Bug 251841 - selinux forbids dovecot perform gssapi authentications
Summary: selinux forbids dovecot perform gssapi authentications
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy   
(Show other bugs)
Version: 5.0
Hardware: i386
OS: Linux
Target Milestone: ---
: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2007-08-12 09:57 UTC by Tomasz Kepczynski
Modified: 2008-05-21 16:05 UTC (History)
1 user (show)

Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-05-21 16:05:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0465 normal SHIPPED_LIVE selinux-policy bug fix update 2008-05-20 14:36:31 UTC

Description Tomasz Kepczynski 2007-08-12 09:57:28 UTC
Description of problem:
As in title really. Thunderbird/pine/fetchamil ask for password
and are unable to authenticate using gssapi.
ausearch -c dovecot-auth reports:

time->Sun Aug 12 11:47:08 2007
type=AVC_PATH msg=audit(1186912028.518:451):  path="/var/tmp/imap_0"
type=SYSCALL msg=audit(1186912028.518:451): arch=40000003 syscall=195 success=no
exit=-13 a0=8e74310 a1=bfe0b4a8 a2=4d6cfff4 a3=8e74310 items=0 ppid=12893
pid=12897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth"
subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1186912028.518:451): avc:  denied  { getattr } for  pid=12897
comm="dovecot-auth" name="imap_0" dev=dm-5 ino=859457
scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. setup kerberos and gssapi authentication in dovecot
2. authenticate to kerberos
3. try to access imap account using gssapi:
   (ie: fetchmail --auth gssapi -cv -u tomek --ssl triss)
Actual results:
gssapi authentication fails

Expected results:
gssapi authentication succeeds

Additional info:
NOTE: this was found on CENTOS 5 server.
Disabling selinux with setenforce 0 helps
Disabling selinux protection and restarting dovecot
also helps.
This is probably very similar to bug #229916.

Comment 1 Daniel Walsh 2007-08-13 11:16:54 UTC
You can add this rule by using audit2allow,  First put the machine in permissive
mode.  Run fetchmail.   Now execute

grep dovecot /var/log/audit/audit.log | audit2allow -M mydovecot
semodule -i mydovecot.pp

I will add this capability in a future RHEL5 update release.

Fixed in selinux-polciy-2.4.6-83

Comment 2 RHEL Product and Program Management 2007-10-16 03:49:23 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 3 Jay Turner 2007-11-30 07:31:10 UTC
QE ack for RHEL5.2.  Reproducer in comment 0.

Comment 6 errata-xmlrpc 2008-05-21 16:05:27 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.