Bug 240883 - selinux denies dovecot access ("invalid password")
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All Linux
Priority: medium, Severity: urgent
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-05-22 12:13 EDT by Răzvan Sandu
Modified: 2007-11-30 17:12 EST
Fixed In Version: 2.4.6-17
Doc Type: Bug Fix
Last Closed: 2007-07-17 18:12:31 EDT
Description Răzvan Sandu 2007-05-22 12:13:35 EDT
Description of problem:

Hello,

On my machine that runs Fedora 6.93 I get e-mail messages with fetchmail, then
deliver them to the local (system) user. Then I connect via IMAP from
Thunderbird or other e-mail clients to the local mailbox.

Since I've upgraded from Fedora Core 6 to Fedora 6.93 I get an "invalid
password" message in Thunderbird and these selinux denials:


type=AVC msg=audit(1179849304.567:351): avc:  denied  { create } for  pid=4883
comm="dovecot-auth" scontext=user_u:system_r:dovecot_auth_t:s0
tcontext=user_u:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1179849304.567:351): arch=40000003 syscall=102 success=no
exit=-13 a0=1 a1=bfafb9a0 a2=7aefff4 a3=0 items=0 ppid=3574 pid=4883 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth"
subj=user_u:system_r:dovecot_auth_t:s0 key=(null)

As a result, I can't get my messages.

Disabling selinux with setenforce 0 corrects the problem.

Regards,
Răzvan


Version-Release number of selected component (if applicable):
dovecot-1.0.0-11.fc7
selinux-policy-targeted-2.6.4-6.fc7
thunderbird-2.0.0.0-1.fc7


How reproducible:
Always

Steps to Reproduce:
1.
2.
3.
  
Actual results:
User gets an "invalid password" message and is denied access.

Expected results:
User must be able to authenticate in dovecot.


Additional info:
Comment 1 Daniel Walsh 2007-05-22 14:44:52 EDT
Fixed in selinux-policy-2.6.4-9
Comment 2 Răzvan Sandu 2007-06-19 05:29:47 EDT
Hello,

This reappeared today (June 19, 2007), on the final F7, after the most recent
upgrades.  :-((   This is the report by setroubleshoot:


Summary
    SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t)
    "execute" to unix_update (updpwd_exec_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/dovecot/dovecot-auth. It is
    not expected that this access is required by /usr/libexec/dovecot/dovecot-
    auth and this access may signal an intrusion attempt. It is also possible
    that the specific version or configuration of the application is causing it
    to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for unix_update, restorecon -v
    unix_update If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:dovecot_auth_t
Target Context                system_u:object_r:updpwd_exec_t
Target Objects                unix_update [ file ]
Affected RPM Packages         dovecot-1.0.0-11.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-14.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     richelieu.mobexpert.ro
Platform                      Linux richelieu.mobexpert.ro 2.6.21-1.3228.fc7 #1
                              SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   12
First Seen                    Ma 19 iun 2007 08:25:49 +0000
Last Seen                     Ma 19 iun 2007 12:07:58 +0000
Local ID                      4ef95f89-457e-45b8-b231-3707dcbbc8ae
Line Numbers                  

Raw Audit Messages            

avc: denied { execute } for comm="dovecot-auth" dev=sda3 egid=0 euid=0
exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="unix_update" pid=4740 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0
subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:updpwd_exec_t:s0 tty=(none) uid=0


Doing a touch /.autorelabel; reboot doesn't help. I've put selinux in
permissive mode for the moment.

Are we supposed to file this type of bug any time a new update is available for
the policy or for some program?
:-(


Regards,
Răzvan
Comment 3 Daniel Walsh 2007-06-19 08:23:17 EDT
Fixed in selinux-policy-2.6.4-17
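
An added example, not part of the bug thread or of any Fedora tooling: a small Python parser that reduces the two AVC records quoted in this bug to the type-enforcement rule each denial corresponds to, which is the form a policy maintainer reviews when triaging such a report. The function names are illustrative, and the records are re-joined from the wrapped lines above.

```python
import re

# The two AVC records quoted in this bug, re-joined onto single lines.
AVC_RECORDS = [
    'type=AVC msg=audit(1179849304.567:351): avc:  denied  { create } for  pid=4883 '
    'comm="dovecot-auth" scontext=user_u:system_r:dovecot_auth_t:s0 '
    'tcontext=user_u:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket',
    'avc: denied { execute } for comm="dovecot-auth" dev=sda3 egid=0 euid=0 '
    'exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="unix_update" pid=4740 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0 '
    'subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:updpwd_exec_t:s0 tty=(none) uid=0',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    src, tgt = fields['scontext'].split(':'), fields['tcontext'].split(':')
    if len(src) < 3 or len(tgt) < 3:
        return None  # malformed context, skip rather than guess
    return {
        'perms': m.group(1).split(),
        # A context is user:role:type[:level]; the type is the third field.
        'source_type': src[2],
        'target_type': tgt[2],
        'tclass': fields['tclass'],
        'name': fields.get('name'),
    }

def te_rule(d):
    """Render the type-enforcement rule the denial corresponds to."""
    target = 'self' if d['source_type'] == d['target_type'] else d['target_type']
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['source_type']} {target}:{d['tclass']} {perms};"

def summarize(lines):
    """Deduplicated TE rules for every AVC denial found in the given lines."""
    denials = (parse_avc(line) for line in lines)
    return sorted({te_rule(d) for d in denials if d})
```

Calling `summarize(AVC_RECORDS)` yields one rule per distinct denial, so the 12 alerts counted by setroubleshoot for the `unix_update` case collapse into a single line for review.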
