08:03:23 2015 -0500

    Allow dovecot domains to use sys_resouce
Comment 9 Fedora Update System 2015-02-05 13:15:20 UTC 
selinux-policy-3.13.1-105.3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.3.fc21
Comment 10 Fedora Update System 2015-02-06 04:03:54 UTC 
Package selinux-policy-3.13.1-105.3.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.3.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1768/selinux-policy-3.13.1-105.3.fc21
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2015-02-15 03:29:19 UTC 
selinux-policy-3.13.1-105.3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.