Cyrus IMAP, Saslauthd and SELinux

Daniel J Walsh dwalsh at redhat.com
Wed Jan 4 19:26:55 UTC 2006


Bob Chiodini wrote:
> I installed FC4 last Friday, and thought I did a complete update, but
> apparently not, since there was a rather large update yesterday that
> included:
>
> Jan 03 09:33:10 Updated: selinux-policy-strict.noarch 1.27.1-2.16
> Jan 03 09:34:17 Updated: selinux-policy-targeted.noarch 1.27.1-2.16
> Jan 03 09:37:56 Updated: selinux-policy-strict-sources.noarch 1.27.1-2.16
> Jan 03 09:39:06 Updated: selinux-policy-targeted-sources.noarch 1.27.1-2.16
>
> Upon rebooting, a relabel occurred.  Since then Cyrus IMAP has not been
> able to authenticate via saslauthd.  If I run saslauthd in debug mode,
> there is no indication of communication from imapd.  Running
> testsaslauthd -u bob -p xxxxxx as root does work.  Also, setting SELinux
> to permissive mode allows imapd to authenticate.
>
> There are no selinux messages in /var/log/messages
> or /var/log/audit/audit.log.  /var/log/maillog presents the following:
>
> badlogin: localhost.localdomain [127.0.0.1] plaintext bob SASL(-13): authentication failure: checkpass failed
>
> and /var/log/messages presents:
>
> saslauthd[3020]: do_auth         : auth failure: [user=bob] [service=imap] [realm=] [mech=shadow] [reason=Unknown]
>
> I suspect that the problem lies with the following:
>
> ls -l --lcontext /var/run/saslauthd
> total 16
> srwxrwxrwx  1 root:object_r:saslauthd_var_run_t root root 0 Jan  4 11:17 mux
> -rw-------  1 root:object_r:saslauthd_var_run_t root root 0 Jan  4 11:17 mux.accept
> -rw-------  1 root:object_r:saslauthd_var_run_t root root 5 Jan  4 11:17 saslauthd.pid
>
> On another FC4 system ls -l --lcontext /var/run/saslauthd produces the
> following:
>
> total 16
> srwxrwxrwx  1 system_u:object_r:saslauthd_var_run_t root root 0 Dec 22 18:53 mux
> -rw-------  1 system_u:object_r:saslauthd_var_run_t root root 0 Dec 22 18:53 mux.accept
> -rw-------  1 system_u:object_r:saslauthd_var_run_t root root 5 Dec 22 18:53 saslauthd.pid
>
> This machine is an x86_64, but has the same selinux policies, has been
> rebooted since they were updated, and selinux is in enforcing mode.
>
> Can someone point me in the right direction to correct this problem?
>
> Bob...
>
>   
What avc messages are you seeing?




