Bug 320461
| Field | Value |
|---|---|
| Summary | SELinux prevents Dovecot from authenticating NIS users |
| Product | Fedora |
| Component | selinux-policy |
| Version | 7 |
| Hardware | i386 |
| OS | Linux |
| Reporter | Leonid Zeitlin <lz> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | nalin, tmraz |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | low |
| Doc Type | Bug Fix |
| Fixed In Version | Current |
| Last Closed | 2007-12-10 21:05:51 UTC |
Description
Leonid Zeitlin
2007-10-05 16:57:12 UTC
Is the allow_ypbind boolean turned on?

```
getsebool -a | grep allow_ypbind
setsebool -P allow_ypbind 1
```

allow_ypbind is on:

```
# getsebool allow_ypbind
allow_ypbind --> on
```

When you say you run it with selinux disabled are you talking about permissive mode, or totally disabled? Have you tried it in permissive mode? Does it work? Does it generate avcs? Could you try to enable audit messages and see if that gives us a clue.

```
semodule -b /usr/share/selinux/targeted/enableaudit.pp
```

Run your test. See if this generates avc's.

```
semodule -b /usr/share/selinux/targeted/base.pp
```

will put the dontaudit rules back.

Sorry for not being clear. By "SELinux disabled" I really meant permissive mode. It didn't work and generated no AVC messages. When I followed your suggestion to enable audit messages, I got messages in the audit log that I am attaching. Hope they will shed some light.

Created attachment 218461 [details]
Messages in audit log
Messages in audit log when logging in to dovecot

Ok can you try to add those rules to policy and see if the app works in enforcing mode.

```
# grep dovecot_auth /var/log/audit/audit.log | grep -v shadow | audit2allow -M mydovecot
# semodule -i mydovecot.pp
```

It worked! Here's the content of mydovecot.te:

```
module mydovecot 1.0;

require {
	type system_chkpwd_t;
	type selinux_config_t;
	type security_t;
	type dovecot_auth_t;
	type dhcpd_port_t;
	type hi_reserved_port_t;
	class process { siginh noatsecure rlimitinh };
	class capability net_bind_service;
	class file read;
	class filesystem getattr;
	class udp_socket name_bind;
	class dir search;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t dhcpd_port_t:udp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:udp_socket name_bind;
allow dovecot_auth_t security_t:dir search;
allow dovecot_auth_t security_t:file read;
allow dovecot_auth_t security_t:filesystem getattr;
allow dovecot_auth_t self:capability net_bind_service;
allow dovecot_auth_t selinux_config_t:dir search;
allow dovecot_auth_t selinux_config_t:file read;
allow dovecot_auth_t system_chkpwd_t:process { siginh rlimitinh noatsecure };
```

Thank you! I wonder though if all these rules are relevant.

I think the ones you need are

```
allow dovecot_auth_t self:capability net_bind_service;
allow dovecot_auth_t dhcpd_port_t:udp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:udp_socket name_bind;
```

I believe in order to check the password, the nis calls require you to be bound to a port < 1024. And currently we are forcing all nis to be bound > 1024.

You are right, these rules are sufficient. Thank you. Will these rules be added to Fedora?

Yes selinux-policy-2.6.4-48.fc7 will have this fix. selinux-policy-3.0.8-19.fc8 will also have it.

It has transpired that a new rule is needed:

```
allow dovecot_auth_t ipp_port_t:udp_socket name_bind;
```

Is there a way to allow all reserved ports in one shot?

Yes I believe you need all ports between 600-1024.

```
corenet_udb_bind_app_rpc_ports()
corenet_tcb_bind_app_rpc_ports()
```

I have added this interface

```
interface(`nis_authenticate',`
	tunable_policy(`allow_ypbind',`
		nis_use_ypbind_uncond($1)
		# Needs to bind to a port < 1024
		allow $1 self:capability net_bind_service;
		corenet_tcp_bind_all_rpc_ports($1)
		corenet_udp_bind_all_rpc_ports($1)
	')
')
```

Please upgrade to selinux-policy-2.6.4-48.fc7 and try this out.

Upgraded to selinux-policy-2.6.4-48.fc7. First it worked well, but after the system rebooted, I suddenly see a lot of denials. Audit2allow output:

```
#============= dovecot_auth_t ==============
allow dovecot_auth_t dhcpd_port_t:tcp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:tcp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:udp_socket { name_bind send_msg recv_msg };
allow dovecot_auth_t ipp_port_t:tcp_socket name_bind;
allow dovecot_auth_t ldap_port_t:tcp_socket name_bind;
allow dovecot_auth_t pop_port_t:tcp_socket name_bind;
allow dovecot_auth_t portmap_port_t:tcp_socket name_connect;
allow dovecot_auth_t self:capability net_bind_service;
allow dovecot_auth_t var_yp_t:dir search;
allow dovecot_auth_t var_yp_t:file read;
```

In fact, there's a lot more, not related to dovecot_auth:

```
#============= dovecot_t ==============
allow dovecot_t hi_reserved_port_t:tcp_socket name_bind;
allow dovecot_t hi_reserved_port_t:udp_socket name_bind;
allow dovecot_t var_yp_t:dir search;
allow dovecot_t var_yp_t:file read;

#============= rpcd_t ==============
allow rpcd_t var_yp_t:dir search;
allow rpcd_t var_yp_t:file read;

#============= smbd_t ==============
allow smbd_t binfmt_misc_fs_t:dir getattr;
allow smbd_t hi_reserved_port_t:tcp_socket name_bind;
allow smbd_t hi_reserved_port_t:udp_socket name_bind;
allow smbd_t nfs_t:fifo_file getattr;
allow smbd_t nfs_t:lnk_file read;
allow smbd_t portmap_port_t:tcp_socket name_connect;
allow smbd_t rsync_port_t:tcp_socket name_bind;
allow smbd_t var_yp_t:dir search;
allow smbd_t var_yp_t:file read;

#============= system_dbusd_t ==============
allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
allow system_dbusd_t inaddr_any_node_t:tcp_socket node_bind;
allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
allow system_dbusd_t var_yp_t:dir search;
```

These look like allow_ypbind is not on.

```
setsebool -P allow_ypbind=1
```

Apologies for the confusion. Indeed, allow_ypbind was off. Strange, I thought ypbind initscript turns it on. After turning it on, everything works well. Thank you. I think this issue can be closed.
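As an added example that is not part of the bug thread or of selinux-policy: a small parser that folds AVC denials into the merged allow rules audit2allow would print, plus a check for the pattern diagnosed above (net_bind_service together with name_bind on a port type). Reviewing the merged rule set this way, before building a module with audit2allow -M, makes it easier to spot denials that an existing boolean such as allow_ypbind already covers. The sample log lines are constructed in the shape of this bug's audit log, not taken from the attachment.

```python
import re
from collections import defaultdict
# One AVC denial as auditd records it; the fields between "for" and scontext vary by class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) for an AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third field of a user:role:type[:range] security context.
    return (m.group("sctx").split(":")[2], m.group("tctx").split(":")[2],
            m.group("tclass"), set(m.group("perms").split()))

def merge_denials(lines):
    """Fold denials into {(src, tgt, tclass): perms}, the way audit2allow merges them."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            rules[(src, tgt, tclass)] |= perms
    return dict(rules)

def format_rules(rules):
    """Render merged denials as .te allow rules; a target equal to the source becomes self."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {'self' if tgt == src else tgt}:{tclass} {perm_txt};")
    return out

def reserved_port_binders(rules):
    """Source types denied both net_bind_service and a name_bind on a port type: the pattern
    this bug traced to NIS lookups binding a port below 1024."""
    caps = {s for (s, t, c), p in rules.items() if c == "capability" and "net_bind_service" in p}
    binds = {s for (s, t, c), p in rules.items() if t.endswith("_port_t") and "name_bind" in p}
    return sorted(caps & binds)

# Constructed sample lines in the shape of this bug's audit log (not the attached log itself).
SAMPLE_LOG = [
    'type=AVC msg=audit(1191601000.101:201): avc:  denied  { name_bind } for  pid=2301 comm="dovecot-auth" src=631 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1191601000.102:202): avc:  denied  { net_bind_service } for  pid=2301 comm="dovecot-auth" capability=10 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability',
    'type=AVC msg=audit(1191601000.103:203): avc:  denied  { name_bind } for  pid=2301 comm="dovecot-auth" src=800 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1191601000.104:204): avc:  denied  { send_msg } for  pid=2301 comm="dovecot-auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket',
]
```

Running `format_rules(merge_denials(SAMPLE_LOG))` yields the three merged rules for dovecot_auth_t, and `reserved_port_binders` flags that domain as one needing the reserved-port binding the nis_authenticate interface grants.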