Bug 241484

Summary: saslauthd can't authenticate against PAM with SELinux enforcing
Product: Fedora
Reporter: Nils Philippsen <nphilipp>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE
QA Contact: Ben Levenson <benl>
Severity: high
Priority: medium
Version: rawhide
CC: dwalsh, nalin
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-05-29 14:40:41 UTC

Description Nils Philippsen 2007-05-26 14:32:35 UTC
Description of problem:

When trying to log into my Cyrus imapd (which uses saslauthd, which in turn
checks credentials with PAM), I get an authentication error with SELinux
enabled/enforcing. When running permissive, all works as expected.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-8.fc7
cyrus-sasl-2.1.22-6

How reproducible:
Easy

Steps to Reproduce:
1. With saslauthd running (configured to use PAM, as is the default) and SELinux
enabled/enforcing, use testsaslauthd to check one of the local unix accounts:

nils@wombat:~> testsaslauthd -u nils -p <my password>

Alternatively, try to log into a service that uses saslauthd for authentication
  
Actual results:
0: NO "authentication failed"

Expected results:
No error

Additional info:

This is the AVC denial alert I got from setroubleshoot:

Source Context:  user_u:system_r:saslauthd_t
Target Context:  user_u:system_r:saslauthd_t
Target Objects:  None [ netlink_audit_socket ]
Affected RPM Packages:  cyrus-sasl-2.1.22-6 [application]
Policy RPM:  selinux-policy-2.6.4-8.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  wombat
Platform:  Linux wombat 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:47:07 EDT 2007
x86_64 x86_64
Alert Count:  4
First Seen:  Sat 26 May 2007 03:55:38 PM CEST
Last Seen:  Sat 26 May 2007 04:05:56 PM CEST
Local ID:  7961a9bf-5215-461d-8877-12857f6f3e92
Line Numbers:

Raw Audit Messages :

avc: denied { create } for comm="saslauthd" egid=0 euid=0
exe="/usr/sbin/saslauthd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=20133
scontext=user_u:system_r:saslauthd_t:s0 sgid=0
subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=netlink_audit_socket
tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0

Comment 1 Nils Philippsen 2007-05-26 21:14:07 UTC
Got these 2 additional denials as well, but this was already when running
permissive:

#1:

Summary
    SELinux is preventing /usr/sbin/saslauthd (saslauthd_t) "audit_write" to
    <Unknown> (saslauthd_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/saslauthd. It is not expected
    that this access is required by /usr/sbin/saslauthd and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:saslauthd_t
Target Context                user_u:system_r:saslauthd_t
Target Objects                None [ capability ]
Affected RPM Packages         cyrus-sasl-2.1.22-6 [application]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     wombat
Platform                      Linux wombat 2.6.21-1.3194.fc7 #1 SMP Wed May 23
                              22:47:07 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 26 May 2007 11:08:36 PM CEST
Last Seen                     Sat 26 May 2007 11:08:36 PM CEST
Local ID                      6932edc5-fe2b-4342-b5ea-5d895566d060
Line Numbers                  

Raw Audit Messages            

avc: denied { audit_write } for comm="saslauthd" egid=0 euid=0
exe="/usr/sbin/saslauthd" exit=120 fsgid=0 fsuid=0 gid=0 items=0 pid=16318
scontext=user_u:system_r:saslauthd_t:s0 sgid=0
subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=capability
tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0

and #2:

Summary
    SELinux is preventing /usr/sbin/saslauthd (saslauthd_t) "read" to <Unknown>
    (saslauthd_t).

Additional Information        

Source Context                user_u:system_r:saslauthd_t
Target Context                user_u:system_r:saslauthd_t
Target Objects                None [ netlink_audit_socket ]
Affected RPM Packages         cyrus-sasl-2.1.22-6 [application]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     wombat
Platform                      Linux wombat 2.6.21-1.3194.fc7 #1 SMP Wed May 23
                              22:47:07 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 26 May 2007 11:08:36 PM CEST
Last Seen                     Sat 26 May 2007 11:08:36 PM CEST
Local ID                      a85ce800-c9b7-40d6-9f10-9b405ad61fc1
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="saslauthd" egid=0 euid=0
exe="/usr/sbin/saslauthd" exit=36 fsgid=0 fsuid=0 gid=0 items=0 pid=16318
scontext=user_u:system_r:saslauthd_t:s0 sgid=0
subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=netlink_audit_socket
tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0


Comment 2 Nils Philippsen 2007-05-28 11:35:46 UTC
And another one:

Summary
    SELinux is preventing /usr/sbin/saslauthd (saslauthd_t) "nlmsg_relay" to
    <Unknown> (saslauthd_t).

Additional Information        

Source Context                user_u:system_r:saslauthd_t
Target Context                user_u:system_r:saslauthd_t
Target Objects                None [ netlink_audit_socket ]
Affected RPM Packages         cyrus-sasl-2.1.22-6 [application]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     wombat
Platform                      Linux wombat 2.6.21-1.3194.fc7 #1 SMP Wed May 23
                              22:47:07 EDT 2007 x86_64 x86_64
Alert Count                   7
First Seen                    Sun 27 May 2007 06:12:09 PM CEST
Last Seen                     Sun 27 May 2007 08:12:09 PM CEST
Local ID                      6c127942-8b52-4e2d-b3cc-ae6cf0baecbb
Line Numbers                  

Raw Audit Messages            

avc: denied { nlmsg_relay } for comm="saslauthd" egid=0 euid=0
exe="/usr/sbin/saslauthd" exit=120 fsgid=0 fsuid=0 gid=0 items=0 pid=16321
scontext=user_u:system_r:saslauthd_t:s0 sgid=0
subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=netlink_audit_socket
tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0

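All four raw audit messages quoted in this bug have saslauthd_t as both source and target context, so they collapse to two `self` rules: one on netlink_audit_socket (create, read, nlmsg_relay) and one on the audit_write capability. The Python below is an added example, not code from the report or from the selinux-policy package; it performs the grouping step that audit2allow does on those four records (re-joined onto one line each, exactly as quoted above) and prints the TE allow rules a local policy module would need to contain.

```python
import re
from collections import defaultdict

# The four raw audit messages quoted in this report, re-joined onto one line
# each (setroubleshoot wrapped them for display).
AVC_RECORDS = [
    'avc: denied { create } for comm="saslauthd" egid=0 euid=0 exe="/usr/sbin/saslauthd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=20133 scontext=user_u:system_r:saslauthd_t:s0 sgid=0 subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=netlink_audit_socket tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0',
    'avc: denied { audit_write } for comm="saslauthd" egid=0 euid=0 exe="/usr/sbin/saslauthd" exit=120 fsgid=0 fsuid=0 gid=0 items=0 pid=16318 scontext=user_u:system_r:saslauthd_t:s0 sgid=0 subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=capability tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0',
    'avc: denied { read } for comm="saslauthd" egid=0 euid=0 exe="/usr/sbin/saslauthd" exit=36 fsgid=0 fsuid=0 gid=0 items=0 pid=16318 scontext=user_u:system_r:saslauthd_t:s0 sgid=0 subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=netlink_audit_socket tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0',
    'avc: denied { nlmsg_relay } for comm="saslauthd" egid=0 euid=0 exe="/usr/sbin/saslauthd" exit=120 fsgid=0 fsuid=0 gid=0 items=0 pid=16321 scontext=user_u:system_r:saslauthd_t:s0 sgid=0 subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=netlink_audit_socket tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0',
]

# Pull the denied permissions, source/target contexts and object class out of
# one AVC record; field order in the kernel's avc: line is perms, scontext,
# tclass, tcontext, which the non-greedy gaps rely on.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
)

def parse_avc(line):
    """Return the parsed fields of one AVC denial, or None if line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {'perms': m.group('perms').split(), 'scontext': m.group('scontext'),
            'tclass': m.group('tclass'), 'tcontext': m.group('tcontext')}

def type_of(context):
    """user:role:type[:range] -> type, the part a TE allow rule is written on."""
    return context.split(':')[2]

def allow_rules(records):
    """Group denials by (source type, target type, class) into TE allow rules."""
    groups = defaultdict(set)
    for line in records:
        rec = parse_avc(line)
        if rec is None:
            continue  # e.g. a SYSCALL record interleaved with the AVC lines
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        groups[key].update(rec['perms'])
    rules = []
    for (src, tgt, tclass), perms in sorted(groups.items()):
        # A domain acting on its own context is written as 'self' in TE policy.
        target = 'self' if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(AVC_RECORDS)))
```

`audit2allow -M` performs the same grouping and packages the result as a loadable module; these two rules are what that module would contain for the four denials in this bug.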


Comment 3 Daniel Walsh 2007-05-29 14:40:41 UTC

*** This bug has been marked as a duplicate of 241432 ***