Bug 244859

Summary: SELinux prevents dovecot from logging in a user.
Product: [Fedora] Fedora
Reporter: Tom Martin <tlmartin>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 7
CC: dwalsh, steve30401
Hardware: All   
OS: Linux   
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-06-26 10:07:09 UTC

Description Tom Martin 2007-06-19 14:50:59 UTC
Description of problem:

SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t) "read"
to /sbin/unix_update (updpwd_exec_t).

Version-Release number of selected component (if applicable):

selinux-policy-2.6.4-14.fc7
libselinux-2.0.13-1.fc7
selinux-policy-targeted-2.6.4-14.fc7
libselinux-devel-2.0.13-1.fc7
libselinux-python-2.0.13-1.fc7

dovecot-1.0.0-11.fc7




How reproducible:

Setting SELinux to enforcing causes dovecot to not allow logins.  Setting
SELinux to permissive allows logins.

This started after upgrading on June 18.  The previous version of SELinux policy
was selinux-policy.noarch 2.6.4-13.fc7.




Additional info:

I've used audit2allow to create policies that should correct this, but without
success.  With the modules in place, I still get messages such as this:

type=USER_AUTH msg=audit(1182262859.537:329): user pid=8856 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=tlmartin : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1182262859.537:330): user pid=8856 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=tlmartin : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=failed)'

Comment 1 Daniel Walsh 2007-06-19 14:59:34 UTC
Fixed in selinux-policy-2.6.4-17

Comment 2 Stephen Sentoff 2007-06-22 02:18:14 UTC
I'm on 
dovecot-1.0.0-11.fc7
selinux-policy-2.6.4-14.fc7
selinux-policy-targeted-2.6.4-14.fc7

and I've got a very similar problem:
SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t)
"execute" to unix_update (updpwd_exec_t)

Will 2.6.4-17 fix this as well?  Thanks.


Comment 3 Daniel Walsh 2007-06-22 13:44:56 UTC
21 will and it was just released.

Comment 4 Daniel Rowe 2007-06-25 12:47:05 UTC
Hi

I am getting the same:

type=USER_AUTH msg=audit(1182775569.327:10269): user pid=6361 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=bart : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=failed)'

selinux-policy-2.6.4-14.fc7
selinux-policy-targeted-2.6.4-14.fc7


Comment 5 Stephen Sentoff 2007-06-26 00:45:51 UTC
I've loaded selinux-policy-targeted-2.6.4-21.fc7 from testing and can confirm
this fixes the problem. Thanks.
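
Added example (not part of the original bug thread, and not code from any commenter): a small Python parser for the PAM audit records quoted in the description and in comment 4. It groups them by process and account and flags the pattern reported here, where authentication succeeds but the accounting step fails under dovecot_auth_t. The function names are this example's own; the sample input is the three records quoted above, each on a single line.

```python
import re
from collections import defaultdict

# The three records quoted in this bug (description and comment 4), one per line.
SAMPLE = """\
type=USER_AUTH msg=audit(1182262859.537:329): user pid=8856 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=tlmartin : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1182262859.537:330): user pid=8856 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=tlmartin : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=failed)'
type=USER_AUTH msg=audit(1182775569.327:10269): user pid=6361 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=bart : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=failed)'
"""

# Matches only the PAM USER_AUTH / USER_ACCT layout shown in the records above.
RECORD = re.compile(
    r"type=(?P<type>USER_AUTH|USER_ACCT) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"user pid=(?P<pid>\d+) .*?subj=(?P<subj>\S+) "
    r"msg='PAM: \w+ acct=(?P<acct>\S+) : .*\bres=(?P<res>\w+)\)'"
)

def parse(text):
    """Yield one dict per PAM auth/accounting record; other lines are skipped."""
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            yield m.groupdict()

def classify(records, domain="dovecot_auth_t"):
    """Group records by (pid, acct) for one SELinux domain and label the outcome."""
    seen = defaultdict(dict)
    for r in records:
        # subj is user:role:type:level; the third field is the process domain.
        if r["subj"].split(":")[2] == domain:
            seen[(int(r["pid"]), r["acct"])][r["type"]] = r["res"]
    verdicts = {}
    for key, res in seen.items():
        auth, acct = res.get("USER_AUTH"), res.get("USER_ACCT")
        if auth == "success" and acct == "failed":
            verdicts[key] = "auth ok, accounting failed"
        elif auth == "failed":
            verdicts[key] = "authentication failed"
        else:
            verdicts[key] = f"auth={auth} acct={acct}"
    return verdicts

if __name__ == "__main__":
    for (pid, acct), verdict in classify(parse(SAMPLE)).items():
        print(f"pid={pid} acct={acct}: {verdict}")
```

These records show only the PAM outcome; the SELinux denial itself is logged separately as a type=AVC record.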