Bug 373341 - SELinux prevents saslauthd from authenticating NIS users
SELinux prevents saslauthd from authenticating NIS users
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-11-09 13:15 EST by Leonid Zeitlin
Modified: 2007-12-10 15:55 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-12-10 15:55:04 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Leonid Zeitlin 2007-11-09 13:15:45 EST
Description of problem:
Sendmail is configured to allow SMTP AUTH. SMTP authentication is handled by 
saslauthd. The system is configured to use NIS for authentication. When SMTP 
authentication is attempted and valid credentials are supplied, authentication 
fails. AVC denials for saslauthd are logged (only if all audit messages are 
enabled with enableaudit.pp). 

The following SELinux policy rules were found to resolve the situation:

allow saslauthd_t reserved_port_type:udp_socket name_bind;
allow saslauthd_t self:capability net_bind_service;

The issue is similar to issue #320461.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Enable SMTP AUTH in sendmail.cf
2. Start saslauthd
3. Configure email client to authenticate to SMTP server
4. Attempt to send email. 
Actual results:
Valid user credentials are rejected

Expected results:
Valid user credentials are accepted

Additional info:
Comment 1 Daniel Walsh 2007-11-10 07:55:35 EST
Fixed in selinux-policy-2.6.4-56.fc8
Comment 2 Leonid Zeitlin 2007-12-10 09:57:29 EST
Sorry for delay in testing. I am now running selinux-policy-2.6.4-59.fc7. The 
issue is fixed.

Note You need to log in before you can comment on or make changes to this bug.