Bug 474233 - selinux prevents dovecot-auth appending to faillog
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: i686
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Walsh
QA Contact: BaseOS QE
Reported: 2008-12-02 16:41 EST by Philip Goisman
Modified: 2009-02-07 06:52 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-02-07 06:52:55 EST
Description Philip Goisman 2008-12-02 16:41:07 EST
Description of problem:

SELinux is preventing dovecot-auth (dovecot_auth_t) "append" to ./faillog
(faillog_t).
SELinux denied access requested by dovecot-auth. It is not expected that this
access is required by dovecot-auth and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.


Version-Release number of selected component (if applicable):
dovecot-1.0.7-2.el5
selinux-policy-2.4.6-137.1.el5_2

How reproducible:
In /etc/pam.d/system-auth-ac, I added the following lines to detect password fails:

auth        required      pam_tally.so onerr=fail deny=3 even_deny_root_account
account     required      pam_tally.so no_reset

Actual results:
/var/log/secure gives errors like the following:
dovecot-auth: pam_tally(dovecot:auth): Couldn't create /var/log/faillog

Expected results:
If a user/hacker mistypes a user password, that user's username with the
number of mistypes should be registered in /var/log/faillog.

Additional info:
Initially, I received sealerts with the following subject:

SELinux is preventing dovecot-auth (dovecot_auth_t) "search" to ./log
(var_log_t).

So, I tried adding the following rule:
grep dovecot-auth /var/log/audit/audit.log | audit2allow -M mydovecotauth
semodule -i mydovecotauth.pp

Since that only gave me the next sealert, and I'm not sure what to do in 
selinux, I decided to ask you what should be done.  It's a bug to me.
Comment 1 Deependra Singh Shekhawat 2008-12-03 01:15:27 EST
Hmm,

Seems like this policy works:-

policy_module(mydovecot, 1.0)

require {
	type dovecot_auth_t;
	type var_log_t;
	type faillog_t;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t faillog_t:file { read write getattr append };
allow dovecot_auth_t var_log_t:dir search;
Comment 2 Daniel Walsh 2008-12-03 09:12:55 EST
Fixed in selinux-policy-2.4.6-198.el5.src.rpm
Comment 3 Philip Goisman 2008-12-03 11:35:27 EST
If this is fixed in selinux-policy-2.4.6-198.el5.src.rpm shouldn't el5 
auto updates have updated selinux by now?  I currently have the following:
selinux-policy-strict-2.4.6-137.1.el5_2
selinux-policy-2.4.6-137.1.el5_2
selinux-policy-devel-2.4.6-137.1.el5_2
selinux-policy-targeted-2.4.6-137.1.el5_2
selinux-policy-mls-2.4.6-137.1.el5_2

But on the FC9 systems I just received the following update:
selinux-policy-devel-3.3.1-111.fc9.noarch
selinux-policy-3.3.1-111.fc9.noarch
selinux-policy-targeted-3.3.1-111.fc9.noarch


Regarding Deependra's reply do I just create another pp file like 
mydovecotfix.pp with the code from comment #1, and then run 
semodule -i mydovecotfix.pp?
Comment 4 Philip Goisman 2008-12-03 13:39:06 EST
Ok, I'm an idiot.

I found http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
which tells me what to do with Deependra's code.  I'll try that
and let you all know if that works.

Meanwhile, do I need to build selinux-policy from source, or will
the update of selinux-policy-2.4.6-198.el5 automatically occur?
Comment 5 Philip Goisman 2008-12-03 16:36:02 EST
Deependra's code gave some errors.  So, I modified it as follows:

module mydovecotauth 1.0;

require {
	type dovecot_auth_t;
	type var_log_t;
	type faillog_t;
	class dir { search };
	class file { read write getattr append };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t faillog_t:file { read write getattr append };
allow dovecot_auth_t var_log_t:dir search;

This compiled.  So, I loaded it.  And, faillog is updated on a failed
password entry as expected.

Thank you Deependra and http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385.
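What audit2allow did for the description and for comment 5, as an added example that is not part of the bug report: a Python reimplementation of the AVC-to-allow-rule derivation, run over a constructed audit.log excerpt (timestamps, pids, inodes and the unrelated httpd_t record are made up). Filtering on the dovecot_auth_t source domain is what the grep in the description achieves, and reading the generated module before loading it is how you confirm that every domain/type pair it grants corresponds to a denial you expected.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt modelled on the denials in this bug (search on
# /var/log, then append/read/write/getattr on faillog) plus an unrelated httpd_t
# denial that the dovecot-auth filter must drop; pids, inodes, timestamps are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1228250000.101:201): avc:  denied  { search } for  pid=2101 comm="dovecot-auth" name="log" dev=sda3 ino=5001 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1228250000.102:202): avc:  denied  { append } for  pid=2101 comm="dovecot-auth" name="faillog" dev=sda3 ino=5002 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
type=AVC msg=audit(1228250000.103:203): avc:  denied  { read write getattr } for  pid=2101 comm="dovecot-auth" name="faillog" dev=sda3 ino=5002 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
type=AVC msg=audit(1228250000.104:204): avc:  denied  { write } for  pid=2377 comm="httpd" name="log" dev=sda3 ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

# Contexts are user:role:type[:range]; \w+ stops at ':' so the type is captured
# with or without an MLS range such as :s0.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<sdomain>\w+).*?'
    r'tcontext=\w+:\w+:(?P<ttype>\w+).*?'
    r'tclass=(?P<tclass>\w+)'
)

def parse_avc_denials(log_text, domain=None):
    """Yield (source domain, target type, class, perms) per AVC denial, keeping
    only records whose source domain is `domain` when one is given (the grep step)."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and (domain is None or m.group("sdomain") == domain):
            yield (m.group("sdomain"), m.group("ttype"), m.group("tclass"),
                   set(m.group("perms").split()))

def avc_to_allow_rules(log_text, domain=None):
    """Merge denials into one allow rule per (domain, type, class), as audit2allow does."""
    merged = defaultdict(set)
    for sdomain, ttype, tclass, perms in parse_avc_denials(log_text, domain):
        merged[(sdomain, ttype, tclass)] |= perms
    return ["allow %s %s:%s { %s };" % (key + (" ".join(sorted(perms)),))
            for key, perms in sorted(merged.items())]

def build_te_module(name, version, log_text, domain):
    """Emit a checkmodule-style .te (the form comment 5 settled on) whose require
    block is derived from the denials instead of being typed by hand."""
    types, classes = set(), defaultdict(set)
    for sdomain, ttype, tclass, perms in parse_avc_denials(log_text, domain):
        types.update((sdomain, ttype))
        classes[tclass] |= perms
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ["}", ""] + avc_to_allow_rules(log_text, domain)
    return "\n".join(lines) + "\n"
```

For the constructed log, build_te_module("mydovecotauth", "1.0", SAMPLE_AUDIT_LOG, "dovecot_auth_t") yields the same two allow rules as comment 5; compiling and loading the result is still the checkmodule, semodule_package and semodule -i sequence from the FAQ the reporter linked.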
Comment 6 Daniel Walsh 2008-12-03 17:20:41 EST
Hopefully selinux-policy-2.4.6-198.el5 will be in the RHEL5.3 update.
