Description of problem:
When trying to log into my Cyrus imapd (which uses saslauthd, which in turn checks credentials with PAM), I get an authentication error with SELinux enabled/enforcing. When running permissive, all works as expected.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-8.fc7
cyrus-sasl-2.1.22-6

How reproducible:
Easy

Steps to Reproduce:
1. With saslauthd running (configured to use PAM, as is the default) and SELinux enabled/enforcing, use testsaslauthd to check one of the local unix accounts:

nils@wombat:~> testsaslauthd -u nils -p <my password>

Alternatively, try to log into a service that uses saslauthd for authentication

Actual results:
0: NO "authentication failed"

Expected results:
No error

Additional info:
This is the AVC denial alert I got from setroubleshoot:

Source Context:        user_u:system_r:saslauthd_t
Target Context:        user_u:system_r:saslauthd_t
Target Objects:        None [ netlink_audit_socket ]
Affected RPM Packages: cyrus-sasl-2.1.22-6 [application]
Policy RPM:            selinux-policy-2.6.4-8.fc7
Selinux Enabled:       True
Policy Type:           targeted
MLS Enabled:           True
Enforcing Mode:        Enforcing
Plugin Name:           plugins.catchall
Host Name:             wombat
Platform:              Linux wombat 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:47:07 EDT 2007 x86_64 x86_64
Alert Count:           4
First Seen:            Sat 26 May 2007 03:55:38 PM CEST
Last Seen:             Sat 26 May 2007 04:05:56 PM CEST
Local ID:              7961a9bf-5215-461d-8877-12857f6f3e92
Line Numbers:

Raw Audit Messages:

avc: denied { create } for comm="saslauthd" egid=0 euid=0 exe="/usr/sbin/saslauthd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=20133 scontext=user_u:system_r:saslauthd_t:s0 sgid=0 subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=netlink_audit_socket tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0
Got these 2 additional denials as well, but this was already when running permissive:

#1:

Summary
SELinux is preventing /usr/sbin/saslauthd (saslauthd_t) "audit_write" to <Unknown> (saslauthd_t).

Detailed Description
SELinux denied access requested by /usr/sbin/saslauthd. It is not expected that this access is required by /usr/sbin/saslauthd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context         user_u:system_r:saslauthd_t
Target Context         user_u:system_r:saslauthd_t
Target Objects         None [ capability ]
Affected RPM Packages  cyrus-sasl-2.1.22-6 [application]
Policy RPM             selinux-policy-2.6.4-8.fc7
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Permissive
Plugin Name            plugins.catchall
Host Name              wombat
Platform               Linux wombat 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:47:07 EDT 2007 x86_64 x86_64
Alert Count            1
First Seen             Sat 26 May 2007 11:08:36 PM CEST
Last Seen              Sat 26 May 2007 11:08:36 PM CEST
Local ID               6932edc5-fe2b-4342-b5ea-5d895566d060
Line Numbers

Raw Audit Messages

avc: denied { audit_write } for comm="saslauthd" egid=0 euid=0 exe="/usr/sbin/saslauthd" exit=120 fsgid=0 fsuid=0 gid=0 items=0 pid=16318 scontext=user_u:system_r:saslauthd_t:s0 sgid=0 subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=capability tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0

and #2:

Summary
SELinux is preventing /usr/sbin/saslauthd (saslauthd_t) "read" to <Unknown> (saslauthd_t).

Detailed Description
SELinux denied access requested by /usr/sbin/saslauthd. It is not expected that this access is required by /usr/sbin/saslauthd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context         user_u:system_r:saslauthd_t
Target Context         user_u:system_r:saslauthd_t
Target Objects         None [ netlink_audit_socket ]
Affected RPM Packages  cyrus-sasl-2.1.22-6 [application]
Policy RPM             selinux-policy-2.6.4-8.fc7
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Permissive
Plugin Name            plugins.catchall
Host Name              wombat
Platform               Linux wombat 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:47:07 EDT 2007 x86_64 x86_64
Alert Count            1
First Seen             Sat 26 May 2007 11:08:36 PM CEST
Last Seen              Sat 26 May 2007 11:08:36 PM CEST
Local ID               a85ce800-c9b7-40d6-9f10-9b405ad61fc1
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="saslauthd" egid=0 euid=0 exe="/usr/sbin/saslauthd" exit=36 fsgid=0 fsuid=0 gid=0 items=0 pid=16318 scontext=user_u:system_r:saslauthd_t:s0 sgid=0 subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=netlink_audit_socket tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0
And another one:

Summary
SELinux is preventing /usr/sbin/saslauthd (saslauthd_t) "nlmsg_relay" to <Unknown> (saslauthd_t).

Detailed Description
SELinux denied access requested by /usr/sbin/saslauthd. It is not expected that this access is required by /usr/sbin/saslauthd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context         user_u:system_r:saslauthd_t
Target Context         user_u:system_r:saslauthd_t
Target Objects         None [ netlink_audit_socket ]
Affected RPM Packages  cyrus-sasl-2.1.22-6 [application]
Policy RPM             selinux-policy-2.6.4-8.fc7
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Permissive
Plugin Name            plugins.catchall
Host Name              wombat
Platform               Linux wombat 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:47:07 EDT 2007 x86_64 x86_64
Alert Count            7
First Seen             Sun 27 May 2007 06:12:09 PM CEST
Last Seen              Sun 27 May 2007 08:12:09 PM CEST
Local ID               6c127942-8b52-4e2d-b3cc-ae6cf0baecbb
Line Numbers

Raw Audit Messages

avc: denied { nlmsg_relay } for comm="saslauthd" egid=0 euid=0 exe="/usr/sbin/saslauthd" exit=120 fsgid=0 fsuid=0 gid=0 items=0 pid=16321 scontext=user_u:system_r:saslauthd_t:s0 sgid=0 subj=user_u:system_r:saslauthd_t:s0 suid=0 tclass=netlink_audit_socket tcontext=user_u:system_r:saslauthd_t:s0 tty=(none) uid=0
*** This bug has been marked as a duplicate of 241432 ***
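
Added example (not part of the original report, and not the policy change made for this bug): a small parser that collapses the four raw AVC records above into the minimal set of allow rules they imply, so the scope of what saslauthd_t is asking for can be reviewed in one place. The function names are hypothetical and the records are trimmed copies of the ones quoted in the report.

```python
import re
from collections import defaultdict

# The four raw AVC records from the report, trimmed to the fields used here
# (uid/gid/pid fields dropped; contexts and classes are unchanged).
AVC_LINES = [
    'avc: denied { create } for comm="saslauthd" exe="/usr/sbin/saslauthd" '
    'scontext=user_u:system_r:saslauthd_t:s0 tclass=netlink_audit_socket tcontext=user_u:system_r:saslauthd_t:s0',
    'avc: denied { audit_write } for comm="saslauthd" exe="/usr/sbin/saslauthd" '
    'scontext=user_u:system_r:saslauthd_t:s0 tclass=capability tcontext=user_u:system_r:saslauthd_t:s0',
    'avc: denied { read } for comm="saslauthd" exe="/usr/sbin/saslauthd" '
    'scontext=user_u:system_r:saslauthd_t:s0 tclass=netlink_audit_socket tcontext=user_u:system_r:saslauthd_t:s0',
    'avc: denied { nlmsg_relay } for comm="saslauthd" exe="/usr/sbin/saslauthd" '
    'scontext=user_u:system_r:saslauthd_t:s0 tclass=netlink_audit_socket tcontext=user_u:system_r:saslauthd_t:s0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial into source type, target type, class and perms."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial (e.g. a SYSCALL or PATH record)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    src, tgt = selinux_type(fields['scontext']), selinux_type(fields['tcontext'])
    if src is None or tgt is None:
        return None
    return {'source': src, 'target': tgt, 'tclass': fields['tclass'],
            'perms': m.group(1).split()}

def allow_rules(lines):
    """Group denials by (source, target, class) and emit one rule per group."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        # A domain acting on its own sockets/capabilities is written as "self".
        target = 'self' if rec['source'] == rec['target'] else rec['target']
        grouped[(rec['source'], target, rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        rules.append(f"allow {src} {tgt}:{cls} {p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'};")
    return rules
```

Only the create denial was reported under enforcing mode; the other three permissions appear in alerts recorded in permissive mode, so a rule set built from enforcing-mode logs alone would miss them.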