#1
10th October 2012, 02:42 PM
Tieum
SELinux is preventing dovecot from using the sys_resource capability

Hello,

I have 2 machines with dovecot and SELinux installed. One is x86_64, the other one is armv6l. They have the same dovecot configuration.

On the x86_64 one, dovecot runs with no problem. On the ARM one dovecot is denied running by SELinux:

SELinux is preventing dovecot from using the sys_resource capability.

***** Plugin sys_resource (91.4 confidence) suggests ***********************

If you do not want to get this AVC any longer. These AVC's are caused by running out of resources, usually disk space on your / partition.
Then you must cleanup diskspace or make sure you are not running too many processes.
Do
clear up your disk.

If I disable selinux, dovecot runs fine. Root partition is far from full:

]# df -h
Filesystem Size Used Avail Use% Mounted on
rootfs 7.1G 4.8G 2.0G 71% /
/dev/root 7.1G 4.8G 2.0G 71% /
devtmpfs 115M 0 115M 0% /dev
tmpfs 115M 0 115M 0% /dev/shm
tmpfs 115M 716K 115M 1% /run
tmpfs 115M 0 115M 0% /sys/fs/cgroup
tmpfs 115M 0 115M 0% /media
/dev/mapper/mail 3.6G 1.2G 2.3G 34% /home/mail


Any idea why it does not behave the same on both architectures and how to have dovecot running without setting a special policy for it on ARM?

Thanks.

#2
10th October 2012, 03:16 PM
Skull One

I wonder if the versions are the same between x86_64 and ARM.
Could you check it on each machine?
Code:
rpm -q selinux-policy
__________________
:confused:

#3
10th October 2012, 04:00 PM
Tieum

Both have selinux-policy-3.10.0-149.fc17.noarch

#4
10th October 2012, 04:35 PM
jpollard

How about inode counts? Running out of inodes will cause problems too.

#5
10th October 2012, 04:37 PM
Tieum

Looks good too:

# df -i
Filesystem Inodes IUsed IFree IUse% Mounted on
rootfs 456576 159722 296854 35% /
/dev/root 456576 159722 296854 35% /
devtmpfs 29378 371 29007 2% /dev
tmpfs 29399 1 29398 1% /dev/shm
tmpfs 29399 321 29078 2% /run
tmpfs 29399 10 29389 1% /sys/fs/cgroup
tmpfs 29399 1 29398 1% /media
/dev/mapper/mail 236640 7673 228967 4% /home/mail

#6
11th October 2012, 02:39 AM
ddreggors

This looks very similar to a previously closed bug.

Take a look at this bug
https://bugzilla.redhat.com/show_bug.cgi?id=801909

It may be a regression.

#7
11th October 2012, 07:53 AM
Skull One

I have no clue... It is weird to have something working on one machine and not the other, for the same configuration.
But could you post the full AVC:
Code:
grep dovecot /var/log/audit/audit.log
__________________
:confused:

#8
11th October 2012, 09:13 AM
Tieum

I removed the numerous USER_AUTH and USER_ACCT lines:

Typical log when selinux is activated:

type=SERVICE_START msg=audit(1348999815.760:17): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dovecot" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1348999817.160:19): avc: denied { sys_resource } for pid=616 comm="dovecot" capability=24 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability
type=SERVICE_STOP msg=audit(1348999817.270:20): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dovecot" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Typical log when selinux is set to permissive

type=SERVICE_START msg=audit(1348999814.500:17): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dovecot" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1348999815.730:18): avc: denied { sys_resource } for pid=619 comm="dovecot" capability=24 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability

Last edited by Tieum; 11th October 2012 at 09:18 AM.

#9
11th October 2012, 10:35 AM
Skull One

Is your ARM server a bigger server than the x86_64?

Here is what I suppose is happening: on the ARM machine, dovecot has reached one of its resource limits (but which one???) and tries to expand it, but this capability is not allowed by SELinux; and on the x86_64 machine, dovecot is still under its resource limits, so no problems.

So, I can think of two possibilities to fix it:
- check the system limits and adjust the values (this said, I do not know really which one, so you will have to play with sysctl);
- add locally the missing capability to the policy, and maybe file a bug report with the AVC denial.

---------- Post added at 09:35 AM ---------- Previous post was at 09:13 AM ----------

I do not know if it is really related, but just in case, look at
http://blog.foaa.de/2010/07/dovecot-...ts-and-debian/

By the way, is something reported in dovecot logs?
__________________
:confused:

Last edited by Skull One; 11th October 2012 at 10:40 AM.

#10
11th October 2012, 04:35 PM
Tieum

ARM is by all means a more limited machine than x86_64 (Raspberry Pi vs. 4-core 3-year-old machine).

Good catch on dovecot logs:

dovecot: master: Fatal: setrlimit(RLIMIT_NPROC, 1842): Operation not permitted

I checked /etc/security/limits.conf on the ARM server and there are no values set for nproc

#11
11th October 2012, 04:41 PM
Skull One

Not sure, but try to adjust parameters in '/etc/dovecot/conf.d/10-master.conf', for instance 'default_process_limit', etc...
__________________
:confused:
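
A triage sketch for the diagnosis discussed in this thread, as an added example that is not part of any post: it decodes the AVC record from post #8, extracts the requested limit from the dovecot log line in post #10, and checks whether that request would raise a hard rlimit, which per setrlimit(2) is the operation that needs CAP_SYS_RESOURCE. The function names and the capability subset are choices made for this example.

```python
import re
import resource

# Both log lines are copied verbatim from the thread (posts #8 and #10).
AVC_LINE = ('type=AVC msg=audit(1348999817.160:19): avc: denied { sys_resource } '
            'for pid=616 comm="dovecot" capability=24 '
            'scontext=system_u:system_r:dovecot_t:s0 '
            'tcontext=system_u:system_r:dovecot_t:s0 tclass=capability')
DOVECOT_LINE = ('dovecot: master: Fatal: setrlimit(RLIMIT_NPROC, 1842): '
                'Operation not permitted')

# Subset of the capability numbers defined in <linux/capability.h>.
CAP_NAMES = {21: "CAP_SYS_ADMIN", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE"}
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]+)"\s+capability=(?P<cap>\d+)\s+'
    r'scontext=(?P<scontext>\S+)\s.*tclass=(?P<tclass>\S+)')
RLIMIT_RE = re.compile(r'setrlimit\((?P<name>RLIMIT_\w+),\s*(?P<value>\d+)\)')

def parse_avc(line):
    """Return the fields of a capability AVC denial, or None if no match."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["cap_name"] = CAP_NAMES.get(int(rec["cap"]), "cap#" + rec["cap"])
    return rec

def needs_cap_sys_resource(wanted, hard):
    """setrlimit(2): only raising the hard limit requires CAP_SYS_RESOURCE."""
    return hard != resource.RLIM_INFINITY and wanted > hard

def diagnose(avc_line, daemon_line, hard_limit=None):
    """Tie the denied capability to the rlimit the daemon tried to set."""
    avc, req = parse_avc(avc_line), RLIMIT_RE.search(daemon_line)
    if avc is None or req is None:
        return None
    if hard_limit is None:
        # Assumption: the caller's own hard limit stands in for the one the
        # daemon inherits from init; /proc/<pid>/limits shows the real value.
        hard_limit = resource.getrlimit(getattr(resource, req["name"]))[1]
    wanted = int(req["value"])
    return {"domain": avc["scontext"].split(":")[2], "capability": avc["cap_name"],
            "rlimit": req["name"], "wanted": wanted, "hard": hard_limit,
            "raise_needs_capability": needs_cap_sys_resource(wanted, hard_limit)}

if __name__ == "__main__":
    print(diagnose(AVC_LINE, DOVECOT_LINE))
```

Called without `hard_limit`, `diagnose` compares against the limit of the process running the script, so run it in the daemon's context or pass the hard limit read from `/proc/<pid>/limits`.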