Bug 244859 - SELinux prevents dovecot from logging in a user.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All Linux
Priority: low Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-06-19 10:50 EDT by Tom Martin
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-06-26 06:07:09 EDT
Description Tom Martin 2007-06-19 10:50:59 EDT
Description of problem:

SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t) "read"
to /sbin/unix_update (updpwd_exec_t).

Version-Release number of selected component (if applicable):

selinux-policy-2.6.4-14.fc7
libselinux-2.0.13-1.fc7
selinux-policy-targeted-2.6.4-14.fc7
libselinux-devel-2.0.13-1.fc7
libselinux-python-2.0.13-1.fc7

dovecot-1.0.0-11.fc7




How reproducible:

Setting SELinux to enforcing causes dovecot to not allow logins.  Setting
SELinux to permissive allows logins.

This started after upgrading on June 18.  The previous version of SELinux policy
was selinux-policy.noarch 2.6.4-13.fc7.




Additional info:

I've used audit2allow to create policies that should correct this, but without
success.  With the modules in place, I still get messages such as this:

type=USER_AUTH msg=audit(1182262859.537:329): user pid=8856 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=tlmartin : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1182262859.537:330): user pid=8856 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=tlmartin : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=failed)'
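
A triage sketch for the pattern in the description above, added here as an example and not part of the original bug thread: it pairs USER_AUTH and USER_ACCT audit records by account and PID and lists logins where PAM authentication succeeded but PAM accounting failed, together with the SELinux type of the process. The function names are hypothetical; the sample input is the two records from the description.

```python
import re
from collections import defaultdict

# The two audit records from the description above, each rejoined onto one line.
SAMPLE = """\
type=USER_AUTH msg=audit(1182262859.537:329): user pid=8856 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=tlmartin : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1182262859.537:330): user pid=8856 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=tlmartin : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=failed)'
"""

# Fields needed for correlation, in the order they appear in these records.
RECORD = re.compile(
    r"type=(?P<type>USER_AUTH|USER_ACCT) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):"
    r".*?\bpid=(?P<pid>\d+).*?\bsubj=(?P<subj>\S+)"
    r'.*?\bacct="?(?P<acct>[^"\s]+).*?\bres=(?P<res>\w+)'
)

def parse(text):
    """Yield one dict per USER_AUTH/USER_ACCT record; other lines are skipped."""
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            yield m.groupdict()

def auth_ok_acct_failed(text):
    """Return (acct, pid, selinux_type) for logins that passed PAM
    authentication but failed PAM accounting. Later records for the same
    key overwrite earlier ones, so the result reflects the latest state."""
    phases = defaultdict(dict)
    for r in parse(text):
        parts = r["subj"].split(":")  # user:role:type:level
        selinux_type = parts[2] if len(parts) > 2 else r["subj"]
        phases[(r["acct"], r["pid"], selinux_type)][r["type"]] = r["res"]
    return [key for key, p in phases.items()
            if p.get("USER_AUTH") == "success" and p.get("USER_ACCT") == "failed"]

if __name__ == "__main__":
    for acct, pid, stype in auth_ok_acct_failed(SAMPLE):
        print(f"{acct}: auth ok, accounting failed (pid {pid}, domain {stype})")
```
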
Comment 1 Daniel Walsh 2007-06-19 10:59:34 EDT
Fixed in selinux-policy-2.6.4-17
Comment 2 Stephen Sentoff 2007-06-21 22:18:14 EDT
I'm on 
dovecot-1.0.0-11.fc7
selinux-policy-2.6.4-14.fc7
selinux-policy-targeted-2.6.4-14.fc7

and I've got a very similar problem:
SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t)
"execute" to unix_update (updpwd_exec_t)

Will 2.6.4-17 fix this as well?  Thanks.
Comment 3 Daniel Walsh 2007-06-22 09:44:56 EDT
21 will and it was just released.
Comment 4 Daniel Rowe 2007-06-25 08:47:05 EDT
Hi

I am getting the same:

type=USER_AUTH msg=audit(1182775569.327:10269): user pid=6361 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=bart : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=failed)'

selinux-policy-2.6.4-14.fc7
selinux-policy-targeted-2.6.4-14.fc7
Comment 5 Stephen Sentoff 2007-06-25 20:45:51 EDT
I've loaded selinux-policy-targeted-2.6.4-21.fc7 from testing and can confirm
this fixes the problem. Thanks.
