Bug 788222 - dovecot-auth is prevented from creating Kerberos cache files
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
5.7
All Linux
medium Severity medium
Assigned To: Miroslav Grepl
Michal Trunecka
Reported: 2012-02-07 14:19 EST by Ben Webb
Modified: 2014-09-30 19:33 EDT
Doc Type: Bug Fix
Last Closed: 2012-09-26 05:01:47 EDT
Description Ben Webb 2012-02-07 14:19:55 EST
Description of problem:
Whenever I connect to our IMAPS server (RHEL 5.7 x86_64 system) from a Fedora 16 client using Kerberos auth, the server logs an avc similar to the following:

Feb  7 11:02:26 guitar kernel: type=1400 audit(1328641346.769:495): avc:  denied  { create } for  pid=16719 comm="dovecot-auth" name="krb5_RC16719aaa" scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file

(The IMAP connection succeeds however because this server is currently running SELinux in permissive mode, for unrelated reasons.)


Version-Release number of selected component (if applicable):
dovecot-1.0.7-7.el5_7.1
selinux-policy-targeted-2.4.6-316.el5


How reproducible:
Always.

Steps to Reproduce:
1. Install dovecot on the server, and an IMAP client.
2. Add both machines to the same Kerberos realm.
3. Check mail via IMAP.
  
Actual results:
The avc shown above is logged on the server.

Expected results:
No avc.

Additional info:
As a workaround, I used audit2allow to make the following custom policy module:

module local 1.0;

require {
	type dovecot_auth_t;
	type krb5_host_rcache_t;
	class file create;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t krb5_host_rcache_t:file create;

and then loaded it with
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp

But for some reason the avcs continue. Is there some reason why this wouldn't work? I have other custom policy on this machine which works just fine (so I'm pretty sure I'm building and loading the module successfully ;)
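An added example, not part of this report and not audit2allow's own code: it parses the AVC line quoted above, renders the allow rule that denial calls for, and checks which permissions the reporter's local.te would still leave uncovered. The second AVC line with `{ read write }` is constructed here to show a denial the module does not grant.

```python
import re

# Constructed inputs: the AVC line quoted in the report and the reporter's local.te,
# plus a second, made-up denial to show a permission the module would not cover.
AVC_REPORTED = ('Feb  7 11:02:26 guitar kernel: type=1400 audit(1328641346.769:495): '
                'avc:  denied  { create } for  pid=16719 comm="dovecot-auth" '
                'name="krb5_RC16719aaa" scontext=user_u:system_r:dovecot_auth_t:s0 '
                'tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file')
AVC_CONSTRUCTED = ('kernel: type=1400 audit(1.0:1): avc:  denied  { read write } for  '
                   'pid=1 comm="dovecot-auth" scontext=user_u:system_r:dovecot_auth_t:s0 '
                   'tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file')
LOCAL_TE = """module local 1.0;
require { type dovecot_auth_t; type krb5_host_rcache_t; class file create; }
allow dovecot_auth_t krb5_host_rcache_t:file create;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?scontext=(?P<sctx>\S+)'
                    r'\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')
ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;', re.M)

def parse_avc(line):
    """Extract source type, target type, object class and denied permissions."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:level]; the type is always the third field.
    return {'source': m['sctx'].split(':')[2], 'target': m['tctx'].split(':')[2],
            'tclass': m['tclass'], 'perms': set(m['perms'].split())}

def allow_rule(avc):
    """Render the minimal allow rule for one denial, in the form audit2allow emits."""
    perms = sorted(avc['perms'])
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {body};"

def parse_allows(te_text):
    """Collect the allow rules of a .te module as {(source, target, class): perms}."""
    rules = {}
    for src, tgt, cls, multi, single in ALLOW_RE.findall(te_text):
        perms = set(multi.split()) if multi else {single}
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules

def uncovered(avc, rules):
    """Permissions from the denial that the module's allow rules do not grant."""
    granted = rules.get((avc['source'], avc['target'], avc['tclass']), set())
    return avc['perms'] - granted
```

Running `uncovered()` over each new denial against the loaded module's rules tells you whether a continuing AVC is the same denial or a different permission the module never granted.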
Comment 1 Miroslav Grepl 2012-02-08 04:53:32 EST
Could you attach raw AVC message?
Comment 2 Ben Webb 2012-02-08 11:47:57 EST
I don't understand - isn't the excerpt I attached in the original report from /var/log/messages the raw AVC? (I don't run auditd on this machine.) If not, what do you need?
Comment 3 Miroslav Grepl 2012-02-08 12:21:43 EST
Ah, I apologize, I missed it.
Comment 4 RHEL Product and Program Management 2012-04-02 07:22:28 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 7 RHEL Product and Program Management 2012-07-16 11:08:44 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 9 Michal Trunecka 2012-09-03 10:10:18 EDT
Hi Ben,
we have just reproduced the steps you described and it worked without AVCs. Could you retest your scenario with the latest policy available at the following URL?

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 10 Ben Webb 2012-09-03 12:23:49 EDT
(In reply to comment #9)
> Could you retest your scenario with the latest policy

Sorry, I updated this machine to RHEL 6 long ago, which doesn't seem to have this problem.
