Hi, New to this list, not totally new to selinux.
Running F7 with everything current (06/04/2007), policy is selinux-policy-targeted-2.6.4-8.fc7.
cat /var/log/audit/audit.log:
type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for pid=13520 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket

cat /var/log/audit/audit.log | audit2allow -M local:

cat local.te:
module local 1.0;

require {
	type dovecot_auth_t;
	class capability audit_write;
	class netlink_audit_socket { write nlmsg_relay create read };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay create read };

semodule -i local.pp:
libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:capability { audit_write };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
Should I add something magical (what, I'm not sure) to the .te to allow this anyway? Or is there something missing from the distribution targeted policy? Or edit the base policy and recompile the whole thing? Or...
Anyone else having this problem?
John
John Lindgren wrote:
Yep, I am. Got tired of tinkering last night and just put it in permissive mode for the time being.
I'm getting a slightly different .te file, but ultimately the same 2 assertion violations.
Matt
Hi Matthew,
Do you have this as well?
fixfiles check;
matchpathcon_filespec_add: conflicting specifications for /var/lib/dovecot/ssl-parameters.dat and /var/run/dovecot/login/ssl-parameters.dat, using system_u:object_r:dovecot_var_run_t:s0.
Don't know if there is a connection yet... not an expert.
John
Matthew Gillen wrote:
On 2007-06-04 (Mon) at 21:25 -0400, Matthew Gillen wrote:
Same here ...
I yum installed every selinux related package. I made localaudit.pp by typing
# audit2allow -i /var/log/audit/audit.log -m localaudit > localaudit.te
at /usr/share/selinux/devel, then
# semodule -i localaudit.pp
Violations reported by libsepol.check_assertions:
local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
local_login_t local_login_t:capability { audit_write };
local_login_t local_login_t:capability { audit_control };
So, I commented out those lines in localaudit.te, including the require brace. This time I succeeded in installing localaudit.pp.
I restarted my machine after setting Enforcing/strict. During the startup process, I could see Keymap had failed. I can't log in from the console. I typed as if it were a US keyboard, not jp106, and still I can't.
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Mon, 2007-06-04 at 18:18 -0700, John Lindgren wrote:
The policy contains certain assertions (neverallow rules) to prevent accidental adding of allow rules that are highly security sensitive or that indicate a mistake in labeling.
To override such assertions, you have to add an appropriate type attribute to the type to enable it to pass the neverallow rule. This is usually done by using the right refpolicy interface. In this case, that appears to be: logging_send_audit_msg(dovecot_auth_t)
So replace those two allow rules with the above interface call.
Karl, any reason audit2allow didn't find that interface automatically?
Hello Stephen,

# rpm -qa | grep policy
selinux-policy-devel-2.6.4-8.fc7
checkpolicy-2.0.2-1.fc7
selinux-policy-targeted-2.6.4-8.fc7
selinux-policy-2.6.4-8.fc7
policycoreutils-2.0.16-2.fc7

# cat local.te
module local 1.0;

require {
	type dovecot_auth_t;
	class capability audit_write;
	class netlink_audit_socket { write nlmsg_relay create read };
}

#============= dovecot_auth_t ==============
logging_send_audit_msg(dovecot_auth_t);

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:11:ERROR 'permission ioctl is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission getattr is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission setattr is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission append is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission bind is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission connect is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission getopt is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission setopt is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission shutdown is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission nlmsg_read is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
But besides that, is the problem dovecot_auth failing or is it pam failing? With dovecot in debug mode, and selinux enabled so that pop logins through pam will fail, here are some logs of a failed login:
# cat /var/log/maillog | grep dovecot
Jun 5 12:48:07 post dovecot: auth(default): client in: CONT 1 AGpvaG5ueQBxd2VdW3A=
Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): lookup service=dovecot
Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): pam_authenticate() failed: System error
Jun 5 12:48:09 post dovecot: auth(default): client out: FAIL 1 user=johnny

# cat /var/log/secure
Jun 5 12:48:07 post dovecot-auth: PAM audit_open() failed: Permission denied

# cat /var/log/audit/audit.log
type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003 syscall=102 success=yes exit=14 a0=1 a1=bfd2b540 a2=220ff4 a3=0 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=USER_AUTH msg=audit(1181073390.217:27912): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
type=SYSCALL msg=audit(1181073390.217:27911): arch=40000003 syscall=102 success=yes exit=164 a0=b a1=bfd207c0 a2=220ff4 a3=bfd27200 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27913): arch=40000003 syscall=102 success=yes exit=36 a0=c a1=bfd20770 a2=220ff4 a3=e items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=USER_ACCT msg=audit(1181073390.217:27914): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
Here's a successful one with selinux in permissive:
# cat /var/log/audit/audit.log
type=USER_AUTH msg=audit(1181074280.291:28027): user pid=11306 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1181074280.291:28028): user pid=11306 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot res=success)'
What next?
John
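Ties Stephen's point about neverallow assertions to John's log triage, as an added example that is mine and not code from the thread, audit2allow or refpolicy: it groups the AVC records John posted the way audit2allow does, lists the permissions the assertion guards, and renders a local.te with logging_send_audit_msg() in place of the two raw rules. The ASSERTION_HINTS table is an assumption covering only the one assertion this thread hits, and the policy_module() header is the editor's suggestion rather than anything posted in the thread.

```python
"""Triage of the AVC denials in this thread: group them into allow rules the way
audit2allow does, flag the (class, permission) pairs guarded by a neverallow
assertion, and emit a local.te that uses the refpolicy interface instead."""
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from John's posts (wrap damage
# repaired) plus one SYSCALL record, trimmed, to show non-AVC lines are skipped.
AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 '
    'comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 '
    'tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability',
    'type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for pid=9030 '
    'comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 '
    'tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket',
    'type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003 syscall=102 success=yes '
    'exit=14 pid=9030 comm="dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)',
    'type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for pid=9030 '
    'comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 '
    'tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay } for pid=9030 '
    'comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 '
    'tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for pid=9030 '
    'comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 '
    'tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket',
])

AVC_RE = re.compile(
    r"type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")

# Editor assumption: only the neverallow pattern this thread hits, paired with the
# interface Stephen named, which grants the perms by attaching the right attribute.
ASSERTION_HINTS = [({("capability", "audit_write"),
                     ("netlink_audit_socket", "nlmsg_relay")}, "logging_send_audit_msg")]


def type_of(context):  # user:role:type:level -> type
    return context.split(":")[2]


def parse_avc(log_text):
    """Group denials as audit2allow does: {(source, target, class): {perms}}.
    'self' stands in for the target when both types are equal."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, USER_AUTH and friends carry no denial
        src, tgt = type_of(m["scontext"]), type_of(m["tcontext"])
        tgt = "self" if src == tgt else tgt
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return rules


def allow_rules(rules):
    """Render raw allow rules, i.e. the output audit2allow gave John."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {src} {tgt}:{cls} {{ {p} }};" if len(perms) > 1
                   else f"allow {src} {tgt}:{cls} {p};")
    return out


def _guarded(cls, perm):
    return any((cls, perm) in pairs for pairs, _ in ASSERTION_HINTS)


def assertion_violations(rules):
    """Fragments libsepol.check_assertions rejects at 'semodule -i' (it prints the
    target type where this prints 'self')."""
    return [f"{src} {tgt}:{cls} {{ {p} }}"
            for (src, tgt, cls), perms in sorted(rules.items())
            for p in sorted(perms) if _guarded(cls, p)]


def interface_suggestions(rules):
    """{source type: [interface calls]} for rule sets that would trip an assertion."""
    pairs_by_src = defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        if tgt == "self":
            pairs_by_src[src].update((cls, p) for p in perms)
    out = {}
    for src, pairs in pairs_by_src.items():
        calls = [f"{iface}({src})" for guarded, iface in ASSERTION_HINTS if guarded & pairs]
        if calls:
            out[src] = calls
    return out


def module_source(name, rules, version="1.0"):
    """The module as Stephen advised: a rule that trips an assertion is replaced
    whole by the interface call (its expansion in John's compile errors shows it
    grants the other socket perms too). policy_module() instead of a bare 'module'
    line is the editor's suggestion: it imports every kernel class and permission
    from the devel headers, so no class require block is needed and checkmodule's
    'permission ... is not defined' errors do not occur."""
    types = {src for src, _, _ in rules} | {t for _, t, _ in rules if t != "self"}
    body = [f"policy_module({name}, {version})", "", "require {"]
    body += [f"\ttype {t};" for t in sorted(types)] + ["}", ""]
    for key, perms in sorted(rules.items()):
        if not any(_guarded(key[2], p) for p in perms):
            body += allow_rules({key: perms})
    for _, calls in sorted(interface_suggestions(rules).items()):
        body += calls
    return "\n".join(body) + "\n"
```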
Stephen Smalley wrote:
John Lindgren wrote:
Please try selinux-policy-2.6.4-13.fc7 currently in testing and moving to updates.
I defined the other permissions in local.te so that it would compile and then installed local.pp. Switching to setenforce 1, dovecot logins with pam now WORK!... as far as I can tell. ;)
Will upgrade to the new policy later tonight.
Should I then remove the local.pp I just compiled and see what messages I get?
John
Daniel J Walsh wrote:
John Lindgren wrote:
Hello Stephan,
# rpm -qa | grep policy selinux-policy-devel-2.6.4-8.fc7 checkpolicy-2.0.2-1.fc7 selinux-policy-targeted-2.6.4-8.fc7 selinux-policy-2.6.4-8.fc7 policycoreutils-2.0.16-2.fc7
# cat local.te
module local 1.0;
require { type dovecot_auth_t; class capability audit_write; class netlink_audit_socket { write nlmsg_relay create read }; }
#============= dovecot_auth_t ==============
logging_send_audit_msg(dovecot_auth_t);

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:11:ERROR 'permission ioctl is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission getattr is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission setattr is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission append is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission bind is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission connect is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission getopt is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission setopt is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission shutdown is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission nlmsg_read is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
But besides that, is the problem dovecot_auth failing or is it pam failing? With dovecot in debug mode, and selinux enabled so that pop logins through pam will fail, here are some logs of a failed login:
# cat /var/log/maillog | grep dovecot
Jun 5 12:48:07 post dovecot: auth(default): client in: CONT 1 AGpvaG5ueQBxd2VdW3A=
Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): lookup service=dovecot
Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): pam_authenticate() failed: System error
Jun 5 12:48:09 post dovecot: auth(default): client out: FAIL 1 user=johnny

# cat /var/log/secure
Jun 5 12:48:07 post dovecot-auth: PAM audit_open() failed: Permission denied

# cat /var/log/audit/audit.log
type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003 syscall=102 success=yes exit=14 a0=1 a1=bfd2b540 a2=220ff4 a3=0 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=USER_AUTH msg=audit(1181073390.217:27912): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
type=SYSCALL msg=audit(1181073390.217:27911): arch=40000003 syscall=102 success=yes exit=164 a0=b a1=bfd207c0 a2=220ff4 a3=bfd27200 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27913): arch=40000003 syscall=102 success=yes exit=36 a0=c a1=bfd20770 a2=220ff4 a3=e items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=USER_ACCT msg=audit(1181073390.217:27914): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
Here's a successful one with selinux in permissive:
# cat /var/log/audit/audit.log
type=USER_AUTH msg=audit(1181074280.291:28027): user pid=11306 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1181074280.291:28028): user pid=11306 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot res=success)'
What next?
John
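John asks above whether dovecot-auth or PAM is failing. A related check that the audit records he posted can answer is whether the kernel actually refused each denied operation: the audit subsystem emits every record of one event with the same serial (the number after the timestamp in msg=audit(...)), and the SYSCALL record of that event carries success= and exit=. Records of different events interleave in the file (the SYSCALL for serial 27911 arrives after USER_AUTH 27912 above), so they have to be joined on the serial rather than read in order. The script below is an added example, not code from the thread or from the audit tools; the sample records are copied from John's post, plus one constructed event with success=no for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: serials 27910, 27911 and 27912 copied from John's post;
# serial 27920 is made up here to show what an enforced denial looks like.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003 syscall=102 success=yes exit=14 a0=1 a1=bfd2b540 a2=220ff4 a3=0 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=USER_AUTH msg=audit(1181073390.217:27912): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
type=SYSCALL msg=audit(1181073390.217:27911): arch=40000003 syscall=102 success=yes exit=164 a0=b a1=bfd207c0 a2=220ff4 a3=bfd27200 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073391.000:27920): avc: denied { create } for pid=9031 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073391.000:27920): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfd2b540 a2=220ff4 a3=0 items=0 ppid=4348 pid=9031 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>): <rest>
SERIAL_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):(?P<rest>.*)$")
# key=value pairs; values may be quoted, parenthesised like (none), or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
DENIED_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def parse_events(log_text):
    """Group records by audit serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = SERIAL_RE.match(line)
        if not m:
            continue  # not an audit record (blank line, comment, truncated junk)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
        if m["type"] == "AVC":
            fields["perms"] = DENIED_RE.search(m["rest"]).group(1).split()
        events[m["serial"]][m["type"]].append(fields)
    return events


def classify(events):
    """For every serial with an AVC denial, report whether the call was refused.

    Returns a list of (serial, tclass, sorted perms, verdict). A denial whose
    SYSCALL record says success=yes was logged but not enforced, which is what
    permissive mode (or a permissive domain) looks like in audit.log.
    """
    report = []
    for serial in sorted(events, key=int):
        recs = events[serial]
        if "AVC" not in recs:
            continue  # USER_AUTH, USER_ACCT etc. without a denial
        perms = sorted({p for avc in recs["AVC"] for p in avc["perms"]})
        tclass = recs["AVC"][0]["tclass"]
        sc = recs["SYSCALL"][0] if recs.get("SYSCALL") else None
        if sc is None:
            verdict = "no SYSCALL record: cannot tell whether the call failed"
        elif sc["success"] == "no":
            verdict = f"enforced: syscall {sc['syscall']} failed, exit={sc['exit']}"
        else:
            verdict = (f"logged only: syscall {sc['syscall']} succeeded, exit={sc['exit']} "
                       "(permissive mode or permissive domain)")
        report.append((serial, tclass, perms, verdict))
    return report


if __name__ == "__main__":
    for serial, tclass, perms, verdict in classify(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{serial} {tclass} {{ {' '.join(perms)} }}: {verdict}")
```

Run against a real /var/log/audit/audit.log, the join is what tells you whether a "denied" line corresponds to a call that really returned an error to dovecot-auth or only to a decision the kernel logged and then allowed.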
Stephen Smalley wrote:
On Mon, 2007-06-04 at 18:18 -0700, John Lindgren wrote:
Hi, New to this list, not totally new to selinux.
Running F7 with everything current (06/04/2007), policy is selinux-policy-targeted-2.6.4-8.fc7.
cat /var/log/audit/audit.log:
type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for pid=13520 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket

cat /var/log/audit/audit.log | audit2allow -M local:

cat local.te:
module local 1.0;
require {
	type dovecot_auth_t;
	class capability audit_write;
	class netlink_audit_socket { write nlmsg_relay create read };
}
#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay create read };

semodule -i local.pp:
libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:capability { audit_write };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
Should I add something magical (what, I'm not sure) to the .te to allow this anyway? Or is there something missing from the distribution targeted policy? Or edit the base policy and recompile the whole thing? Or...
Anyone else having this problem?
The policy contains certain assertions (neverallow rules) to prevent accidental adding of allow rules that are highly security sensitive or that indicate a mistake in labeling.
To override such assertions, you have to add an appropriate type attribute to the type to enable it to pass the neverallow rule. This is usually done by using the right refpolicy interface. In this case, that appears to be: logging_send_audit_msg(dovecot_auth_t)
So replace those two allow rules with the above interface call.
Karl, any reason audit2allow didn't find that interface automatically?
Please try selinux-policy-2.6.4-13.fc7 currently in testing and moving to updates.
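Stephen's explanation above is the general rule: audit2allow turns denials into bare allow rules, the base policy carries neverallow assertions over type attributes, and the way past an assertion is the refpolicy interface that attaches the attribute to the domain, not a hand-written allow rule. The script below is an added example, not code from the thread or from Fedora's policy tooling: it collapses the AVC records posted in this thread into audit2allow-style rules, checks them against two assertions modelled on the ones that rejected local.pp, and shows that a simulated logging_send_audit_msg() call clears them. The attribute name can_send_audit_msgs and the shape of the two neverallow rules are taken from the reference policy of that era and are an assumption here; check them against your own policy source.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this thread. The SYSCALL line
# is included to show that non-AVC records are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27913): arch=40000003 syscall=102 success=yes exit=36 a0=c a1=bfd20770 a2=220ff4 a3=e items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assertions modelled on refpolicy's logging.te (assumption, see lead-in):
#   neverallow ~can_send_audit_msgs self:capability audit_write;
#   neverallow ~can_send_audit_msgs self:netlink_audit_socket nlmsg_relay;
# Each entry: (attribute that exempts a type, class, permissions, interface that grants the attribute)
NEVERALLOW = [
    ("can_send_audit_msgs", "capability", {"audit_write"}, "logging_send_audit_msg"),
    ("can_send_audit_msgs", "netlink_audit_socket", {"nlmsg_relay"}, "logging_send_audit_msg"),
]


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def avc_to_rules(log_text):
    """Collapse AVC denials into audit2allow-style rules: {(source, target, class): perms}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, USER_AUTH and other record types carry no denial
        src, tgt = type_of(m["scontext"]), type_of(m["tcontext"])
        target = "self" if tgt == src else tgt
        rules[(src, target, m["tclass"])].update(m["perms"].split())
    return dict(rules)


def format_rule(key, perms):
    src, tgt, tclass = key
    body = " ".join(sorted(perms))
    if len(perms) > 1:
        body = "{ " + body + " }"
    return f"allow {src} {tgt}:{tclass} {body};"


def check_assertions(rules, type_attrs):
    """Return (offending rule, attribute needed, interface) for each rule a neverallow rejects.

    Like libsepol's message, the offending rule lists only the permissions that
    collide with the assertion, not the whole rule.
    """
    violations = []
    for (src, tgt, tclass), perms in rules.items():
        for attr, na_class, na_perms, iface in NEVERALLOW:
            hit = perms & na_perms
            if tgt == "self" and tclass == na_class and hit and attr not in type_attrs.get(src, set()):
                violations.append((format_rule((src, tgt, tclass), hit), attr, iface))
    return violations


def call_interface(type_attrs, domain, iface):
    """Simulate the part of the interface that matters for the assertion:
    logging_send_audit_msg(domain) does `typeattribute domain can_send_audit_msgs;`."""
    for attr, _cls, _perms, name in NEVERALLOW:
        if name == iface:
            type_attrs.setdefault(domain, set()).add(attr)
    return type_attrs


if __name__ == "__main__":
    rules = avc_to_rules(SAMPLE_AUDIT_LOG)
    for key in sorted(rules):
        print(format_rule(key, rules[key]))
    attrs = {}
    for rule, attr, iface in check_assertions(rules, attrs):
        print(f"assertion violated by {rule}  -> needs attribute {attr}; use {iface}()")
    call_interface(attrs, "dovecot_auth_t", "logging_send_audit_msg")
    print("violations after interface call:", len(check_assertions(rules, attrs)))
```

The two rules it reports are the same two that libsepol printed when John installed local.pp, and the point of the simulated interface call is that nothing about the allow rules changes: the domain gains the attribute, so the assertion no longer applies to it.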
John Lindgren wrote:
I defined the other permissions in local.te so that it would compile and then installed local.pp. Switching to setenforce 1 dovecot logins with pam now WORK!... as far as I can tell. ;)
Will upgrade to the new policy later tonight.
Should I then remove the local.pp I just compiled and see what messages I get?
John
yes
Thank You for your help!
John
Daniel J Walsh wrote:
John Lindgren wrote:
I defined the other permissions in local.te so that it would compile and then installed local.pp. Switching to setenforce 1 dovecot logins with pam now WORK!... as far as I can tell. ;)
Will upgrade to the new policy later tonight.
Should I then remove the local.pp I just compiled and see what messages I get?
John
yes
Just to close this thread out:
I upgraded to:
# rpm -qa|grep selinux-policy
selinux-policy-targeted-2.6.4-13.fc7
selinux-policy-2.6.4-13.fc7
selinux-policy-devel-2.6.4-13.fc7
removed the local.pp I made earlier: # semodule -r local
forced a reload of the policy: # semodule -R
rotated the audit log: # logrotate -f /etc/logrotate.d/audit
Then I went and exercised the mail system, sendmail, mailman, MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I remember when it was simpler.
took a look at the fresh audit.log # audit2allow -a
And there were all the usual suspects:
#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t clamd_var_lib_t:file { write create unlink };
allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };
allow clamscan_t initrc_tmp_t:file { write getattr read lock create unlink };
allow clamscan_t tmpfs_t:dir { read search getattr };
allow clamscan_t tmpfs_t:file { read getattr };
allow clamscan_t var_spool_t:file { read write };

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;

#============= procmail_t ==============
allow procmail_t var_spool_t:file read;

#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;
But notice, NO DOVECOT!
made a module: # cat /var/log/audit/audit.log | audit2allow -M localMAIL
installed it: # semodule -i localMAIL.pp
put selinux back into enforce: # setenforce 1
and re-rotated the log: # logrotate -f /etc/logrotate.d/audit
Then sat back and waited for the phone to ring... {quiet}
Confirmed with: # audit2allow -a
And got nothing. Everything working great now.
New policy package fixed dovecot problem, Thanks Again.
John
John Lindgren wrote:
Thank You for your help!
John
Daniel J Walsh wrote:
John Lindgren wrote:
I defined the other permissions in local.te so that it would compile and then installed local.pp. Switching to setenforce 1 dovecot logins with pam now WORK!... as far as I can tell. ;)
Will upgrade to the new policy later tonight.
Should I then remove the local.pp I just compiled and see what messages I get?
John
yes
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
John Lindgren wrote:
Just to close this thread out:
I upgraded to:
# rpm -qa|grep selinux-policy
selinux-policy-targeted-2.6.4-13.fc7
selinux-policy-2.6.4-13.fc7
selinux-policy-devel-2.6.4-13.fc7
removed the local.pp I made earlier: # semodule -r local
forced a reload of the policy: # semodule -R
rotated the audit log: # logrotate -f /etc/logrotate.d/audit
Then I went and exercised the mail system, sendmail, mailman, MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I remember when it was simpler.
took a look at the fresh audit.log # audit2allow -a
And there were all the usual suspects:
#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t clamd_var_lib_t:file { write create unlink };
clamscan writes file in /var/lib/clamav?
allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };
This should probably be dontaudited especially the create/write parts
allow clamscan_t initrc_tmp_t:file { write getattr read lock create unlink };
allow clamscan_t tmpfs_t:dir { read search getattr };
allow clamscan_t tmpfs_t:file { read getattr };
What are these for?
allow clamscan_t var_spool_t:file { read write };
This looks like something is mislabeled? What file is labeled var_spool_t that clamscan is trying to write?
#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;
setsebool -P httpd_can_sendmail=1
should fix this
#============= procmail_t ==============
allow procmail_t var_spool_t:file read;
Same mislabeled file from above?
#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;
Why would system mail be looking at httpd process data?
But notice, NO DOVECOT!
made a module: # cat /var/log/audit/audit.log | audit2allow -M localMAIL
installed it: # semodule -i localMAIL.pp
put selinux back into enforce: # setenforce 1
and re-rotated the log: # logrotate -f /etc/logrotate.d/audit
Then sat back and waited for the phone to ring... {quiet}
Confirmed with: # audit2allow -a
And got nothing. Everything working great now.
New policy package fixed dovecot problem, Thanks Again.
John
John Lindgren wrote:
Thank You for your help!
John
Daniel J Walsh wrote:
John Lindgren wrote:
I defined the other permissions in local.te so that it would compile and then installed local.pp. Switching to setenforce 1 dovecot logins with pam now WORK!... as far as I can tell. ;)
Will upgrade to the new policy later tonight.
Should I then remove the local.pp I just compiled and see what messages I get?
John
yes
On Tue, 2007-06-05 at 15:51 -0700, John Lindgren wrote:
Just to close this thread out:
I upgraded to:
# rpm -qa|grep selinux-policy
selinux-policy-targeted-2.6.4-13.fc7
selinux-policy-2.6.4-13.fc7
selinux-policy-devel-2.6.4-13.fc7
removed the local.pp I made earlier: # semodule -r local
forced a reload of the policy: # semodule -R
rotated the audit log: # logrotate -f /etc/logrotate.d/audit
Then I went and exercised the mail system, sendmail, mailman, MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I remember when it was simpler.
took a look at the fresh audit.log # audit2allow -a
And there were all the usual suspects:
#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t clamd_var_lib_t:file { write create unlink };
allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };
allow clamscan_t initrc_tmp_t:file { write getattr read lock create unlink };
allow clamscan_t tmpfs_t:dir { read search getattr };
allow clamscan_t tmpfs_t:file { read getattr };
allow clamscan_t var_spool_t:file { read write };

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;

#============= procmail_t ==============
allow procmail_t var_spool_t:file read;

#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;
But notice, NO DOVECOT!
made a module: # cat /var/log/audit/audit.log | audit2allow -M localMAIL
installed it: # semodule -i localMAIL.pp
put selinux back into enforce: # setenforce 1
and re-rotated the log: # logrotate -f /etc/logrotate.d/audit
Then sat back and waited for the phone to ring... {quiet}
Confirmed with: # audit2allow -a
And got nothing. Everything working great now.
New policy package fixed dovecot problem, Thanks Again.
I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7)
I needed to add the following:
# Allow dovecot to check passwords
allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };
before dovecot-auth could run /sbin/unix-update and authenticate IMAP clients.
Paul.
On Jun 17, 2007, at 16:27, Paul Howarth wrote:
I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7)
I needed to add the following:
# Allow dovecot to check passwords
allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };
before dovecot-auth could run /sbin/unix-update and authenticate IMAP clients.
I've got pretty much the same problem -- dovecot failing to authenticate IMAP clients through PAM if selinux enforcing is enabled. However, even what Paul posted doesn't solve it for me.
dovecot-1.0.1-12.fc7 selinux-policy-targeted-2.6.4-14.fc7
dovecot is left to use the default settings:
passdb:
  driver: pam
userdb:
  driver: passwd

audit messages I'm getting are like:
avc: denied { execute } for pid=4978 comm="dovecot-auth" name="unix_update" dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file

other log messages on the failure:
unix_chkpwd[4911]: could not get username from shadow (username))
dovecot-auth: pam_unix(dovecot:account): unix_update returned error 9
dovecot: auth(default): pam(username,addr): lookup service=dovecot
dovecot: auth(default): pam(username,addr): pam_acct_mgmt() failed: Authentication service cannot retrieve authentication info

Through a couple iterations of audit2allow and making a new module, I came up with this (pretty much the same Paul posted):
require {
	type dovecot_auth_t;
	type updpwd_exec_t;
	class file { read execute execute_no_trans };
}
allow dovecot_auth_t updpwd_exec_t:file { read execute execute_no_trans };
Which did succeed in eliminating all audit denial messages, yet it still keeps on failing and authentication still doesn't work.
As soon as I do setenforce 0 everything starts functioning fine.
Any ideas how could I make it work without disabling selinux?
Daniel Fazekas wrote:
On Jun 17, 2007, at 16:27, Paul Howarth wrote:
I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7)
I needed to add the following:
# Allow dovecot to check passwords
allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };
before dovecot-auth could run /sbin/unix-update and authenticate IMAP clients.
I've got pretty much the same problem -- dovecot failing to authenticate IMAP clients through PAM if selinux enforcing is enabled. However, even what Paul posted doesn't solve it for me.
dovecot-1.0.1-12.fc7 selinux-policy-targeted-2.6.4-14.fc7
dovecot is left to use the default settings:
passdb:
  driver: pam
userdb:
  driver: passwd

audit messages I'm getting are like:
avc: denied { execute } for pid=4978 comm="dovecot-auth" name="unix_update" dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file

other log messages on the failure:
unix_chkpwd[4911]: could not get username from shadow (username))
dovecot-auth: pam_unix(dovecot:account): unix_update returned error 9
dovecot: auth(default): pam(username,addr): lookup service=dovecot
dovecot: auth(default): pam(username,addr): pam_acct_mgmt() failed: Authentication service cannot retrieve authentication info

Through a couple iterations of audit2allow and making a new module, I came up with this (pretty much the same Paul posted):
require {
	type dovecot_auth_t;
	type updpwd_exec_t;
	class file { read execute execute_no_trans };
}
allow dovecot_auth_t updpwd_exec_t:file { read execute execute_no_trans };
Which did succeed in eliminating all audit denial messages, yet it still keeps on failing and authentication still doesn't work.
As soon as I do setenforce 0 everything starts functioning fine.
Any ideas how could I make it work without disabling selinux?
The problem was caused by the recent PAM update:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244534
Try updating selinux-policy from updates-testing: # yum --enablerepo=updates-testing update selinux-policy*
Paul.