Bug 244859 - SELinux prevents dovecot from logging in a user.
Summary: SELinux prevents dovecot from logging in a user.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-06-19 14:50 UTC by Tom Martin
Modified: 2007-11-30 22:12 UTC

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-06-26 10:07:09 UTC
Type: ---
Embargoed:


Description Tom Martin 2007-06-19 14:50:59 UTC
Description of problem:

SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t) "read"
to /sbin/unix_update (updpwd_exec_t).

Version-Release number of selected component (if applicable):

selinux-policy-2.6.4-14.fc7
libselinux-2.0.13-1.fc7
selinux-policy-targeted-2.6.4-14.fc7
libselinux-devel-2.0.13-1.fc7
libselinux-python-2.0.13-1.fc7

dovecot-1.0.0-11.fc7




How reproducible:

Setting SELinux to enforcing causes dovecot to not allow logins.  Setting
SELinux to permissive allows logins.

This started after upgrading on June 18.  The previous version of SELinux policy
was selinux-policy.noarch 2.6.4-13.fc7.




Additional info:

I've used audit2allow to create policies that should correct this, but without
success.  With the modules in place, I still get messages such as this:

type=USER_AUTH msg=audit(1182262859.537:329): user pid=8856 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=tlmartin : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1182262859.537:330): user pid=8856 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=tlmartin : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=failed)'

Comment 1 Daniel Walsh 2007-06-19 14:59:34 UTC
Fixed in selinux-policy-2.6.4-17

Comment 2 Stephen Sentoff 2007-06-22 02:18:14 UTC
I'm on 
dovecot-1.0.0-11.fc7
selinux-policy-2.6.4-14.fc7
selinux-policy-targeted-2.6.4-14.fc7

and I've got a very similar problem:
SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t)
"execute" to unix_update (updpwd_exec_t)

Will 2.6.4-17 fix this as well?  Thanks.


Comment 3 Daniel Walsh 2007-06-22 13:44:56 UTC
21 will and it was just released.

Comment 4 Daniel Rowe 2007-06-25 12:47:05 UTC
Hi

I am getting the same:

type=USER_AUTH msg=audit(1182775569.327:10269): user pid=6361 uid=0 auid=500
subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=bart :
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1,
addr=::ffff:127.0.0.1, terminal=dovecot res=failed)'

selinux-policy-2.6.4-14.fc7
selinux-policy-targeted-2.6.4-14.fc7


Comment 5 Stephen Sentoff 2007-06-26 00:45:51 UTC
I've loaded selinux-policy-targeted-2.6.4-21.fc7 from testing and can confirm
this fixes the problem. Thanks.
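
The audit records quoted in this report show the PAM authentication phase succeeding and the accounting phase failing for the same dovecot-auth process. The Python sketch below is an added example, not part of the original report or of any Fedora tooling: it parses such records and reports, per process and account, the first PAM phase that failed in a given SELinux domain. The function names and the `domain` parameter are hypothetical; the sample input is the report's own three records, rejoined onto single lines.

```python
import re

# The three PAM audit records quoted in this report, each rejoined onto one line.
SAMPLE = [
    "type=USER_AUTH msg=audit(1182262859.537:329): user pid=8856 uid=0 auid=500 "
    "subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=tlmartin : "
    'exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, '
    "addr=::ffff:127.0.0.1, terminal=dovecot res=success)'",
    "type=USER_ACCT msg=audit(1182262859.537:330): user pid=8856 uid=0 auid=500 "
    "subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=tlmartin : "
    'exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, '
    "addr=::ffff:127.0.0.1, terminal=dovecot res=failed)'",
    "type=USER_AUTH msg=audit(1182775569.327:10269): user pid=6361 uid=0 auid=500 "
    "subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=bart : "
    'exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, '
    "addr=::ffff:127.0.0.1, terminal=dovecot res=failed)'",
]

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")

def parse_pam_record(line):
    """Parse one audit record; return None for anything that is not a PAM event."""
    head = HEADER.match(line.strip())
    phase = re.search(r"msg='PAM: (\w+)", line)
    if not head or not phase:
        return None
    def field(name):  # value of name=..., with or without double quotes
        m = re.search(rf"""\b{name}="?([^\s"')]+)""", head[4])
        return m.group(1) if m else None
    return {"type": head[1], "ts": float(head[2]), "serial": int(head[3]),
            "phase": phase[1], "pid": field("pid"), "acct": field("acct"),
            "subj": field("subj"), "exe": field("exe"), "res": field("res")}

def first_failed_phase(lines, domain="dovecot_auth_t"):
    """Map (pid, acct) to the first PAM phase that failed for processes in `domain`."""
    failed = {}
    records = sorted(filter(None, map(parse_pam_record, lines)), key=lambda r: (r["ts"], r["serial"]))
    for rec in records:
        ctx = (rec["subj"] or "").split(":")  # SELinux context: user:role:type:level
        if len(ctx) < 3 or ctx[2] != domain or rec["res"] != "failed":
            continue
        failed.setdefault((rec["pid"], rec["acct"]), rec["phase"])
    return failed

if __name__ == "__main__":
    for (pid, acct), phase in first_failed_phase(SAMPLE).items():
        print(f"pid={pid} acct={acct}: first failing PAM phase = {phase}")
```

Records must be on one line each, as auditd writes them; text copied from a wrapped report has to be rejoined first.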

