Connecting to cyrus via sasl and mysql (pam-mysql.so - plugin)
Roger Grosswiler
roger at gwch.net
Sat Jul 30 16:20:53 UTC 2005
Alexander Dalloz wrote:
>Am Sa, den 30.07.2005 schrieb Roger Grosswiler um 16:25:
>
>
>
>>i cannot connect to my cyrus, whilst selinux enabled. Here the snip of
>>my log:
>>type=AVC msg=audit(1122733280.281:9657218): avc: denied { search } for
>>pid=28898 comm="imapd" name="saslauthd" dev=dm-0 ino=262199
>>scontext=root:system_r:cyrus_t
>>tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>>type=SYSCALL msg=audit(1122733280.281:9657218): arch=40000003
>>syscall=102 success=no exit=-13 a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513
>>items=1 pid=28898 auid=0 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12
>>sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
>>type=SOCKADDR msg=audit(1122733280.281:9657218):
>>saddr=01002F7661722F72756E2F7361736C61757468642F6D75780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>type=SOCKETCALL msg=audit(1122733280.281:9657218): nargs=3 a0=b
>>a1=bfd308fa a2=6e
>>type=PATH msg=audit(1122733280.281:9657218): item=0 flags=1
>>inode=262199 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
>>type=AVC msg=audit(1122733284.635:9659874): avc: denied { search } for
>>pid=28898 comm="imapd" name="saslauthd" dev=dm-0 ino=262199
>>scontext=root:system_r:cyrus_t
>>tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>>type=SYSCALL msg=audit(1122733284.635:9659874): arch=40000003
>>syscall=102 success=no exit=-13 a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513
>>items=1 pid=28898 auid=0 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12
>>sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
>>type=SOCKADDR msg=audit(1122733284.635:9659874):
>>saddr=01002F7661722F72756E2F7361736C61757468642F6D75780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>type=SOCKETCALL msg=audit(1122733284.635:9659874): nargs=3 a0=b
>>a1=bfd308fa a2=6e
>>type=PATH msg=audit(1122733284.635:9659874): item=0 flags=1
>>inode=262199 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
>>
>>
>>...if selinux is in permissive mode, i can connect without any problem.
>>cyrus is set to disabled btw.
>>
>>Roger
>>
>>
>
>Citing from the SELinux list:
>
><quote>
>If you take the number after the ':' in the serial number and use
>ausearch, you
>can make this more understandable. Try:
>
>ausearch -i -a 286451
>
>See if that makes it easier to understand.
></quote>
>
>In your case run:
>ausearch -i -a 9657218
>
>
[root at link ~]# ausearch -i -a 9657218
----
type=PATH msg=audit(07/30/05 16:21:20.281:9657218) : item=0 flags=follow
inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
type=SOCKETCALL msg=audit(07/30/05 16:21:20.281:9657218) : nargs=3 a0=b
a1=bfd308fa a2=6e
type=SOCKADDR msg=audit(07/30/05 16:21:20.281:9657218) : saddr=local
/var/run/saslauthd/mux
type=SYSCALL msg=audit(07/30/05 16:21:20.281:9657218) : arch=i386
syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3
a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus
gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail
fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
type=AVC msg=audit(07/30/05 16:21:20.281:9657218) : avc: denied {
search } for pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199
scontext=root:system_r:cyrus_t
tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>ausearch -i -a 9659874
>
>
[root at link ~]# ausearch -i -a 9659874
----
type=PATH msg=audit(07/30/05 16:21:24.635:9659874) : item=0 flags=follow
inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
type=SOCKETCALL msg=audit(07/30/05 16:21:24.635:9659874) : nargs=3 a0=b
a1=bfd308fa a2=6e
type=SOCKADDR msg=audit(07/30/05 16:21:24.635:9659874) : saddr=local
/var/run/saslauthd/mux
type=SYSCALL msg=audit(07/30/05 16:21:24.635:9659874) : arch=i386
syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3
a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus
gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail
fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
type=AVC msg=audit(07/30/05 16:21:24.635:9659874) : avc: denied {
search } for pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199
scontext=root:system_r:cyrus_t
tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>Something broke with selinux-policy-targeted-1.25.3-6 update from last
>Thursday? Did your setup run before?
>
>Alexander
>
>
>
>
perhaps it is because i updated from fc3 recently? could be a reason.
Do you have any idea?
Roger
More information about the fedora-list
mailing list