Description of problem:
SELinux is preventing dovecot-auth (dovecot_auth_t) "append" to ./faillog (faillog_t). SELinux denied access requested by dovecot-auth. It is not expected that this access is required by dovecot-auth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Version-Release number of selected component (if applicable):
dovecot-1.0.7-2.el5
selinux-policy-2.4.6-137.1.el5_2

How reproducible:
In /etc/pam.d/system-auth-ac, added the following lines to detect password fails:

auth     required   pam_tally.so onerr=fail deny=3 even_deny_root_account
account  required   pam_tally.so no_reset

Steps to Reproduce:
1.
2.
3.

Actual results:
/var/log/secure gives errors like the following:

dovecot-auth: pam_tally(dovecot:auth): Couldn't create /var/log/faillog

Expected results:
If a user/hacker mistypes a user password, that user's username with the number of mistypes should be registered in /var/log/faillog.

Additional info:
Initially, I received sealerts with the following subject:

SELinux is preventing dovecot-auth (dovecot_auth_t) "search" to ./log (var_log_t).

So, I tried adding the following rule:

grep dovecot-auth /var/log/audit/audit.log | audit2allow -M mydovecotauth
semodule -i mydovecotauth.pp

Since that only gave me the next sealert, and I'm not sure what to do in selinux, I decided to ask you what should be done. It's a bug to me.
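The `grep ... | audit2allow` step above turns AVC denial records into allow rules, and the report shows why it had to be run twice: each run only covers the denials logged so far (first the `search` on the `/var/log` directory, then the `append`/`read`/`write`/`getattr` on `faillog` itself). The script below is an added example, not part of the bug report or of audit2allow or the selinux-policy project. It parses a constructed sample of audit.log AVC lines (not real logs), keeps only denials whose source domain is the one under investigation, merges the permissions per (source type, target type, class), and renders a module in the raw `module ...;` language with the `class` requirements that checkmodule insists on. The module name `mydovecotauth` and the sample PIDs, inode numbers and timestamps are arbitrary.

```python
"""Minimal audit2allow-style generator for the dovecot-auth / faillog denials.

Added example; not code from the bug report, audit2allow or selinux-policy.
The audit lines below are CONSTRUCTED to match the denials discussed in the
report (search on var_log_t:dir, then read/write/append/getattr on
faillog_t:file) plus one unrelated httpd denial that must be filtered out.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log AVC records (not real logs).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1220000000.101:201): avc:  denied  { search } for  pid=2201 comm="dovecot-auth" name="log" dev=dm-0 ino=8193 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1220000000.102:202): avc:  denied  { read write } for  pid=2201 comm="dovecot-auth" name="faillog" dev=dm-0 ino=8200 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
type=AVC msg=audit(1220000000.103:203): avc:  denied  { append } for  pid=2201 comm="dovecot-auth" name="faillog" dev=dm-0 ino=8200 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
type=AVC msg=audit(1220000000.104:204): avc:  denied  { getattr } for  pid=2201 comm="dovecot-auth" path="/var/log/faillog" dev=dm-0 ino=8200 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
type=AVC msg=audit(1220000000.105:205): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" dev=dm-0 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}')
FIELD_RE = re.compile(r'(\w+)=(\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial,
    or None if the line is not a denial record. Types are the third field
    of the user:role:type[:level] context strings."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    perms = set(m.group(1).split())
    fields = dict(FIELD_RE.findall(line))
    try:
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, perms


def collect_denials(log_text, source_type):
    """Merge denied permissions per (source, target, class), keeping only
    the domain being investigated so unrelated denials (httpd, ...) do not
    leak into the module. Equivalent to the report's grep + audit2allow."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if stype != source_type:
            continue
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_module(name, version, rules):
    """Render a .te file in the raw module language understood by checkmodule.
    Unlike the policy_module() form, this language requires every class and
    permission to be declared in the require block."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def build_commands(name):
    """The three commands that turn <name>.te into a loaded policy module."""
    return [
        f"checkmodule -M -m -o {name}.mod {name}.te",
        f"semodule_package -o {name}.pp -m {name}.mod",
        f"semodule -i {name}.pp",
    ]


if __name__ == "__main__":
    rules = collect_denials(SAMPLE_AUDIT_LOG, "dovecot_auth_t")
    print(render_module("mydovecotauth", "1.0", rules))
    print("\n".join(build_commands("mydovecotauth")))
```

Two checks a practitioner would add before loading the result: read the generated allow lines and confirm each one is something the program legitimately needs (here, pam_tally writing the tally file is expected behaviour, not an intrusion, but a blanket `audit2allow` over the whole log would also grant whatever else happened to be denied), and remember that the module only covers denials that have already been logged, so a second round may be needed, as it was in the report. Separately, note that `deny=3 even_deny_root_account` in the PAM stack above lets any unauthenticated IMAP/POP client lock root out with three bad passwords.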
Hmm, seems like this policy works:

# Reference-policy style module: policy_module() is an m4 macro expanded by
# the Makefile in selinux-policy-devel (make -f /usr/share/selinux/devel/Makefile),
# so the classes need not be listed in the require block.
policy_module(mydovecot, 1.0)

require {
	type dovecot_auth_t;
	type var_log_t;
	type faillog_t;
}

#============= dovecot_auth_t ==============
# pam_tally running inside dovecot-auth must update /var/log/faillog ...
allow dovecot_auth_t faillog_t:file { read write getattr append };
# ... and traverse /var/log to reach it.
allow dovecot_auth_t var_log_t:dir search;
Fixed in selinux-policy-2.4.6-198.el5.src.rpm
If this is fixed in selinux-policy-2.4.6-198.el5.src.rpm, shouldn't el5 auto updates have updated selinux by now? I currently have the following:

selinux-policy-strict-2.4.6-137.1.el5_2
selinux-policy-2.4.6-137.1.el5_2
selinux-policy-devel-2.4.6-137.1.el5_2
selinux-policy-targeted-2.4.6-137.1.el5_2
selinux-policy-mls-2.4.6-137.1.el5_2

But on the FC9 systems I just received the following update:

selinux-policy-devel-3.3.1-111.fc9.noarch
selinux-policy-3.3.1-111.fc9.noarch
selinux-policy-targeted-3.3.1-111.fc9.noarch

Regarding Deependra's reply, do I just create another pp file like mydovecotfix.pp with the code from comment #1, and then run semodule -i mydovecotfix.pp?
Ok, I'm an idiot. I found http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 which tells me what to do with Deependra's code. I'll try that and let you all know if that works. Meanwhile, do I need to build selinux-policy from source, or will the update of selinux-policy-2.4.6-198.el5 automatically occur?
Deependra's code gave some errors. So, I modified it as follows:

# Raw module language (compiled with checkmodule -M -m, then semodule_package):
# here every class and permission used below must be declared in require.
module mydovecotauth 1.0;

require {
	type dovecot_auth_t;
	type var_log_t;
	type faillog_t;
	class dir search;
	class file { read write getattr append };
}

#============= dovecot_auth_t ==============
# pam_tally inside dovecot-auth updates /var/log/faillog ...
allow dovecot_auth_t faillog_t:file { read write getattr append };
# ... and needs to traverse /var/log to reach it.
allow dovecot_auth_t var_log_t:dir search;

This compiled. So, I loaded it. And, faillog is updated on a failed password entry as expected. Thank you Deependra and http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385.
Hopefully selinux-policy-2.4.6-198.el5 will be in the RHEL5.3 update.