Cyrus IMAP, Saslauthd and SELinux

Bob Chiodini rchiodin at bellsouth.net
Wed Jan 4 16:52:56 UTC 2006


I installed FC4 last Friday, and thought I did a complete update, but
apparently not, since there was a rather large update yesterday that
included:

Jan 03 09:33:10 Updated: selinux-policy-strict.noarch 1.27.1-2.16
Jan 03 09:34:17 Updated: selinux-policy-targeted.noarch 1.27.1-2.16
Jan 03 09:37:56 Updated: selinux-policy-strict-sources.noarch 1.27.1-2.16
Jan 03 09:39:06 Updated: selinux-policy-targeted-sources.noarch 1.27.1-2.16

Upon rebooting, a relabel occurred.  Since then Cyrus IMAP has not been
able to authenticate via saslauthd.  If I run saslauthd in debug mode,
there is no indication of communication from imapd.  Running
testsaslauthd -u bob -p xxxxxx as root does work.  Also, setting SELinux
to permissive mode allows imapd to authenticate.

There are no selinux messages in /var/log/messages
or /var/log/audit/audit.log.  /var/log/maillog presents the following:

badlogin: localhost.localdomain [127.0.0.1] plaintext bob SASL(-13): authentication failure: checkpass failed

and /var/log/messages presents:

saslauthd[3020]: do_auth         : auth failure: [user=bob] [service=imap] [realm=] [mech=shadow] [reason=Unknown]

I suspect that the problem lies with the following:

ls -l --lcontext /var/run/saslauthd
total 16
srwxrwxrwx  1 root:object_r:saslauthd_var_run_t root root 0 Jan  4 11:17 mux
-rw-------  1 root:object_r:saslauthd_var_run_t root root 0 Jan  4 11:17 mux.accept
-rw-------  1 root:object_r:saslauthd_var_run_t root root 5 Jan  4 11:17 saslauthd.pid

On another FC4 system ls -l --lcontext /var/run/saslauthd produces the
following:

total 16
srwxrwxrwx  1 system_u:object_r:saslauthd_var_run_t root root 0 Dec 22 18:53 mux
-rw-------  1 system_u:object_r:saslauthd_var_run_t root root 0 Dec 22 18:53 mux.accept
-rw-------  1 system_u:object_r:saslauthd_var_run_t root root 5 Dec 22 18:53 saslauthd.pid

This machine is an x86_64, but has the same selinux policies, has been
rebooted since they were updated, and selinux is in enforcing mode.

Can someone point me in the right direction to correct this problem?

Bob...
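
The side-by-side comparison of the two /var/run/saslauthd listings in the message above, as an added example that is not part of the original post: a small Python parser for `ls -l --lcontext` output that reports which field of the SELinux context (user, role or type) differs per file. The function names are assumptions made for illustration; the two listings are copied from the message.

```python
# Listings copied from the message above; function names are illustrative.
FAILING_HOST = """\
total 16
srwxrwxrwx  1 root:object_r:saslauthd_var_run_t root root 0 Jan  4 11:17 mux
-rw-------  1 root:object_r:saslauthd_var_run_t root root 0 Jan  4 11:17 mux.accept
-rw-------  1 root:object_r:saslauthd_var_run_t root root 5 Jan  4 11:17 saslauthd.pid
"""
WORKING_HOST = """\
total 16
srwxrwxrwx  1 system_u:object_r:saslauthd_var_run_t root root 0 Dec 22 18:53 mux
-rw-------  1 system_u:object_r:saslauthd_var_run_t root root 0 Dec 22 18:53 mux.accept
-rw-------  1 system_u:object_r:saslauthd_var_run_t root root 5 Dec 22 18:53 saslauthd.pid
"""

FIELDS = ("user", "role", "type")


def parse_lcontext(listing):
    """Map file name -> {user, role, type} from `ls -l --lcontext` output."""
    contexts = {}
    for line in listing.splitlines():
        # Columns: mode links context owner group size month day time name
        cols = line.split(None, 9)
        if len(cols) < 10 or cols[2].count(":") < 2:
            continue  # "total N" header, or a line with no security context
        # zip() keeps the first three parts and ignores any trailing level field
        contexts[cols[9]] = dict(zip(FIELDS, cols[2].split(":")))
    return contexts


def diff_contexts(left, right):
    """Return (name, field, left_value, right_value) for every mismatch."""
    a, b = parse_lcontext(left), parse_lcontext(right)
    mismatches = []
    for name in sorted(a.keys() & b.keys()):
        for field in FIELDS:
            if a[name][field] != b[name][field]:
                mismatches.append((name, field, a[name][field], b[name][field]))
    return mismatches


if __name__ == "__main__":
    for name, field, here, there in diff_contexts(FAILING_HOST, WORKING_HOST):
        print(f"{name}: {field} is {here!r} here, {there!r} on the working host")
```

On these two listings the only mismatch is the user field (`root` versus `system_u`); the role and the type `saslauthd_var_run_t` are identical on both hosts.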



