Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1172908 - SELinux is preventing dovecot from using the sys_resource capability.
Summary: SELinux is preventing dovecot from using the sys_resource capability.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 834306
TreeView+ depends on / blocked
 
Reported: 2014-12-11 04:04 UTC by Bill Davidsen
Modified: 2015-02-15 03:29 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-105.3.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-15 03:29:19 UTC
Type: Bug


Attachments (Terms of Use)
Dovecot entries from audit.log (6.98 KB, text/plain)
2014-12-13 20:11 UTC, Bill Davidsen
no flags Details

Description Bill Davidsen 2014-12-11 04:04:46 UTC
Description of problem:
Error message, there is a dovecot process running, I have not determined the stability of the system yet.

Version-Release number of selected component (if applicable):
dovecot.x86_64.1:2.2.15-1.fc21

How reproducible:
Appears to happen as dovecot starts

Steps to Reproduce:
1. yum install sendmail dovecot
2. systemctl enable sendmail dovecot
3.

Actual results:
Warning message from SElinux check

Expected results:
Silent dovcot oeration

Additional info:
Installed from fc21-MATE-x86_64 for testing

Comment 1 Lukas Vrabec 2014-12-11 11:11:22 UTC
Could you attach AVCs (/var/log/audit/audit.log) ?

Comment 2 Bill Davidsen 2014-12-13 20:11:15 UTC
Created attachment 968193 [details]
Dovecot entries from audit.log

I attach the dovecot entries, I will provide the whole log (I saved it) if needed.

Comment 3 Daniel Walsh 2015-01-02 16:48:13 UTC
Was the system running out of memory or process space at the time?

sys_resource means that the process dovecot can ignore its limits on resources like process or open file descriptors.  We usually see this type of thing when a system is being stressed.

Comment 4 Bill Davidsen 2015-01-05 21:29:33 UTC
Unless the normal process of installing the mail components and starting them will exceed sane limits, no. This was initial setup for testing, installing enough system software to run as a normal desktop. This was either a VM configured as a remote access host (1GB RAM, 2GB swap, 6GB disk, running off SSD), or a laptop, 2GB RAM, otherwise ~200GB disk.

Comment 5 Miroslav Grepl 2015-01-06 10:55:08 UTC
Lets also ask dovecot maintainer.

Comment 6 Michal Hlavinka 2015-01-06 14:04:48 UTC
Dovecot uses setrlimit and changes it's limit (sometime increase, sometime decrease) to match it's needs and not waste too much (if something goes wrong).

for example login process:

static void main_preinit(bool allow_core_dumps)
{
...
...
/* set the number of fds we want to use. it may get increased or
    decreased. leave a couple of extra fds for auth sockets and such.

    worst case each connection can use:

    - 1 for client
    - 1 for login proxy
    - 2 for client-side ssl proxy
    - 2 for server-side ssl proxy (with login proxy)
*/
max_fds = MASTER_LISTEN_FD_FIRST + 16 +
        master_service_get_socket_count(master_service) +
        master_service_get_client_limit(master_service)*6;
restrict_fd_limit(max_fds);
^^^ calls setrlimit(RLIMIT_NOFILE,...

Comment 7 Daniel Walsh 2015-02-01 13:03:54 UTC
7f66b60e21bac02dadbb71be1d305b44622db4f6 allows this in git.

Comment 8 Lukas Vrabec 2015-02-02 10:54:40 UTC
commit 8302ce68ee7c9b03a7d0958faf176da3a1cbbcec
Author: Dan Walsh <dwalsh>
Date:   Sun Feb 1 08:03:23 2015 -0500

    Allow dovecot domains to use sys_resouce

Comment 9 Fedora Update System 2015-02-05 13:15:20 UTC
selinux-policy-3.13.1-105.3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.3.fc21

Comment 10 Fedora Update System 2015-02-06 04:03:54 UTC
Package selinux-policy-3.13.1-105.3.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.3.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1768/selinux-policy-3.13.1-105.3.fc21
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2015-02-15 03:29:19 UTC
selinux-policy-3.13.1-105.3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.