dovecot_auth_t wants capability audit_write and netlink_audit_socket create
Paul Howarth
paul at city-fan.org
Fri Jun 22 07:46:16 UTC 2007
Daniel Fazekas wrote:
> On Jun 17, 2007, at 16:27, Paul Howarth wrote:
>
>> I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7)
>> I needed to add the following:
>> # Allow dovecot to check passwords
>> allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };
>>
>> before dovecot-auth could run /sbin/unix-update and authenticate IMAP
>> clients.
>
> I've got pretty much the same problem -- dovecot failing to authenticate
> IMAP clients through PAM if selinux enforcing is enabled.
> However, even what Paul posted doesn't solve it for me.
>
> dovecot-1.0.1-12.fc7
> selinux-policy-targeted-2.6.4-14.fc7
>
> dovecot is left to use the default settings,
> passdb:
> driver: pam
> userdb:
> driver: passwd
>
> audit messages I'm getting are like:
> avc: denied { execute } for pid=4978 comm="dovecot-auth"
> name="unix_update" dev=dm-0 ino=96698486
> scontext=user_u:system_r:dovecot_auth_t:s0
> tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
>
> other log messages on the failure:
> unix_chkpwd[4911]: could not get username from shadow (username))
> dovecot-auth: pam_unix(dovecot:account): unix_update returned error 9
> dovecot: auth(default): pam(username,addr): lookup service=dovecot
> dovecot: auth(default): pam(username,addr): pam_acct_mgmt() failed:
> Authentication service cannot retrieve authentication info
>
> Through a couple iterations of audit2allow and making a new module, I
> came up with this (pretty much the same Paul posted):
> require {
> type dovecot_auth_t;
> type updpwd_exec_t;
> class file { read execute execute_no_trans };
> }
> allow dovecot_auth_t updpwd_exec_t:file { read execute execute_no_trans };
>
> Which did succeed in eliminating all audit denial messages, yet it still
> keeps on failing and authentication still doesn't work.
>
> As soon as I do
> setenforce 0
> everything starts functioning fine.
>
> Any ideas how could I make it work without disabling selinux?
The problem was caused by the recent PAM update:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244534
Try updating selinux-policy from updates-testing:
# yum --enablerepo=updates-testing update selinux-policy\*
Paul.
More information about the fedora-selinux-list
mailing list