Description of problem: I'm trying to run ejabberd with PAM authentication, but SELinux shoots that down. I have the following in my /etc/ejabberd/ejabberd.conf: ---- >8 ---- {auth_method, pam}. {pam_service, "login"}. ---- 8< ---- SELinux is preventing /usr/lib64/ejabberd/priv/bin/epam from 'execute' accesses on the file /usr/sbin/unix_chkpwd. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that epam should be allowed execute access on the unix_chkpwd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep epam /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:rabbitmq_beam_t:s0 Target Context system_u:object_r:chkpwd_exec_t:s0 Target Objects /usr/sbin/unix_chkpwd [ file ] Source epam Source Path /usr/lib64/ejabberd/priv/bin/epam Port <Unknown> Host (removed) Source RPM Packages ejabberd-2.1.13-1.fc19.x86_64 Target RPM Packages pam-1.1.6-12.fc19.x86_64 Policy RPM selinux-policy-3.12.1-66.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.9.5-301.fc19.x86_64 #1 SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64 Alert Count 22 First Seen 2013-08-02 17:55:42 MSK Last Seen 2013-08-05 11:59:25 MSK Local ID 2ca6cf7d-7c9c-4336-b951-f3fe41732f36 Raw Audit Messages type=AVC msg=audit(1375689565.280:1588): avc: denied { execute } for pid=9920 comm="epam" name="unix_chkpwd" dev="dm-3" ino=1598665 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file type=SYSCALL msg=audit(1375689565.280:1588): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fdd33925b38 a1=7fff724213b0 a2=7fdd33b2c3a0 a3=0 items=0 ppid=28188 pid=9920 auid=4294967295 uid=991 gid=989 euid=0 suid=0 fsuid=0 egid=989 sgid=989 fsgid=989 ses=4294967295 tty=(none) comm=epam exe=/usr/lib64/ejabberd/priv/bin/epam subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null) Hash: epam,rabbitmq_beam_t,chkpwd_exec_t,file,execute Additional info: reporter: libreport-2.1.6 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
*** Bug 992938 has been marked as a duplicate of this bug. ***
*** Bug 992948 has been marked as a duplicate of this bug. ***
*** Bug 992946 has been marked as a duplicate of this bug. ***
*** Bug 992950 has been marked as a duplicate of this bug. ***
*** Bug 992952 has been marked as a duplicate of this bug. ***
*** Bug 992949 has been marked as a duplicate of this bug. ***
commit 4e2afb1784a0f572ccb0223dc825eb7b56d8a094 Author: Miroslav Grepl <mgrepl> Date: Mon Aug 5 16:43:34 2013 +0200 Add fixes for rabbit to fix ##992920,#992931
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19
Package selinux-policy-3.12.1-71.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.