| Summary: | dovecot-auth is prevented from creating Kerberos cache files | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Ben Webb <ben> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Michal Trunecka <mtruneck> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.7 | CC: | dwalsh, ebenes, mmalik, mtruneck |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-09-26 09:01:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:

Whenever I connect to our IMAPS server (RHEL 5.7 x86_64 system) from a Fedora 16 client using Kerberos auth, the server logs an avc similar to the following:

```
Feb 7 11:02:26 guitar kernel: type=1400 audit(1328641346.769:495): avc: denied { create } for pid=16719 comm="dovecot-auth" name="krb5_RC16719aaa" scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
```

(The IMAP connection succeeds, however, because this server is currently running SELinux in permissive mode, for unrelated reasons.)

Version-Release number of selected component (if applicable):
dovecot-1.0.7-7.el5_7.1
selinux-policy-targeted-2.4.6-316.el5

How reproducible:
Always.

Steps to Reproduce:
1. Install dovecot on the server, and an IMAP client.
2. Add both machines to the same Kerberos realm.
3. Check mail via IMAP.

Actual results:
The avc shown above is logged on the server.

Expected results:
No avc.

Additional info:
As a workaround, I used audit2allow to make the following custom policy module:

```
module local 1.0;

require {
	type dovecot_auth_t;
	type krb5_host_rcache_t;
	class file create;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t krb5_host_rcache_t:file create;
```

and then loaded it with

```
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp
```

But for some reason the avcs continue. Is there some reason why this wouldn't work? I have other custom policy on this machine which works just fine (so I'm pretty sure I'm building and loading the module successfully ;)

Could you attach raw AVC message?

I don't understand - isn't the excerpt I attached in the original report from /var/log/messages the raw AVC? (I don't run auditd on this machine.) If not, what do you need?

Ah, I apologize, I missed it.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Hi Ben, we have just reproduced the steps you described and it worked without AVCs. Could you retest your scenario with the latest policy available at the following URL? http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

(In reply to comment #9)
> Could you retest your scenario with the latest policy

Sorry, I updated this machine to RHEL 6 long ago, which doesn't seem to have this problem.