update from fc3 -> fc4: cyrus/sasl-errors

Roger Grosswiler roger at gwch.net
Thu Aug 11 10:07:48 UTC 2005


> It's a problem with the policy not with a relabel.
>
> audit2allow <insert /var/log/auditd/auditd.log>
>
> will give you a policy statement to work with...
>
>
> HTH,
> Harry
>
>
>
> On Sun, 31 Jul 2005, Bobby Kashani wrote:
>
>> On Sun, 2005-07-31 at 15:22 +0200, Roger Grosswiler wrote:
>> > hi,
>> >
>> > i recently updated from fc3 to fc4. i use this machine as a mailserver
>> > with cyrus. 1st problem was the database - fixed issue. now, on
>> > authentication, i get errors, will say, with selinux enforcing i
>> cannot
>> > authenticate at all.
>> >
>> > from the fc-list i got some help, with a few commands, that should
>> help
>> > better understanding. What can i do, to have this box with selinux
>> > enforcing enabled? ah, yes, in permissive mode it works fine.
>>
>> Have you tried doing a "touch /.autorelabel" and rebooting?
>>
>> Bob
>>
>> > here a snippet of my logs:
>> > > [root at link ~]# ausearch -i -a 9657218
>> > > ----
>> > > type=PATH msg=audit(07/30/05 16:21:20.281:9657218) : item=0
>> flags=follow inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root
>> rdev=00:00
>> > > type=SOCKETCALL msg=audit(07/30/05 16:21:20.281:9657218) : nargs=3
>> a0=b a1=bfd308fa a2=6e
>> > > type=SOCKADDR msg=audit(07/30/05 16:21:20.281:9657218) : saddr=local
>> /var/run/saslauthd/mux
>> > > type=SYSCALL msg=audit(07/30/05 16:21:20.281:9657218) : arch=i386
>> syscall=socketcall(connect) success=no exit=-13(Permission denied)
>> a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root
>> uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail
>> sgid=mail fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
>> > > type=AVC msg=audit(07/30/05 16:21:20.281:9657218) : avc:  denied  {
>> search } for  pid=28898 comm=imapd name=saslauthd dev=dm-0
>> ino=262199 scontext=root:system_r:cyrus_t
>> tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>> > >
>> > >> ausearch -i -a 9659874
>> > >>
>> > >>
>> > > [root at link ~]# ausearch -i -a 9659874
>> > > ----
>> > > type=PATH msg=audit(07/30/05 16:21:24.635:9659874) : item=0
>> flags=follow inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root
>> rdev=00:00
>> > > type=SOCKETCALL msg=audit(07/30/05 16:21:24.635:9659874) : nargs=3
>> a0=b a1=bfd308fa a2=6e
>> > > type=SOCKADDR msg=audit(07/30/05 16:21:24.635:9659874) : saddr=local
>> /var/run/saslauthd/mux
>> > > type=SYSCALL msg=audit(07/30/05 16:21:24.635:9659874) : arch=i386
>> syscall=socketcall(connect) success=no exit=-13(Permission denied)
>> a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root
>> uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail
>> sgid=mail fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
>> > > type=AVC msg=audit(07/30/05 16:21:24.635:9659874) : avc:  denied  {
>> search } for  pid=28898 comm=imapd name=saslauthd dev=dm-0
>> ino=262199 scontext=root:system_r:cyrus_t
>> tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>> >
>> >
>> > i hope, you can help.
>> >
>> > Thanks a lot
>> > Roger
>> >
>> >
>> > --
>> > fedora-selinux-list mailing list
>> > fedora-selinux-list at redhat.com
>> > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> --
>> Bobby Kashani
>> http://www.ocf.berkeley.edu/~bobk/garnome
>>
>>
>
>
Hi,

i am completely inexperienced in selinux, but i was trying changing the
policy local.te and added the following:

allow saslauthd_t initrc_t:unix_stream_socket connectto;
allow saslauthd_t mysqld_db_t:dir search;
allow saslauthd_t mysqld_var_run_t:sock_file write;
allow saslauthd_t var_lib_t:dir search;


...since then, it is working. My imap authenticates against sasl which uses
mysql for user-authentication (pam_mysql.so)

can any expert say, if i opened a hole in my security other than
authentication?

Thanks
roger
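The two AVC records quoted above both deny cyrus_t the search permission on a saslauthd_var_run_t directory, and Harry's suggestion is to feed such records to audit2allow. The following is an added example, not code from the thread or from audit2allow itself: it parses AVC lines of the ausearch -i shape shown above and emits the narrowest allow rule per (source type, target type, object class), merging duplicate denials so the same rule is not produced twice. The sample records are constructed from the ones in the thread.

```python
import re

# Constructed from the two AVC records quoted in the thread (ausearch -i output).
SAMPLE_AVCS = [
    "type=AVC msg=audit(07/30/05 16:21:20.281:9657218) : avc:  denied  { "
    "search } for  pid=28898 comm=imapd name=saslauthd dev=dm-0 "
    "ino=262199 scontext=root:system_r:cyrus_t "
    "tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir",
    "type=AVC msg=audit(07/30/05 16:21:24.635:9659874) : avc:  denied  { "
    "search } for  pid=28898 comm=imapd name=saslauthd dev=dm-0 "
    "ino=262199 scontext=root:system_r:cyrus_t "
    "tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir",
]

# Permissions sit inside { ... }; the contexts and class follow later on the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the denied permissions and the source/target types of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "source_type": m.group("scontext").split(":")[2],
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def allow_rules(lines):
    """Collapse denials sharing (source, target, class) into one allow rule each."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue  # not an AVC record (PATH, SYSCALL, ...): skip it
        key = (d["source_type"], d["target_type"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVCS)))
```

A rule derived this way grants exactly the permission that was denied and nothing more; each additional denial in the log adds to the rule set, so the output is only as complete as the denials collected while the service exercised its normal paths.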



