Bug 842818 - SELinux problem saslauthd cannot work with MECH=shadow
SELinux problem saslauthd cannot work with MECH=shadow
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.3
All Linux
medium Severity high
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-24 12:13 EDT by David Spurek
Modified: 2015-03-02 00:27 EST (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-159.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 03:25:56 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Spurek 2012-07-24 12:13:36 EDT
Description of problem:

type=SYSCALL msg=audit(1343144349.886:25757): arch=c000003e syscall=2 success=no exit=-13 a0=7f09300996bb a1=80000 a2=1b6 a3=0 items=0 ppid=1 pid=12930 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="saslauthd" exe="/usr/sbin/saslauthd" subj=unconfined_u:system_r:saslauthd_t:s0 key=(null)
type=AVC msg=audit(1343144349.886:25757): avc:  denied  { dac_read_search } for  pid=12930 comm="saslauthd" capability=2  scontext=unconfined_u:system_r:saslauthd_t:s0 tcontext=unconfined_u:system_r:saslauthd_t:s0 tclass=capability
type=AVC msg=audit(1343144349.886:25757): avc:  denied  { dac_override } for  pid=12930 comm="saslauthd" capability=1  scontext=unconfined_u:system_r:saslauthd_t:s0 tcontext=unconfined_u:system_r:saslauthd_t:s0 tclass=capability

boolean allow_saslauthd_read_shadow set on:

getsebool -a | grep sasl
allow_saslauthd_read_shadow --> on

sesearch --all -C | grep allow_sasl
ERROR: Cannot get avrules: Neverallow rules requested but not available
DT allow saslauthd_t shadow_t : file { ioctl read getattr lock open } ; [ allow_saslauthd_read_shadow ]
DT allow saslauthd_t etc_t : dir { ioctl read getattr lock search open } ; [ allow_saslauthd_read_shadow ]


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-154.el6

How reproducible:
always

Steps to Reproduce:
1. run test /CoreOS/cyrus-sasl/Sanity/sanity-saslauthd-and-Cyrus-SASL-Plugins

Actual results:
testsaslauthd -u testuser -p redhat in first Test Phase FAIL
    0: NO "authentication failed"

Expected results:
testsaslauthd -u testuser -p redhat in first Test Phase PASS
    0: OK "Success."

Additional info:
Comment 1 Milos Malik 2012-07-24 12:35:09 EDT
Following AVCs were seen in permissive mode:
----
time->Tue Jul 24 18:32:01 2012
type=SYSCALL msg=audit(1343147521.798:21101): arch=40000003 syscall=156 success=yes exit=0 a0=46e7 a1=0 a2=bff305f4 a3=b7762740 items=0 ppid=1 pid=18151 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24 comm="saslauthd" exe="/usr/sbin/saslauthd" subj=unconfined_u:system_r:saslauthd_t:s0 key=(null)
type=AVC msg=audit(1343147521.798:21101): avc:  denied  { setsched } for  pid=18151 comm="saslauthd" scontext=unconfined_u:system_r:saslauthd_t:s0 tcontext=unconfined_u:system_r:saslauthd_t:s0 tclass=process
type=AVC msg=audit(1343147521.798:21101): avc:  denied  { sys_nice } for  pid=18151 comm="saslauthd" capability=23  scontext=unconfined_u:system_r:saslauthd_t:s0 tcontext=unconfined_u:system_r:saslauthd_t:s0 tclass=capability
----
time->Tue Jul 24 18:32:01 2012
type=SYSCALL msg=audit(1343147521.794:21100): arch=40000003 syscall=5 success=yes exit=8 a0=1e2f19 a1=80000 a2=1b6 a3=1e2eb5 items=0 ppid=1 pid=18151 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24 comm="saslauthd" exe="/usr/sbin/saslauthd" subj=unconfined_u:system_r:saslauthd_t:s0 key=(null)
type=AVC msg=audit(1343147521.794:21100): avc:  denied  { dac_override } for  pid=18151 comm="saslauthd" capability=1  scontext=unconfined_u:system_r:saslauthd_t:s0 tcontext=unconfined_u:system_r:saslauthd_t:s0 tclass=capability
----
Comment 2 Daniel Walsh 2012-07-24 13:16:48 EDT
Can you turn on full auditing so that we can see what path dac_override is complaining about?
Comment 3 Milos Malik 2012-07-25 03:07:03 EDT
----
time->Wed Jul 25 09:00:25 2012
type=SYSCALL msg=audit(1343199625.891:21839): arch=40000003 syscall=156 success=yes exit=0 a0=c2f a1=0 a2=bf980cd4 a3=b75df740 items=0 ppid=1 pid=3119 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="saslauthd" exe="/usr/sbin/saslauthd" subj=unconfined_u:system_r:saslauthd_t:s0 key=(null)
type=AVC msg=audit(1343199625.891:21839): avc:  denied  { setsched } for  pid=3119 comm="saslauthd" scontext=unconfined_u:system_r:saslauthd_t:s0 tcontext=unconfined_u:system_r:saslauthd_t:s0 tclass=process
type=AVC msg=audit(1343199625.891:21839): avc:  denied  { sys_nice } for  pid=3119 comm="saslauthd" capability=23  scontext=unconfined_u:system_r:saslauthd_t:s0 tcontext=unconfined_u:system_r:saslauthd_t:s0 tclass=capability
----
time->Wed Jul 25 09:00:25 2012
type=PATH msg=audit(1343199625.882:21838): item=0 name="/etc/shadow" inode=187619 dev=08:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=CWD msg=audit(1343199625.882:21838):  cwd="/var/run/saslauthd"
type=SYSCALL msg=audit(1343199625.882:21838): arch=40000003 syscall=5 success=yes exit=8 a0=4fcf19 a1=80000 a2=1b6 a3=4fceb5 items=1 ppid=1 pid=3119 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="saslauthd" exe="/usr/sbin/saslauthd" subj=unconfined_u:system_r:saslauthd_t:s0 key=(null)
type=AVC msg=audit(1343199625.882:21838): avc:  denied  { dac_override } for  pid=3119 comm="saslauthd" capability=1  scontext=unconfined_u:system_r:saslauthd_t:s0 tcontext=unconfined_u:system_r:saslauthd_t:s0 tclass=capability
----
Comment 5 Miroslav Grepl 2012-08-07 19:45:49 EDT
Fixed in selinux-policy-3.7.19-159.el6
Comment 8 errata-xmlrpc 2013-02-21 03:25:56 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

Note You need to log in before you can comment on or make changes to this bug.