dovecot_auth_t wants capability audit_write and netlink_audit_socket create

Daniel Fazekas fdsubs at t-online.hu
Fri Jun 22 05:03:45 UTC 2007


On Jun 17, 2007, at 16:27, Paul Howarth wrote:

> I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7)
> I needed to add the following:
> # Allow dovecot to check passwords
> allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };
>
> before dovecot-auth could run /sbin/unix-update and authenticate IMAP
> clients.

I've got pretty much the same problem -- dovecot failing to authenticate IMAP clients through PAM if selinux enforcing is enabled.
However, even what Paul posted doesn't solve it for me.

dovecot-1.0.1-12.fc7
selinux-policy-targeted-2.6.4-14.fc7

dovecot is left to use the default settings,
   passdb:
     driver: pam
   userdb:
     driver: passwd

audit messages I'm getting are like:
avc:  denied  { execute } for  pid=4978 comm="dovecot-auth" name="unix_update" dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file

other log messages on the failure:
unix_chkpwd[4911]: could not get username from shadow (username))
dovecot-auth: pam_unix(dovecot:account): unix_update returned error 9
dovecot: auth(default): pam(username,addr): lookup service=dovecot
dovecot: auth(default): pam(username,addr): pam_acct_mgmt() failed: Authentication service cannot retrieve authentication info

Through a couple of iterations of audit2allow and making a new module, I came up with this (pretty much the same Paul posted):
require {
        type dovecot_auth_t;
        type updpwd_exec_t;
        class file { read execute execute_no_trans };
}
allow dovecot_auth_t updpwd_exec_t:file { read execute execute_no_trans };

Which did succeed in eliminating all audit denial messages, yet it still keeps on failing and authentication still doesn't work.

As soon as I do
setenforce 0
everything starts functioning fine.

Any ideas how I could make it work without disabling selinux?

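As an added example (not code from this thread, and not audit2allow itself), a small shell/awk re-implementation of the audit2allow step described above: it turns the AVC line from the post into the same require/allow module body, then flags what that rule actually does. The second AVC line in the sample input is constructed for the example, and the function names avc_to_te and note_no_transition are my own.

```shell
# Constructed sample input: the AVC line from the post rejoined onto one line,
# plus a second, hypothetical line of the same shape carrying the remaining
# permissions, so the merge of perms for one source/target/class is visible.
SAMPLE_AVC='avc:  denied  { execute } for  pid=4978 comm="dovecot-auth" name="unix_update" dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
avc:  denied  { read execute_no_trans } for  pid=4978 comm="dovecot-auth" name="unix_update" dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file'

# avc_to_te: read AVC denial lines on stdin and print the body of a local
# policy module: a require block, then one allow rule per
# (source type, target type, class) with permissions merged in the order seen.
avc_to_te() {
    awk '
    /avc: +denied +[{]/ {
        p = $0; sub(/.*denied +[{] */, "", p); sub(/ *[}].*/, "", p)
        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
        t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        src = sa[3]; tgt = ta[3]
        types[src] = 1; types[tgt] = 1
        key = src " " tgt ":" c
        if (!(key in seen)) { order[++nrules] = key; seen[key] = 1 }
        n = split(p, pa, " ")
        for (i = 1; i <= n; i++) {
            if (index(" " perms[key] " ", " " pa[i] " ") == 0)
                perms[key] = (perms[key] == "" ? "" : perms[key] " ") pa[i]
            if (index(" " cperm[c] " ", " " pa[i] " ") == 0)
                cperm[c] = (cperm[c] == "" ? "" : cperm[c] " ") pa[i]
        }
    }
    END {
        print "require {"
        for (ty in types) print "\ttype " ty ";"
        for (cl in cperm) print "\tclass " cl " { " cperm[cl] " };"
        print "}"
        for (i = 1; i <= nrules; i++) print "allow " order[i] " { " perms[order[i]] " };"
    }'
}

# note_no_transition: flag any generated allow rule that grants execute_no_trans
# on an *_exec_t file type.  Such a rule keeps the helper running in the
# caller's domain (here unix_update inside dovecot_auth_t) instead of letting
# it transition to its own domain, so the caller then needs every permission
# the helper itself needs.
note_no_transition() {
    grep -E '^allow [a-z_]+ [a-z_]+_exec_t:file [{][^}]*execute_no_trans' |
        sed 's/^allow \([a-z_]*\) \([a-z_]*\)_exec_t:file.*/note: \2 helper runs inside \1 (no domain transition)/'
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_te
printf '%s\n' "$SAMPLE_AVC" | avc_to_te | note_no_transition
```

The note is the point for this thread: with execute_no_trans, unix_update keeps running as dovecot_auth_t instead of transitioning to its own domain, so every permission the helper needs (the audit_write capability and netlink_audit_socket from the subject line among them) has to be granted to dovecot_auth_t. Denials covered by dontaudit rules will not show up in the log at all until `semodule -DB` disables them, which is one reason a module built from the visible denials can leave authentication failing.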