Description of problem:
selinux-policy-targeted prevents exim with PAM authentication from successful logins for e-mail send/submission. Even generating a module with audit2allow and loading it into the kernel does not help. I have added the audit.log excerpt and the respective module that was produced by audit2allow. After inserting the module and running setenforce 1, there are no more denials in audit.log, but the journal/syslog says:

Feb 17 13:57:24 kaiman exim[5300]: pam_unix(exim:auth): authentication failure; logname= uid=93 euid=93 tty= ruser= rhost= user=jim
Feb 17 13:57:26 kaiman exim[5300]: PAM audit_log_acct_message() failed: Permission denied

Version-Release number of selected component (if applicable):
Fedora 19
Name    : selinux-policy-targeted
Version : 3.12.1
Release : 74.17.fc19

How reproducible:
Always with setenforce 1

Expected results:
exim should be able to use PAM authentication in SELinux enforcing mode
audit.log used to build module:

type=AVC msg=audit(1392641488.368:109329): avc: denied { execute } for pid=5226 comm="exim" name="unix_chkpwd" dev="vda1" ino=19191 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1392641488.368:109329): avc: denied { read open } for pid=5226 comm="exim" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=19191 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1392641488.368:109329): avc: denied { execute_no_trans } for pid=5226 comm="exim" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=19191 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1392641488.368:109329): arch=c000003e syscall=59 success=yes exit=0 a0=7f33fe54ab38 a1=7fff7746c920 a2=7f33fe7513a0 a3=7f34054d1b10 items=0 ppid=5225 pid=5226 auid=4294967295 uid=93 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:exim_t:s0 key=(null)
type=AVC msg=audit(1392641488.373:109330): avc: denied { read } for pid=5226 comm="unix_chkpwd" name="shadow" dev="vda1" ino=12577 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1392641488.373:109330): avc: denied { open } for pid=5226 comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=12577 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1392641488.373:109330): arch=c000003e syscall=2 success=yes exit=3 a0=7f4adbd0643b a1=80000 a2=1b6 a3=0 items=0 ppid=5225 pid=5226 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:exim_t:s0 key=(null)
type=AVC msg=audit(1392641488.375:109331): avc: denied { getattr } for pid=5226 comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=12577 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1392641488.375:109331): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fffc5ae4b40 a2=7fffc5ae4b40 a3=0 items=0 ppid=5225 pid=5226 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:exim_t:s0 key=(null)
type=AVC msg=audit(1392641488.413:109332): avc: denied { create } for pid=5227 comm="unix_chkpwd" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:exim_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1392641488.413:109332): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=9 a3=7fff575eda20 items=0 ppid=5225 pid=5227 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:exim_t:s0 key=(null)
type=AVC msg=audit(1392641488.415:109333): avc: denied { nlmsg_relay } for pid=5227 comm="unix_chkpwd" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:exim_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1392641488.415:109333): arch=c000003e syscall=44 success=yes exit=116 a0=3 a1=7fff575e7160 a2=74 a3=0 items=0 ppid=5225 pid=5227 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:exim_t:s0 key=(null)
resulting module:

module pam_exim 1.0;

require {
	type shadow_t;
	type exim_t;
	type chkpwd_exec_t;
	class file { getattr read open execute execute_no_trans };
	class netlink_audit_socket { nlmsg_relay create };
}

#============= exim_t ==============
allow exim_t chkpwd_exec_t:file { read execute open execute_no_trans };
allow exim_t self:netlink_audit_socket { nlmsg_relay create };
allow exim_t shadow_t:file { read getattr open };
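The denial sequence in the report says more than the generated module does. exim_t executes /usr/sbin/unix_chkpwd with execute_no_trans, so the helper keeps running in exim_t rather than transitioning into its own domain (in the reference policy, chkpwd_exec_t is the entry point for chkpwd_t), and that is exactly why the next denials are exim_t reading shadow_t. audit2allow turns every denial into an allow rule, so the module above hands the whole exim_t domain read access to /etc/shadow; the policy-correct fix is a domain transition, which refpolicy exposes as auth_domtrans_chk_passwd(), or the broader auth_use_pam(), which also pulls in the netlink_audit_socket permissions and the audit_write capability via logging_send_audit_msgs(). The script below is an added example for this thread, not code from the report or from selinux-policy. It parses the AVC records quoted above (copied from the report, SYSCALL records dropped), rebuilds the allow rules audit2allow would emit, and flags the ones that should be replaced by an interface call instead of being accepted as printed. It works on any audit.log; the ENTRYPOINTS and SENSITIVE_TYPES tables are this example's own and deliberately minimal.

```python
"""Flag SELinux denials that audit2allow would turn into over-broad rules.

Added example for this bug thread; not code from the report or from
selinux-policy. SAMPLE_AVCS is copied from the report's audit.log excerpt;
the ENTRYPOINTS and SENSITIVE_TYPES tables are this example's own.
"""
import re
from collections import defaultdict

# Copied from the report. SYSCALL records are left out because audit2allow
# only looks at AVC records.
SAMPLE_AVCS = """\
type=AVC msg=audit(1392641488.368:109329): avc: denied { execute } for pid=5226 comm="exim" name="unix_chkpwd" dev="vda1" ino=19191 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1392641488.368:109329): avc: denied { read open } for pid=5226 comm="exim" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=19191 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1392641488.368:109329): avc: denied { execute_no_trans } for pid=5226 comm="exim" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=19191 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1392641488.373:109330): avc: denied { read } for pid=5226 comm="unix_chkpwd" name="shadow" dev="vda1" ino=12577 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1392641488.373:109330): avc: denied { open } for pid=5226 comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=12577 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1392641488.375:109331): avc: denied { getattr } for pid=5226 comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=12577 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1392641488.413:109332): avc: denied { create } for pid=5227 comm="unix_chkpwd" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:exim_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1392641488.415:109333): avc: denied { nlmsg_relay } for pid=5227 comm="unix_chkpwd" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:exim_t:s0 tclass=netlink_audit_socket
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"
PERMS_RE = re.compile(r'denied\s+\{ ([^}]+) \}')

# Entry-point file types whose binaries must run in their own domain
# (example's own table; only the type seen in the report is listed).
ENTRYPOINTS = {'chkpwd_exec_t': 'chkpwd_t'}
# Types no ordinary service domain should be allowed to read directly.
SENSITIVE_TYPES = {'shadow_t'}


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    if 'type=AVC' not in line:
        return None
    perms = PERMS_RE.search(line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not perms or not {'scontext', 'tcontext', 'tclass'}.issubset(fields):
        return None
    return {
        'perms': frozenset(perms.group(1).split()),
        'comm': fields.get('comm', '?'),
        'stype': fields['scontext'].split(':')[2],   # source domain
        'ttype': fields['tcontext'].split(':')[2],   # target type
        'tclass': fields['tclass'],
    }


def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]


def merge(records):
    """Collapse denials per (source, target, class) as audit2allow does;
    a target type equal to the source domain becomes 'self'."""
    merged = defaultdict(set)
    for r in records:
        target = 'self' if r['ttype'] == r['stype'] else r['ttype']
        merged[(r['stype'], target, r['tclass'])] |= r['perms']
    return merged


def audit2allow_rules(records):
    """The allow rules audit2allow -M would print for these denials."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merge(records).items())


def assess(records):
    """(severity, message) for each merged rule that must not be accepted as-is."""
    findings = []
    for (s, t, c), p in sorted(merge(records).items()):
        if c == 'file' and 'execute_no_trans' in p and t in ENTRYPOINTS:
            findings.append(('high',
                f"{s} executes {t} without a domain transition, so the helper "
                f"stays in {s}; add a domtrans rule to {ENTRYPOINTS[t]} instead "
                f"of allowing execute_no_trans"))
        elif t in SENSITIVE_TYPES:
            findings.append(('high',
                f"allow {s} {t}:{c} {sorted(p)} hands the whole {s} domain "
                f"/etc/shadow access; this is fallout from the missing "
                f"transition, not a permission {s} should own"))
        elif c == 'netlink_audit_socket' and t == 'self':
            findings.append(('info',
                f"{s} sends PAM audit messages; logging_send_audit_msgs() grants "
                f"these perms together with the audit_write capability, which "
                f"this rule set lacks"))
    return findings


if __name__ == '__main__':
    recs = parse_log(SAMPLE_AVCS)
    print("audit2allow would emit:")
    for rule in audit2allow_rules(recs):
        print("  " + rule)
    print("review:")
    for sev, msg in assess(recs):
        print(f"  [{sev}] {msg}")
```

Run it as `python3 avc_review.py` (file name is arbitrary) or feed it a real log with `parse_log(open('/var/log/audit/audit.log').read())`. One caveat that the report itself illustrates: with the hand-built module loaded there were no AVC records left, yet PAM still reported "Permission denied". A denial that leaves no AVC is the classic sign of a dontaudit rule; `semodule -DB` rebuilds the policy with dontaudit rules disabled so the hidden denial shows up in audit.log, and `semodule -B` restores them afterwards.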
How does the PAM config look?
Here are the contents of /etc/pam.d/exim:

#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_tally2.so deny=4 even_deny_root unlock_time=1200
auth       include      password-auth
account    include      password-auth
session    include      password-auth
and the authenticators section from /etc/exim/exim.conf:

begin authenticators

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = "${if pam{$2:$3}{1}{0}}"
  server_set_id = $2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if pam{$1:$2}{1}{0}}"
  server_set_id = $1
commit 66ac4647481fb8326929200863e310a2096468c3 fixes this in git.
So far this does not seem to be in the current selinux-policy-3.12.1-74.19.fc19. How can I check it out from git? Thanks for any hints!
Hi Martin,

This bug fix will be included in the next release. Back-ported to the F19 branch:

commit db6193e710ccdfd2a5d34107c0c33b39ebe8ac22
Author: Dan Walsh <dwalsh>
Date:   Tue Feb 18 10:10:37 2014 -0500

    Allow exim to use pam stack to check passwords
Hi Lukas, sounds great, thank you very much!
I updated my server to Fedora 20: same problem, which results in the following two alerts. Here are the logs:

--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/exim from execute access on the file .

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that exim should be allowed execute access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:exim_t:s0
Target Context                system_u:object_r:chkpwd_exec_t:s0
Target Objects                 [ file ]
Source                        exim
Source Path                   /usr/sbin/exim
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           exim-4.80.1-6.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     kaiman
Platform                      Linux kaiman 3.13.10-200.fc20.x86_64 #1 SMP Mon Apr 14 20:34:16 UTC 2014 x86_64 x86_64
Alert Count                   16
First Seen                    2014-04-30 11:01:35 CEST
Last Seen                     2014-04-30 11:04:42 CEST
Local ID                      12505edb-8bde-43ea-ab1a-ba8edc23a522

Raw Audit Messages
type=AVC msg=audit(1398848682.25:481): avc: denied { execute } for pid=1108 comm="exim" name="unix_chkpwd" dev="vda1" ino=1705432 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1398848682.25:481): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f6c530713ad a1=7fff512e3470 a2=7f6c532783c0 a3=0 items=0 ppid=1100 pid=1108 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)

Hash: exim,exim_t,chkpwd_exec_t,file,execute

--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/exim from create access on the netlink_audit_socket .

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that exim should be allowed create access on the netlink_audit_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:exim_t:s0
Target Context                system_u:system_r:exim_t:s0
Target Objects                 [ netlink_audit_socket ]
Source                        exim
Source Path                   /usr/sbin/exim
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           exim-4.80.1-6.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     kaiman
Platform                      Linux kaiman 3.13.10-200.fc20.x86_64 #1 SMP Mon Apr 14 20:34:16 UTC 2014 x86_64 x86_64
Alert Count                   11
First Seen                    2014-04-30 11:01:38 CEST
Last Seen                     2014-04-30 11:04:43 CEST
Local ID                      5a7d3bcf-cf86-4d9b-95f5-bce87ac3d913

Raw Audit Messages
type=AVC msg=audit(1398848683.781:483): avc: denied { create } for pid=1100 comm="exim" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:exim_t:s0 tclass=netlink_audit_socket

type=SYSCALL msg=audit(1398848683.781:483): arch=x86_64 syscall=socket success=no exit=EACCES a0=10 a1=3 a2=9 a3=4000 items=0 ppid=725 pid=1100 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
Lukas, can you back-port the exim policy into the F20 and RHEL7 policies?
commit 6001e69df1b45a90f442c1d0c24bf2f3ecd324fa
Author: Lukas Vrabec <lvrabec>
Date:   Sun May 4 02:44:27 2014 +0200

    Backport exim policy from rawhide to F20
selinux-policy-3.12.1-161.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-161.fc20
Package selinux-policy-3.12.1-161.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-161.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-161.fc20
then log in and leave karma (feedback).
This update fixes the bug, as also noted in my feedback (karma) in bodhi.
selinux-policy-3.12.1-163.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.