dovecot_auth_t wants capability audit_write and netlink_audit_socket create

Paul Howarth paul at city-fan.org
Fri Jun 22 07:46:16 UTC 2007


Daniel Fazekas wrote:
> On Jun 17, 2007, at 16:27, Paul Howarth wrote:
> 
>> I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7)
>> I needed to add the following:
>> # Allow dovecot to check passwords
>> allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };
>>
>> before dovecot-auth could run /sbin/unix-update and authenticate IMAP
>> clients.
> 
> I've got pretty much the same problem -- dovecot failing to authenticate 
> IMAP clients through PAM if selinux enforcing is enabled.
> However, even what Paul posted doesn't solve it for me.
> 
> dovecot-1.0.1-12.fc7
> selinux-policy-targeted-2.6.4-14.fc7
> 
> dovecot is left to use the default settings,
>   passdb:
>     driver: pam
>   userdb:
>     driver: passwd
> 
> audit messages I'm getting are like:
> avc:  denied  { execute } for  pid=4978 comm="dovecot-auth" 
> name="unix_update" dev=dm-0 ino=96698486 
> scontext=user_u:system_r:dovecot_auth_t:s0 
> tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
> 
> other log messages on the failure:
> unix_chkpwd[4911]: could not get username from shadow (username))
> dovecot-auth: pam_unix(dovecot:account): unix_update returned error 9
> dovecot: auth(default): pam(username,addr): lookup service=dovecot
> dovecot: auth(default): pam(username,addr): pam_acct_mgmt() failed: 
> Authentication service cannot retrieve authentication info
> 
> Through a couple of iterations of audit2allow and making a new module, I 
> came up with this (pretty much the same as Paul posted):
> require {
>         type dovecot_auth_t;
>         type updpwd_exec_t;
>         class file { read execute execute_no_trans };
> }
> allow dovecot_auth_t updpwd_exec_t:file { read execute execute_no_trans };
> 
> Which did succeed in eliminating all audit denial messages, yet it still 
> keeps on failing and authentication still doesn't work.
> 
> As soon as I do
> setenforce 0
> everything starts functioning fine.
> 
> Any ideas how I could make it work without disabling selinux?

The problem was caused by the recent PAM update:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244534

Try updating selinux-policy from updates-testing:
# yum --enablerepo=updates-testing update selinux-policy\*

Paul.
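As an added illustration (not part of the thread, and not audit2allow itself), the following Python script does the core of what Daniel's "couple of iterations of audit2allow" did by hand: it parses AVC denial lines like the one quoted above into (source type, target type, class) keys, merges the denied permissions per key, and renders the same require/allow module fragment. The input is a constructed sample: the denial from the thread plus a second constructed line for `read`, to show merging.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denial quoted in the thread, plus a second
# constructed line for the same domain/type pair to show permission merging.
SAMPLE_AUDIT = """\
avc:  denied  { execute } for  pid=4978 comm="dovecot-auth" name="unix_update" dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
avc:  denied  { read } for  pid=4978 comm="dovecot-auth" name="unix_update" dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
"""

# Matches the permission set, the source/target contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # A context is user:role:type:level; the policy rule only needs the type.
    return context.split(":")[2]

def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC denial lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def to_te(rules):
    """Render a policy-module (.te) fragment: require block followed by allow rules."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    lines = ["require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines.append("}")
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_te(parse_avc(SAMPLE_AUDIT)))
```

A fragment produced this way widens the policy for every denial it saw, so it is worth reviewing before loading; as Paul's reply shows, the right fix here was the updated selinux-policy package rather than a local allow rule.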