Description of problem:

Hello,

On my machine that runs Fedora 6.93 I get e-mail messages with fetchmail, then deliver them to the local (system) user. Then I connect via IMAP from Thunderbird or other e-mail clients to the local mailbox. Since I've upgraded from Fedora Core 6 to Fedora 6.93 I get an "invalid password" message in Thunderbird and these selinux denials:

type=AVC msg=audit(1179849304.567:351): avc: denied { create } for pid=4883 comm="dovecot-auth" scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=user_u:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1179849304.567:351): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfafb9a0 a2=7aefff4 a3=0 items=0 ppid=3574 pid=4883 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=user_u:system_r:dovecot_auth_t:s0 key=(null)

As a result, I can't get my messages. Disabling selinux with setenforce 0 corrects the problem.

Regards,
Răzvan

Version-Release number of selected component (if applicable):
dovecot-1.0.0-11.fc7
selinux-policy-targeted-2.6.4-6.fc7
thunderbird-2.0.0.0-1.fc7

How reproducible: Always

Steps to Reproduce:
1.
2.
3.

Actual results: User gets an "invalid password" message and is denied access.

Expected results: User must be able to authenticate in dovecot.

Additional info:
Fixed in selinux-policy-2.6.4-9
Hello,

This reappeared today (June 19, 2007), on the final F7, after the most recent upgrades. :-((

This is the report by setroubleshoot:

Summary
SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t) "execute" to unix_update (updpwd_exec_t).

Detailed Description
SELinux denied access requested by /usr/libexec/dovecot/dovecot-auth. It is not expected that this access is required by /usr/libexec/dovecot/dovecot-auth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for unix_update, restorecon -v unix_update If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context          system_u:system_r:dovecot_auth_t
Target Context          system_u:object_r:updpwd_exec_t
Target Objects          unix_update [ file ]
Affected RPM Packages   dovecot-1.0.0-11.fc7 [application]
Policy RPM              selinux-policy-2.6.4-14.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.catchall_file
Host Name               richelieu.mobexpert.ro
Platform                Linux richelieu.mobexpert.ro 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count             12
First Seen              Ma 19 iun 2007 08:25:49 +0000
Last Seen               Ma 19 iun 2007 12:07:58 +0000
Local ID                4ef95f89-457e-45b8-b231-3707dcbbc8ae
Line Numbers

Raw Audit Messages
avc: denied { execute } for comm="dovecot-auth" dev=sda3 egid=0 euid=0 exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="unix_update" pid=4740 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0 subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=file tcontext=system_u:object_r:updpwd_exec_t:s0 tty=(none) uid=0

Doing a touch /.autorelabel; reboot doesn't help. I've put selinux in permissive mode for the moment.

Are we supposed to file this type of bug any time a new update is available for the policy or for some program? :-(

Regards,
Răzvan
Fixed in selinux-policy-2.6.4-17
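
The two denials quoted in this thread, reduced to the type-enforcement rules a policy fix or local module would have to contain, as an added example that is not part of the bug report or of any Fedora tool. It is a simplified stand-in for the kind of summary audit2allow produces; the names parse_avc, candidate_rules and SAMPLE_AVCS are chosen here, and the sample lines are the report's own records trimmed to the fields the parser reads.

```python
import re
from collections import defaultdict

# The two denials from this report, trimmed to the fields read below.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1179849304.567:351): avc: denied { create } for pid=4883 '
    'comm="dovecot-auth" scontext=user_u:system_r:dovecot_auth_t:s0 '
    'tcontext=user_u:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket',
    'avc: denied { execute } for comm="dovecot-auth" dev=sda3 name="unix_update" '
    'pid=4740 scontext=system_u:system_r:dovecot_auth_t:s0 tclass=file '
    'tcontext=system_u:object_r:updpwd_exec_t:s0',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not a denial."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    try:
        # A context is user:role:type[:level]; the type is the third element.
        src = fields['scontext'].split(':')[2]
        tgt = fields['tcontext'].split(':')[2]
        return src, tgt, fields['tclass'], set(m.group(1).split())
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def candidate_rules(lines):
    """Merge denials per (source, target, class) and render TE allow rules."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in filter(None, map(parse_avc, lines)):
        # Policy language writes "self" when a domain acts on its own type.
        merged[(src, 'self' if tgt == src else tgt, cls)] |= perms
    rules = []
    for src, tgt, cls in sorted(merged):
        p = sorted(merged[(src, tgt, cls)])
        perm_txt = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_txt};')
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE_AVCS)))
```

The output is a list of rules to review, not to load blindly: each line states exactly which extra access dovecot_auth_t would gain.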