Description of problem:
Dovecot is running in the machine with SELinux enabled. The machine is set up as a NIS client. Users are authenticated against a remote NIS server. Users are able to log in via ssh, which indicates that NIS is working. Users' home directories are mounted via NFS from a remote server (maybe this is not relevant).

Under these circumstances Dovecot rejects a valid user name and password:

# telnet myhost pop-3
Trying 192.168.1.1...
Connected to myhost.
Escape character is '^]'.
+OK Dovecot ready.
user lz
+OK
pass xxxxx
-ERR Authentication failed.

Strangely, the audit log does not report any AVC denials. All it has is the following:

type=USER_AUTH msg=audit(1191602825.914:385610): user pid=2751 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=lz : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=192.168.1.1, addr=192.168.1.1, terminal=dovecot res=failed)'

Secure log has the following:

unix_chkpwd[2752]: check pass; user unknown
unix_chkpwd[2752]: password check failed for user (lz)
dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.168.1.1 user=lz

Note a strange thing: unix_chkpwd is a PAM helper utility that verifies the password in the local shadow file. It is not supposed to be called, as user information should come from NIS.

When SELinux is disabled, the same user can log in successfully. A user that is entered in the local /etc/passwd and /etc/shadow files is able to log in even when SELinux is enabled. So this seems to be something between SELinux and NIS.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-46.fc7
dovecot-1.0.3-14.fc7
ypbind-1.19-9.fc7
yp-tools-2.9-0.1

How reproducible:
Always

Steps to Reproduce:
1. Set up a computer as a NIS client
2. Start Dovecot
3. Enable SELinux
4. Try logging in to Dovecot via POP-3

Actual results:
Login is denied

Expected results:
Login is allowed

Additional info:
Is the allow_ypbind boolean turned on?

getsebool -a | grep allow_ypbind
setsebool -P allow_ypbind 1
allow_ypbind is on:

# getsebool allow_ypbind
allow_ypbind --> on
When you say you run it with SELinux disabled, are you talking about permissive mode, or totally disabled? Have you tried it in permissive mode? Does it work? Does it generate AVCs?

Could you try to enable audit messages and see if that gives us a clue:

semodule -b /usr/share/selinux/targeted/enableaudit.pp

Run your test and see if this generates AVCs.

semodule -b /usr/share/selinux/targeted/base.pp

will put the dontaudit rules back.
Sorry for not being clear. By "SELinux disabled" I really meant permissive mode. It didn't work and generated no AVC messages. When I followed your suggestion to enable audit messages, I got messages in the audit log that I am attaching. Hope they will shed some light.
Created attachment 218461
Messages in audit log

Messages in audit log when logging in to dovecot
Ok, can you try to add those rules to policy and see if the app works in enforcing mode.

# grep dovecot_auth /var/log/audit/audit.log | grep -v shadow | audit2allow -M mydovecot
# semodule -i mydovecot.pp
It worked! Here's the content of mydovecot.te:

module mydovecot 1.0;

require {
	type system_chkpwd_t;
	type selinux_config_t;
	type security_t;
	type dovecot_auth_t;
	type dhcpd_port_t;
	type hi_reserved_port_t;
	class process { siginh noatsecure rlimitinh };
	class capability net_bind_service;
	class file read;
	class filesystem getattr;
	class udp_socket name_bind;
	class dir search;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t dhcpd_port_t:udp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:udp_socket name_bind;
allow dovecot_auth_t security_t:dir search;
allow dovecot_auth_t security_t:file read;
allow dovecot_auth_t security_t:filesystem getattr;
allow dovecot_auth_t self:capability net_bind_service;
allow dovecot_auth_t selinux_config_t:dir search;
allow dovecot_auth_t selinux_config_t:file read;
allow dovecot_auth_t system_chkpwd_t:process { siginh rlimitinh noatsecure };

Thank you! I wonder though if all these rules are relevant.
I think the ones you need are

allow dovecot_auth_t self:capability net_bind_service;
allow dovecot_auth_t dhcpd_port_t:udp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:udp_socket name_bind;

I believe in order to check the password, the NIS calls require you to be bound to a port < 1024. And currently we are forcing all NIS to be bound > 1024.
You are right, these rules are sufficient. Thank you. Will these rules be added to Fedora?
Yes selinux-policy-2.6.4-48.fc7 will have this fix. selinux-policy-3.0.8-19.fc8 will also have it.
It has transpired that a new rule is needed:

allow dovecot_auth_t ipp_port_t:udp_socket name_bind;

Is there a way to allow all reserved ports in one shot?
Yes, I believe you need all ports between 600-1024.

corenet_udp_bind_all_rpc_ports()
corenet_tcp_bind_all_rpc_ports()

I have added this interface:

interface(`nis_authenticate',`
	tunable_policy(`allow_ypbind',`
		nis_use_ypbind_uncond($1)
		# Needs to bind to a port < 1024
		allow $1 self:capability net_bind_service;
		corenet_tcp_bind_all_rpc_ports($1)
		corenet_udp_bind_all_rpc_ports($1)
	')
')

Please upgrade to selinux-policy-2.6.4-48.fc7 and try this out.
Upgraded to selinux-policy-2.6.4-48.fc7. First it worked well, but after the system rebooted, I suddenly see a lot of denials. audit2allow output:

#============= dovecot_auth_t ==============
allow dovecot_auth_t dhcpd_port_t:tcp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:tcp_socket name_bind;
allow dovecot_auth_t hi_reserved_port_t:udp_socket { name_bind send_msg recv_msg };
allow dovecot_auth_t ipp_port_t:tcp_socket name_bind;
allow dovecot_auth_t ldap_port_t:tcp_socket name_bind;
allow dovecot_auth_t pop_port_t:tcp_socket name_bind;
allow dovecot_auth_t portmap_port_t:tcp_socket name_connect;
allow dovecot_auth_t self:capability net_bind_service;
allow dovecot_auth_t var_yp_t:dir search;
allow dovecot_auth_t var_yp_t:file read;

In fact, there's a lot more, not related to dovecot_auth:

#============= dovecot_t ==============
allow dovecot_t hi_reserved_port_t:tcp_socket name_bind;
allow dovecot_t hi_reserved_port_t:udp_socket name_bind;
allow dovecot_t var_yp_t:dir search;
allow dovecot_t var_yp_t:file read;

#============= rpcd_t ==============
allow rpcd_t var_yp_t:dir search;
allow rpcd_t var_yp_t:file read;

#============= smbd_t ==============
allow smbd_t binfmt_misc_fs_t:dir getattr;
allow smbd_t hi_reserved_port_t:tcp_socket name_bind;
allow smbd_t hi_reserved_port_t:udp_socket name_bind;
allow smbd_t nfs_t:fifo_file getattr;
allow smbd_t nfs_t:lnk_file read;
allow smbd_t portmap_port_t:tcp_socket name_connect;
allow smbd_t rsync_port_t:tcp_socket name_bind;
allow smbd_t var_yp_t:dir search;
allow smbd_t var_yp_t:file read;

#============= system_dbusd_t ==============
allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
allow system_dbusd_t inaddr_any_node_t:tcp_socket node_bind;
allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
allow system_dbusd_t var_yp_t:dir search;
These look like allow_ypbind is not on.

setsebool -P allow_ypbind=1
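Two diagnostic steps in this thread lend themselves to a worked example: turning raw AVC denials into allow rules (the audit2allow step suggested earlier), and reading denials on var_yp_t from several unrelated domains as "allow_ypbind is off" rather than as a Dovecot policy bug (the diagnosis just above). The script below is an added example and is not part of the bug report or of the selinux-policy package. It is a small audit2allow-style pass in POSIX sh and awk; AVC_SAMPLE is constructed for this example in the shape of the Fedora 7 audit format and is not the bug's attachment, and the two-domain threshold in check_ypbind_symptom is an assumed heuristic, not anything the policy defines.

```shell
#!/bin/sh
# Added example (not from the bug report): an audit2allow-style pass over raw
# AVC lines, plus a check for the symptom seen when allow_ypbind is off.
# AVC_SAMPLE is constructed for this example; it is not the bug's attachment.
AVC_SAMPLE='type=AVC msg=audit(1191602825.910:385605): avc:  denied  { name_bind } for  pid=2751 comm="dovecot-auth" src=623 scontext=root:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1191602825.911:385606): avc:  denied  { send_msg } for  pid=2751 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1191602825.912:385607): avc:  denied  { net_bind_service } for  pid=2751 comm="dovecot-auth" capability=10 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1191602825.913:385608): avc:  denied  { search } for  pid=2751 comm="dovecot-auth" name="yp" dev=sda2 ino=12345 scontext=root:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1191602825.914:385609): avc:  denied  { search } for  pid=2801 comm="smbd" name="yp" dev=sda2 ino=12345 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1191602825.915:385610): avc:  denied  { search } for  pid=2213 comm="dbus-daemon" name="yp" dev=sda2 ino=12345 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir'

# avc_to_rules TEXT: one "allow src tgt:class perms;" line per
# (source type, target type, class), permissions merged as audit2allow does.
# A target type equal to the source type is printed as "self".
avc_to_rules() {
  printf '%s\n' "$1" | awk '
    /avc: +denied/ {
      if (!match($0, /\{[^}]*\}/)) next
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      if (tgt == src) tgt = "self"
      key = src " " tgt ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) {
        if (index(" " have[key] " ", " " p[j] " ") == 0)
          have[key] = (have[key] == "") ? p[j] : (have[key] " " p[j])
      }
    }
    END {
      for (key in have) {
        if (index(have[key], " ") > 0) { print "allow " key " { " have[key] " };" }
        else                           { print "allow " key " " have[key] ";" }
      }
    }' | LC_ALL=C sort
}

# nis_denied_domains TEXT: distinct source types denied access to var_yp_t,
# the NIS binding directory that allow_ypbind (via nis_use_ypbind) opens up.
nis_denied_domains() {
  printf '%s\n' "$1" | awk '
    /avc: +denied/ && /tcontext=[^ ]*:var_yp_t:/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^scontext=/) { split($i, a, ":"); seen[a[3]] = 1 }
    }
    END { for (d in seen) print d }' | LC_ALL=C sort
}

# check_ypbind_symptom TEXT: var_yp_t denials from several unrelated domains
# at once point at the boolean, not at any one program's policy.
# The threshold of two domains is an assumption made for this example.
check_ypbind_symptom() {
  count=$(nis_denied_domains "$1" | wc -l | tr -d ' ')
  if [ "$count" -ge 2 ]; then
    echo "allow_ypbind is probably off: $count domains denied var_yp_t; run: setsebool -P allow_ypbind 1"
    return 0
  fi
  return 1
}

echo "# rules audit2allow would emit for the sample:"
avc_to_rules "$AVC_SAMPLE"
check_ypbind_symptom "$AVC_SAMPLE" || echo "# no cross-domain var_yp_t denials"
```

Run against a real log with `avc_to_rules "$(grep dovecot_auth /var/log/audit/audit.log | grep -v shadow)"`, which mirrors the pipeline used earlier in the thread; the check function is the part worth keeping, because a local module built from the first dovecot_auth_t denial alone would have masked the boolean being off, as happened after the reboot.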
Apologies for the confusion. Indeed, allow_ypbind was off. Strange, I thought the ypbind initscript turns it on. After turning it on, everything works well. Thank you.
I think this issue can be closed