Bug 1564348

Summary: PAM authentication no longer working with dovecot 2.3.1 (patch included)
Product: [Fedora] Fedora
Reporter: Helmut K. C. Tessarek <tessarek>
Component: dovecot
Assignee: Michal Hlavinka <mhlavink>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: rawhide
CC: bennie.joubert, cummings, dan, dominik, janfrode, mhlavink, pokorra.mailinglists
Hardware: Unspecified   
OS: Linux   
Last Closed: 2018-08-13 15:46:54 UTC
Type: Bug
Attachments:
%patch11 for spec file (flags: none)

Description Helmut K. C. Tessarek 2018-04-06 03:16:31 UTC
Created attachment 1417937
%patch11 for spec file

After upgrading to 2.3.x, PAM authentication stopped working:

Error in system's security log:

PAM audit_log_acct_message() failed: Operation not permitted

Error in dovecot.log:

auth-worker(*REMOVED*): Info: pam(*REMOVED*): pam_authenticate() failed: System error

Removing NoNewPrivileges=true and adding CAP_AUDIT_WRITE to CapabilityBoundingSet fixes this error.

It seems the option NoNewPrivileges=true is not only a problem for AppArmor, but also for PAM.

See also: https://github.com/dovecot/core/pull/71

I've attached a patch that can be used as %patch11 in the spec file.
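
A check for the two settings named in the description, run against a live process (an added example, not part of the original report or of dovecot's code): it reads the NoNewPrivs and CapBnd fields of /proc/<pid>/status and reports which of the two conditions is in force. The function names and the two sample status excerpts are constructed for illustration; bit 29 is CAP_AUDIT_WRITE in linux/capability.h.

```python
import sys

CAP_AUDIT_WRITE = 29  # capability bit number from linux/capability.h

# Constructed /proc/<pid>/status excerpts (not taken from a real dovecot host).
RESTRICTED = "Name:\tauth\nNoNewPrivs:\t1\nCapBnd:\t00000000000404e3\n"
FIXED = "Name:\tauth\nNoNewPrivs:\t0\nCapBnd:\t00000000200404e3\n"


def parse_status(text):
    """Return {field: value} for the 'Field:<tab>value' lines of a status file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def pam_audit_findings(status_text):
    """List which of the two settings from the bug report apply to a process."""
    fields = parse_status(status_text)
    findings = []
    if fields.get("NoNewPrivs") == "1":
        findings.append("no_new_privs set")
    capbnd = fields.get("CapBnd")
    if capbnd is None:
        findings.append("CapBnd field missing")
    elif not (int(capbnd, 16) >> CAP_AUDIT_WRITE) & 1:
        findings.append("CAP_AUDIT_WRITE not in bounding set")
    return findings


if __name__ == "__main__":
    # Usage: python3 check.py <pid> [<pid> ...]  (for example the auth-worker PIDs)
    for pid in sys.argv[1:]:
        try:
            with open(f"/proc/{pid}/status") as fh:
                result = pam_audit_findings(fh.read())
        except OSError as exc:
            # Process may have exited or be unreadable by this user.
            print(f"{pid}: cannot read status ({exc})")
            continue
        print(f"{pid}: {', '.join(result) if result else 'neither setting in force'}")
```

After changing the unit and restarting the service, an empty result for the auth processes confirms the new settings reached the running process rather than only the file on disk.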

Comment 1 Michal Hlavinka 2018-08-13 15:46:54 UTC
This change should already be included.

Comment 2 Helmut K. C. Tessarek 2018-08-13 15:57:21 UTC
No, it isn't. At least not in 2.3.1. They finally fixed that in 2.3.2.

Comment 3 Michal Hlavinka 2018-08-14 08:11:27 UTC
Rawhide contains dovecot 2.3.2.1.