Summary:

SELinux is preventing /usr/libexec/dovecot/auth "ipc_lock" access .

Detailed Description:

[auth has a permissive type (dovecot_auth_t). This access was not denied.]

SELinux denied access requested by auth. It is not expected that this access is required by auth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:dovecot_auth_t:s0
Target Context                unconfined_u:system_r:dovecot_auth_t:s0
Target Objects                None [ capability ]
Source                        auth
Source Path                   /usr/libexec/dovecot/auth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           dovecot-2.0.5-1.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 09 Oct 2010 01:04:28 AM CEST
Last Seen                     Sat 09 Oct 2010 01:04:28 AM CEST
Local ID                      18f58231-2170-45a2-af7f-a6aa934918cd
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1286579068.871:15208): avc: denied { ipc_lock } for pid=3491 comm="auth" capability=14 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability

node=(removed) type=SYSCALL msg=audit(1286579068.871:15208): arch=c000003e syscall=149 success=yes exit=0 a0=1cf5700 a1=a a2=0 a3=7 items=0 ppid=3427 pid=3491 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="auth" exe="/usr/libexec/dovecot/auth" subj=unconfined_u:system_r:dovecot_auth_t:s0 key=(null)

Hash String generated from catchall,auth,dovecot_auth_t,dovecot_auth_t,capability,ipc_lock

audit2allow suggests:

#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability ipc_lock;
Miroslav, we probably need this in F13. Fixed in selinux-policy-3.9.6-3.fc14
How are you authenticating on this system?
I am authenticating using my UNIX password. What's special on this system is that I am using pam_mount in /etc/pam.d/password-auth. pam_mount seems to call mlock() which corresponds to "syscall=149", if I am not mistaken. (BTW, it would be nice if the troubleshooter translated the syscall numbers to names.)
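The translation asked for in the comment above can be done directly on the raw records. The following is an added example, not part of the original report or of setroubleshoot: it joins the AVC and SYSCALL records by audit serial and names the syscall and capability numbers. The lookup tables are short excerpts and the function names `parse` and `describe` are this example's own.

```python
import re

# Excerpts of the x86_64 syscall table and linux/capability.h; extend as needed.
SYSCALLS_X86_64 = {149: "mlock", 150: "munlock", 151: "mlockall", 152: "munlockall"}
CAPABILITIES = {12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER"}
ARCH_X86_64 = "c000003e"  # value of the arch= field on x86_64

# The two raw records from the report above (node value already redacted there).
RAW = '''node=(removed) type=AVC msg=audit(1286579068.871:15208): avc: denied { ipc_lock } for pid=3491 comm="auth" capability=14 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability
node=(removed) type=SYSCALL msg=audit(1286579068.871:15208): arch=c000003e syscall=149 success=yes exit=0 a0=1cf5700 a1=a a2=0 a3=7 items=0 ppid=3427 pid=3491 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="auth" exe="/usr/libexec/dovecot/auth" subj=unconfined_u:system_r:dovecot_auth_t:s0 key=(null)'''

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse(raw):
    """Group records by audit serial and merge their key=value fields."""
    events = {}
    for line in raw.strip().splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events.setdefault(int(m.group(2)), {})
        body = line[m.end():]
        ev.update((k, v.strip('"')) for k, v in FIELD.findall(body))
        p = PERMS.search(body)
        if p:
            ev["result"], ev["perms"] = p.group(1), p.group(2).split()
    return events

def describe(ev):
    """Translate numeric fields to names and flag a denial that did not block."""
    out = {"perms": ev.get("perms", []), "exe": ev.get("exe")}
    if ev.get("arch") == ARCH_X86_64:
        out["syscall"] = SYSCALLS_X86_64.get(int(ev["syscall"]), ev["syscall"])
    if "capability" in ev:
        out["capability"] = CAPABILITIES.get(int(ev["capability"]), ev["capability"])
    if out.get("syscall") == "mlock":
        out["mlock_len"] = int(ev["a1"], 16)  # a0..a3 are hex; a1 is mlock's length
    # AVC says "denied" but the syscall succeeded: consistent with a permissive type.
    out["not_enforced"] = ev.get("result") == "denied" and ev.get("success") == "yes"
    return out

if __name__ == "__main__":
    for serial, ev in parse(RAW).items():
        print(serial, describe(ev))
```
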
It will in Fedora 15. Why would pam_mount be used in password-auth? Seems strange.
I put it there. Maybe it is not the optimal place for it, but I wasn't really sure where it would be the best. The idea is to have my home directory (which is on a LUKS encrypted LV) mounted whether I log in via gdm or sshd. "password-auth" is included from pam configs of both of them. Is there a better way?
Well, you could put it in the sshd and gdm pam files.
Or you can skip around the pam_mount call with pam_succeed_if and a jump such as:

auth [success=1 default=ignore] pam_succeed_if.so service notin sshd:gdm
selinux-policy-3.9.7-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-1.fc14
selinux-policy-3.9.7-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-1.fc14
selinux-policy-3.9.7-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.