Connecting to cyrus via sasl and mysql (pam-mysql.so - plugin)

Roger Grosswiler roger at gwch.net
Sat Jul 30 16:20:53 UTC 2005


Alexander Dalloz wrote:

>On Sat, 30.07.2005 at 16:25, Roger Grosswiler wrote:
>
>  
>
>>I cannot connect to my cyrus whilst SELinux is enabled. Here is the snip of
>>my log:
>>type=AVC msg=audit(1122733280.281:9657218): avc:  denied  { search } for
>>pid=28898 comm="imapd" name="saslauthd" dev=dm-0 ino=262199
>>scontext=root:system_r:cyrus_t
>>tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>>type=SYSCALL msg=audit(1122733280.281:9657218): arch=40000003
>>syscall=102 success=no exit=-13 a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513
>>items=1 pid=28898 auid=0 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12
>>sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
>>type=SOCKADDR msg=audit(1122733280.281:9657218):
>>saddr=01002F7661722F72756E2F7361736C61757468642F6D75780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>type=SOCKETCALL msg=audit(1122733280.281:9657218): nargs=3 a0=b
>>a1=bfd308fa a2=6e
>>type=PATH msg=audit(1122733280.281:9657218): item=0 flags=1
>>inode=262199 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
>>type=AVC msg=audit(1122733284.635:9659874): avc:  denied  { search } for
>>pid=28898 comm="imapd" name="saslauthd" dev=dm-0 ino=262199
>>scontext=root:system_r:cyrus_t
>>tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>>type=SYSCALL msg=audit(1122733284.635:9659874): arch=40000003
>>syscall=102 success=no exit=-13 a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513
>>items=1 pid=28898 auid=0 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12
>>sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
>>type=SOCKADDR msg=audit(1122733284.635:9659874):
>>saddr=01002F7661722F72756E2F7361736C61757468642F6D75780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>type=SOCKETCALL msg=audit(1122733284.635:9659874): nargs=3 a0=b
>>a1=bfd308fa a2=6e
>>type=PATH msg=audit(1122733284.635:9659874): item=0 flags=1
>>inode=262199 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
>>
>>
>>...if SELinux is in permissive mode, I can connect without any problem.
>>Cyrus is set to disabled btw.
>>
>>Roger
>>    
>>
>
>Citing from the SELinux list:
>
><quote>
>If you take the number after the ':' in the serial number and use
>ausearch, you can make this more understandable. Try:
>
>ausearch -i -a 286451
>
>See if that makes it easier to understand.
></quote>
>
>In your case run:
>ausearch -i -a 9657218
>  
>
[root@link ~]# ausearch -i -a 9657218
----
type=PATH msg=audit(07/30/05 16:21:20.281:9657218) : item=0 flags=follow 
inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
type=SOCKETCALL msg=audit(07/30/05 16:21:20.281:9657218) : nargs=3 a0=b 
a1=bfd308fa a2=6e
type=SOCKADDR msg=audit(07/30/05 16:21:20.281:9657218) : saddr=local 
/var/run/saslauthd/mux
type=SYSCALL msg=audit(07/30/05 16:21:20.281:9657218) : arch=i386 
syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 
a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus 
gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail 
fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
type=AVC msg=audit(07/30/05 16:21:20.281:9657218) : avc:  denied  { 
search } for  pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 
scontext=root:system_r:cyrus_t 
tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir

>ausearch -i -a 9659874
>  
>
[root@link ~]# ausearch -i -a 9659874
----
type=PATH msg=audit(07/30/05 16:21:24.635:9659874) : item=0 flags=follow 
inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
type=SOCKETCALL msg=audit(07/30/05 16:21:24.635:9659874) : nargs=3 a0=b 
a1=bfd308fa a2=6e
type=SOCKADDR msg=audit(07/30/05 16:21:24.635:9659874) : saddr=local 
/var/run/saslauthd/mux
type=SYSCALL msg=audit(07/30/05 16:21:24.635:9659874) : arch=i386 
syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 
a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus 
gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail 
fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
type=AVC msg=audit(07/30/05 16:21:24.635:9659874) : avc:  denied  { 
search } for  pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 
scontext=root:system_r:cyrus_t 
tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir

>Something broke with selinux-policy-targeted-1.25.3-6 update from last
>Thursday? Did your setup run before?
>
>Alexander
>
>
>  
>
Perhaps it is because I updated from FC3 recently? Could be a reason.
Do you have any idea?

Roger
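
Added example, not part of the original thread: a small Python sketch of what `ausearch -i` does with the raw records above, grouping them by the serial after the ':' and decoding the hex `saddr` of the SOCKADDR record. The function names are hypothetical, only AF_UNIX addresses are decoded, and the sample is constructed from the records in the post with the zero padding shortened.

```python
import re

# Constructed sample: three raw records for one event, in the shape shown
# in the post, with the saddr zero padding shortened.
RAW = """\
type=AVC msg=audit(1122733280.281:9657218): avc:  denied  { search } for pid=28898 comm="imapd" name="saslauthd" dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
type=SYSCALL msg=audit(1122733280.281:9657218): arch=40000003 syscall=102 success=no exit=-13 a0=3 pid=28898 uid=76 gid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=SOCKADDR msg=audit(1122733280.281:9657218): saddr=01002F7661722F72756E2F7361736C61757468642F6D7578000000000000
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def decode_saddr(hexstr):
    """Decode a SOCKADDR saddr value; only AF_UNIX (family 1) is handled."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], "little")  # i386 record, little-endian
    if family != 1:
        return f"family={family} (not decoded)"
    return raw[2:].split(b"\0", 1)[0].decode("ascii", "replace")

def parse_events(text):
    """Group records by the serial after ':' in msg=audit(time:serial)."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        avc = AVC.search(body)
        if avc:
            fields["perms"] = avc.group(1).split()
        events.setdefault(int(serial), {})[rtype] = fields
    return events

def summarize(event):
    """One-line description of a denial event, or None if it has no AVC."""
    avc = event.get("AVC")
    if avc is None:
        return None
    src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
    path = decode_saddr(event["SOCKADDR"]["saddr"]) if "SOCKADDR" in event else "?"
    return f'{avc["comm"]} ({src}) denied {",".join(avc["perms"])} on {avc["tclass"]} {avc["name"]} ({tgt}) reaching {path}'

if __name__ == "__main__":
    for serial, ev in parse_events(RAW).items():
        print(serial, summarize(ev))
```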



