Bug 474233

Summary: selinux prevents dovecot-auth appending to faillog
Product: Red Hat Enterprise Linux 5
Reporter: Philip Goisman <goisman>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: low
Version: 5.4
CC: jeevanullas
Target Milestone: rc
Target Release: ---
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-02-07 11:52:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Philip Goisman 2008-12-02 21:41:07 UTC
Description of problem:

SELinux is preventing dovecot-auth (dovecot_auth_t) "append" to ./faillog
(faillog_t).
SELinux denied access requested by dovecot-auth. It is not expected that this
access is required by dovecot-auth and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Version-Release number of selected component (if applicable):
dovecot-1.0.7-2.el5
selinux-policy-2.4.6-137.1.el5_2

How reproducible:
In /etc/pam.d/system-auth-ac, added following lines to detect password fails:

auth        required      pam_tally.so onerr=fail deny=3 even_deny_root_account
account     required      pam_tally.so no_reset

Actual results:
/var/log/secure gives errors like the following:
dovecot-auth: pam_tally(dovecot:auth): Couldn't create /var/log/faillog

Expected results:
If a user/hacker mistypes a user password, that user's username with the
number of mistypes should be registered in /var/log/faillog.

Additional info:
Initially, I received sealerts with the following subject:

SELinux is preventing dovecot-auth (dovecot_auth_t) "search" to ./log
(var_log_t).

So, I tried adding the following rule:
grep dovecot-auth /var/log/audit/audit.log | audit2allow -M mydovecotauth
semodule -i mydovecotauth.pp

Since that only gave me the next sealert, and I'm not sure what to do in 
selinux, I decided to ask you what should be done.  It's a bug to me.

Comment 1 Deependra Singh Shekhawat 2008-12-03 06:15:27 UTC
Hmm,

Seems like this policy works:-

policy_module(mydovecot, 1.0)

require {
	type dovecot_auth_t;
	type var_log_t;
	type faillog_t;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t faillog_t:file { read write getattr append };
allow dovecot_auth_t var_log_t:dir search;

Comment 2 Daniel Walsh 2008-12-03 14:12:55 UTC
Fixed in selinux-policy-2.4.6-198.el5.src.rpm

Comment 3 Philip Goisman 2008-12-03 16:35:27 UTC
If this is fixed in selinux-policy-2.4.6-198.el5.src.rpm shouldn't el5 
auto updates have updated selinux by now?  I currently have the following:
selinux-policy-strict-2.4.6-137.1.el5_2
selinux-policy-2.4.6-137.1.el5_2
selinux-policy-devel-2.4.6-137.1.el5_2
selinux-policy-targeted-2.4.6-137.1.el5_2
selinux-policy-mls-2.4.6-137.1.el5_2

But on the FC9 systems I just received the following update:
selinux-policy-devel-3.3.1-111.fc9.noarch
selinux-policy-3.3.1-111.fc9.noarch
selinux-policy-targeted-3.3.1-111.fc9.noarch
Regarding Deependra's reply do I just create another pp file like 
mydovecotfix.pp with the code from comment #1, and then run 
semodule -i mydovecotfix.pp?

Comment 4 Philip Goisman 2008-12-03 18:39:06 UTC
Ok, I'm an idiot.

I found http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
which tells me what to do with Deependra's code.  I'll try that
and let you all know if that works.

Meanwhile, do I need to build selinux-policy from source, or will
the update of selinux-policy-2.4.6-198.el5 automatically occur?

Comment 5 Philip Goisman 2008-12-03 21:36:02 UTC
Deependra's code gave some errors.  So, I modified it as follows:

module mydovecotauth 1.0;

require {
	type dovecot_auth_t;
	type var_log_t;
	type faillog_t;
	class dir search;
	class file { read write getattr append };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t faillog_t:file { read write getattr append };
allow dovecot_auth_t var_log_t:dir search;

This compiled.  So, I loaded it.  And, faillog is updated on a failed
password entry as expected.

Thank you Deependra and http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385.
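
The following is an added example, not code from this bug or from the selinux-policy package: it reconstructs the checkmodule-style module of comment 5 from raw AVC records the way `audit2allow -M` does, so the rules can be read and justified against the expected denials (search on /var/log, read/write/getattr/append on faillog) before anything is loaded. The audit.log lines are constructed samples (pids, inodes and timestamps are invented; the types and comm match the report).

```python
import re
from collections import defaultdict

# Constructed sample records in /var/log/audit/audit.log format: pids, inodes
# and timestamps are made up; the types and comm match the report above.
AUDIT_LOG = """\
type=AVC msg=audit(1228254067.101:201): avc:  denied  { search } for  pid=4112 comm="dovecot-auth" name="log" dev=sda3 ino=8193 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1228254067.102:202): avc:  denied  { read write } for  pid=4112 comm="dovecot-auth" name="faillog" dev=sda3 ino=8201 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
type=AVC msg=audit(1228254067.103:203): avc:  denied  { getattr append } for  pid=4112 comm="dovecot-auth" path="/var/log/faillog" dev=sda3 ino=8201 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
type=USER_AUTH msg=audit(1228254067.104:204): user pid=4112 uid=0 auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='op=PAM:authentication acct="bob" exe="/usr/libexec/dovecot/dovecot-auth" res=failed'
"""

# One AVC record: the permissions in braces, then the type field (third
# component) of the source and target contexts, and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=\w+:\w+:(?P<stype>\w+)(?::\S*)? '
    r'tcontext=\w+:\w+:(?P<ttype>\w+)(?::\S*)? tclass=(?P<tclass>\w+)'
)

def parse_denials(log_text, comm=None):
    """Aggregate AVC denials into {(source_type, target_type, tclass): {perms}},
    optionally keeping only one comm= (what the grep in the report does)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if comm and f'comm="{comm}"' not in line:
            continue
        m = AVC_RE.search(line)
        if m:
            rules[(m['stype'], m['ttype'], m['tclass'])].update(m['perms'].split())
    return rules

def render_module(name, rules, version="1.0"):
    """Emit the raw `module` .te syntax that checkmodule -M -m accepts (the form
    used in comment 5), one class require line per object class."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    # Each allow rule should correspond to a denial you expected; a denial you
    # cannot explain is exactly what the sealert text warns about, so drop it.
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("mydovecotauth", parse_denials(AUDIT_LOG, comm="dovecot-auth")))
```

Save the output as mydovecotauth.te and build and load it with `checkmodule -M -m -o mydovecotauth.mod mydovecotauth.te`, `semodule_package -o mydovecotauth.pp -m mydovecotauth.mod` and `semodule -i mydovecotauth.pp`; once the fixed selinux-policy package is installed, remove the local module with `semodule -r mydovecotauth` so the vendor rules take over.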

Comment 6 Daniel Walsh 2008-12-03 22:20:41 UTC
Hopefully selinux-policy-2.4.6-198.el5 will be in the RHEL5.3 update.