Bug 320461

Summary: SELinux prevents Dovecot from authenticating NIS users
Product: [Fedora] Fedora    Reporter: Leonid Zeitlin <lz>
Component: selinux-policy    Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE    QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium    Docs Contact:
Priority: low
Version: 7    CC: nalin, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Current    Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-12-10 21:05:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Messages in audit log none

Description Leonid Zeitlin 2007-10-05 16:57:12 UTC
Description of problem:
Dovecot is running in the machine with SELinux enabled.

The machine is set up as a NIS client. Users are authenticated against a remote 
NIS server. Users are able to log in via ssh, which indicates that NIS is 
working.

User's home directories are mounted via NFS from a remote server (maybe this is 
not relevant).

Under these circumstances Dovecot rejects a valid user name and password:
# telnet myhost pop-3
Trying 192.168.1.1...
Connected to myhost.
Escape character is '^]'.
+OK Dovecot ready.
user lz
+OK
pass xxxxx
-ERR Authentication failed.

Strangely, audit log does not report any AVC denials. All it has is the 
following:

type=USER_AUTH msg=audit(1191602825.914:385610): user pid=2751 uid=0 auid=0 subj
=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=lz : exe="/usr/li
bexec/dovecot/dovecot-auth" (hostname=192.168.1.1, addr=192.168.1.1, terminal=
dovecot res=failed)'

Secure log has the following:

unix_chkpwd[2752]: check pass; user unknown
unix_chkpwd[2752]: password check failed for user (lz)
dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 
euid=0 tty=dovecot ruser= rhost=192.168.1.1  user=lz

Note a strange thing: unix_chkpwd is a PAM helper utility that verifies the 
password in the local shadow file. It is not supposed to be called, as user 
information should come from NIS.

When SELinux is disabled, the same user can log in successfully. 

A user that is entered to the local /etc/passwd and /etc/shadow files is able 
to log in even when SELinux is enabled. So this seems to be something between 
SELinux and NIS.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-46.fc7
dovecot-1.0.3-14.fc7
ypbind-1.19-9.fc7
yp-tools-2.9-0.1

How reproducible:
Always

Steps to Reproduce:
1. Set up a computer as a NIS client
2. Start Dovecot
3. Enable SELinux
4. Try logging in to Dovecot via POP-3

  
Actual results:
Login is denied

Expected results:
Login is allowed

Additional info:

Comment 1 Daniel Walsh 2007-10-05 19:00:54 UTC
Is the allow_ypbind boolean turned on?

getsebool -a | grep allow_ypbind

setsebool -P allow_ypbind 1


Comment 2 Leonid Zeitlin 2007-10-06 09:15:42 UTC
allow_ypbind is on:

# getsebool allow_ypbind
allow_ypbind --> on


Comment 3 Daniel Walsh 2007-10-06 13:00:39 UTC
When you say you run it with selinux disabled are you talking about permissive
mode, or totally disabled?

Have you tried it in permissive mode? Does it work? Does it generate AVCs?

Could you try to enable audit messages and see if that gives us a clue.

semodule -b /usr/share/selinux/targeted/enableaudit.pp

Run your test

See if this generates AVCs.

semodule -b /usr/share/selinux/targeted/base.pp 

will put the dontaudit rules back.

Comment 4 Leonid Zeitlin 2007-10-06 15:39:09 UTC
Sorry for not being clear. By "SELinux disabled" I really meant permissive 
mode. It didn't work and generated no AVC messages.

When I followed your suggestion to enable audit messages, I got messages in the 
audit log that I am attaching. Hope they will shed some light.



Comment 5 Leonid Zeitlin 2007-10-06 15:40:44 UTC
Created attachment 218461 [details]
Messages in audit log

Messages in audit log when logging in to Dovecot

Comment 6 Daniel Walsh 2007-10-08 14:59:33 UTC
OK, can you try to add those rules to policy and see if the app works in
enforcing mode.

# grep dovecot_auth /var/log/audit/audit.log | grep -v shadow | audit2allow -M mydovecot
# semodule -i mydovecot.pp


Comment 7 Leonid Zeitlin 2007-10-08 15:57:54 UTC
It worked! Here's the content of mydovecot.te:

module mydovecot 1.0;

require {
        type system_chkpwd_t;
        type selinux_config_t;
        type security_t;
        type dovecot_auth_t;
        type dhcpd_port_t;
        type hi_reserved_port_t;
        class process { siginh noatsecure rlimitinh };
        class capability net_bind_service;
        class file read;
        class filesystem getattr;
        class udp_socket name_bind;
        class dir search;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t dhcpd_port_t:udp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:udp_socket name_bind;
allow dovecot_auth_t security_t:dir search;
allow dovecot_auth_t security_t:file read;
allow dovecot_auth_t security_t:filesystem getattr;
allow dovecot_auth_t self:capability net_bind_service;
allow dovecot_auth_t selinux_config_t:dir search;
allow dovecot_auth_t selinux_config_t:file read;
allow dovecot_auth_t system_chkpwd_t:process { siginh rlimitinh noatsecure };


Thank you! I wonder though if all these rules are relevant. 
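
The audit2allow step from Comment 6 and the .te module it produced in Comment 7, as an added example that is not part of the report and not audit2allow's own code: a small Python script that parses AVC records, merges the denied permissions per (source type, target type, class), drops target types that should not be turned into allow rules (the `grep -v shadow` filter), and renders a require block plus allow rules in the same layout as mydovecot.te. The audit lines, PIDs, inode and port numbers in SAMPLE_AUDIT_LOG are constructed to mirror the denials discussed in this bug.

```python
"""Group SELinux AVC denials into allow rules, in the spirit of audit2allow.

Added example for this bug report; not code from the Fedora policy, Dovecot
or audit2allow.  SAMPLE_AUDIT_LOG is constructed: PIDs, timestamps, ports and
the inode are made up to resemble what enableaudit.pp surfaces for a NIS
password check from dovecot_auth_t.  The shadow_t line stands in for the
denial Comment 6 filters out with `grep -v shadow`.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1191686400.101:1): avc:  denied  { net_bind_service } for  pid=2751 comm="dovecot-auth" capability=10 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1191686400.102:2): avc:  denied  { name_bind } for  pid=2751 comm="dovecot-auth" src=647 scontext=root:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1191686400.103:3): avc:  denied  { name_bind } for  pid=2751 comm="dovecot-auth" src=1010 scontext=root:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1191686400.104:4): avc:  denied  { send_msg } for  pid=2751 comm="dovecot-auth" src=1010 scontext=root:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1191686400.105:5): avc:  denied  { read } for  pid=2751 comm="dovecot-auth" name="shadow" dev=sda2 ino=12345 scontext=root:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_AUTH msg=audit(1191686400.106:6): user pid=2751 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=lz res=failed'
"""

# One AVC record: the denied permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avcs(log_text, exclude_ttypes=()):
    """Parse AVC denials into {(stype, ttype, tclass): set(perms)}.

    Denials whose target type is in exclude_ttypes are dropped.  This is the
    programmatic form of `grep -v shadow`: a denial that is intentionally
    dontaudited, or that should stay denied, must not become an allow rule
    just because it showed up once enableaudit.pp was loaded.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # USER_AUTH, SYSCALL and similar records carry no denial
        stype = context_type(m.group("scontext"))
        ttype = context_type(m.group("tcontext"))
        if ttype in exclude_ttypes:
            continue
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return rules


def fmt_perms(perms):
    """Render a permission set the way .te files do: bare word or { a b c }."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module_name, rules, version="1.0"):
    """Render a .te module: require block, then one allow rule per key."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update({stype, ttype})
        classes[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        # A capability denial has source == target; policy spells that "self".
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = parse_avcs(SAMPLE_AUDIT_LOG, exclude_ttypes={"shadow_t"})
    print(render_te("mydovecot", denials))
```

Running it prints a module with three allow rules, the `self:capability net_bind_service` and the two `udp_socket name_bind` lines Comment 8 later identifies as the ones that matter, with the shadow_t read left out. The merge step is why a single `{ name_bind send_msg }` rule appears instead of two separate lines.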

Comment 8 Daniel Walsh 2007-10-08 17:34:29 UTC
I think the ones you need are 

allow dovecot_auth_t self:capability net_bind_service;
allow dovecot_auth_t dhcpd_port_t:udp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:udp_socket name_bind;

I believe in order to check the password, the nis calls require you to be bound
to a port  < 1024.  And currently we are forcing all nis to be bound > 1024.

Comment 9 Leonid Zeitlin 2007-10-09 09:24:53 UTC
You are right, these rules are sufficient. Thank you.

Will these rules be added to Fedora?

Comment 10 Daniel Walsh 2007-10-09 14:37:19 UTC
Yes 
selinux-policy-2.6.4-48.fc7 will have this fix.

selinux-policy-3.0.8-19.fc8 will also have it.

Comment 11 Leonid Zeitlin 2007-10-12 10:36:03 UTC
It has transpired that a new rule is needed:

allow dovecot_auth_t ipp_port_t:udp_socket name_bind;

Is there a way to allow all reserved ports in one shot?


Comment 12 Daniel Walsh 2007-10-12 13:31:47 UTC
Yes 

I believe you need all ports between 600-1024.

corenet_udb_bind_app_rpc_ports()
corenet_tcb_bind_app_rpc_ports()

I have added this interface

interface(`nis_authenticate',`
	tunable_policy(`allow_ypbind',`
		nis_use_ypbind_uncond($1)
		# Needs to bind to a port < 1024
		allow $1 self:capability net_bind_service;
		corenet_tcp_bind_all_rpc_ports($1)
		corenet_udp_bind_all_rpc_ports($1)
	')
')

Please upgrade to selinux-policy-2.6.4-48.fc7  and try this out.

Comment 13 Leonid Zeitlin 2007-10-15 13:15:21 UTC
Upgraded to selinux-policy-2.6.4-48.fc7. First it worked well, but after the 
system rebooted, I suddenly see a lot of denials. Audit2allow output:

#============= dovecot_auth_t ==============
allow dovecot_auth_t dhcpd_port_t:tcp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:tcp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:udp_socket { name_bind send_msg recv_msg };
allow dovecot_auth_t ipp_port_t:tcp_socket name_bind;
allow dovecot_auth_t ldap_port_t:tcp_socket name_bind;
allow dovecot_auth_t pop_port_t:tcp_socket name_bind;
allow dovecot_auth_t portmap_port_t:tcp_socket name_connect;
allow dovecot_auth_t self:capability net_bind_service;
allow dovecot_auth_t var_yp_t:dir search;
allow dovecot_auth_t var_yp_t:file read;

In fact, there's a lot more, not related to dovecot_auth:

#============= dovecot_t ==============
allow dovecot_t hi_reserved_port_t:tcp_socket name_bind;
allow dovecot_t hi_reserved_port_t:udp_socket name_bind;
allow dovecot_t var_yp_t:dir search;
allow dovecot_t var_yp_t:file read;

#============= rpcd_t ==============
allow rpcd_t var_yp_t:dir search;
allow rpcd_t var_yp_t:file read;

#============= smbd_t ==============
allow smbd_t binfmt_misc_fs_t:dir getattr;
allow smbd_t hi_reserved_port_t:tcp_socket name_bind;
allow smbd_t hi_reserved_port_t:udp_socket name_bind;
allow smbd_t nfs_t:fifo_file getattr;
allow smbd_t nfs_t:lnk_file read;
allow smbd_t portmap_port_t:tcp_socket name_connect;
allow smbd_t rsync_port_t:tcp_socket name_bind;
allow smbd_t var_yp_t:dir search;
allow smbd_t var_yp_t:file read;

#============= system_dbusd_t ==============
allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
allow system_dbusd_t inaddr_any_node_t:tcp_socket node_bind;
allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
allow system_dbusd_t var_yp_t:dir search;



Comment 14 Daniel Walsh 2007-10-15 18:11:07 UTC
These look like allow_ypbind is not on.

setsebool -P allow_ypbind=1


Comment 15 Leonid Zeitlin 2007-10-16 14:50:24 UTC
Apologies for the confusion. Indeed, allow_ypbind was off. Strange, I thought 
the ypbind initscript turns it on. After turning it on, everything works well. 
Thank you.

Comment 16 Leonid Zeitlin 2007-12-10 14:54:21 UTC
I think this issue can be closed.