dovecot_auth_t wants capability audit_write and netlink_audit_socket create
Daniel J Walsh
dwalsh at redhat.com
Tue Jun 5 21:15:00 UTC 2007
John Lindgren wrote:
> Hello Stephan,
>
> # rpm -qa | grep policy
> selinux-policy-devel-2.6.4-8.fc7
> checkpolicy-2.0.2-1.fc7
> selinux-policy-targeted-2.6.4-8.fc7
> selinux-policy-2.6.4-8.fc7
> policycoreutils-2.0.16-2.fc7
>
> # cat local.te
>
> module local 1.0;
>
> require {
> type dovecot_auth_t;
> class capability audit_write;
> class netlink_audit_socket { write nlmsg_relay create read };
> }
>
> #============= dovecot_auth_t ==============
> logging_send_audit_msg(dovecot_auth_t);
>
>
> # make -f /usr/share/selinux/devel/Makefile
> Compiling targeted local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> local.te:11:ERROR 'permission ioctl is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission getattr is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission setattr is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission append is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission bind is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission connect is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission getopt is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission setopt is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission shutdown is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission nlmsg_read is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
>
>
> But besides that, is the problem dovecot_auth failing or is it pam
> failing? With dovecot in debug mode, and selinux enabled so that pop
> logins through pam will fail, here are some logs of a failed login:
>
> # cat /var/log/maillog | grep dovecot
> Jun 5 12:48:07 post dovecot: auth(default): client in: CONT 1
> AGpvaG5ueQBxd2VdW3A=
> Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4):
> lookup service=dovecot
> Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4):
> pam_authenticate() failed: System error
> Jun 5 12:48:09 post dovecot: auth(default): client out: FAIL 1
> user=johnny
>
>
> # cat /var/log/secure
> Jun 5 12:48:07 post dovecot-auth: PAM audit_open() failed: Permission
> denied
>
>
> # cat /var/log/audit/audit.log
> type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for
> pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003
> syscall=102 success=yes exit=14 a0=1 a1=bfd2b540 a2=220ff4 a3=0
> items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth"
> exe="/usr/libexec/dovecot/dovecot-auth"
> subj=root:system_r:dovecot_auth_t:s0 key=(null)
> type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for
> pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay }
> for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> type=USER_AUTH msg=audit(1181073390.217:27912): user pid=9030 uid=0 auid=0
> subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=wayne :
> exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17,
> addr=71.113.46.17, terminal=dovecot res=success)'
> type=SYSCALL msg=audit(1181073390.217:27911): arch=40000003
> syscall=102 success=yes exit=164 a0=b a1=bfd207c0 a2=220ff4
> a3=bfd27200 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth"
> exe="/usr/libexec/dovecot/dovecot-auth"
> subj=root:system_r:dovecot_auth_t:s0 key=(null)
> type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for
> pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1181073390.217:27913): arch=40000003
> syscall=102 success=yes exit=36 a0=c a1=bfd20770 a2=220ff4 a3=e
> items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth"
> exe="/usr/libexec/dovecot/dovecot-auth"
> subj=root:system_r:dovecot_auth_t:s0 key=(null)
> type=USER_ACCT msg=audit(1181073390.217:27914): user pid=9030 uid=0
> auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting
> acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth"
> (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
>
> Here's a successful one with selinux in permissive:
>
> # cat /var/log/audit/audit.log
> type=USER_AUTH msg=audit(1181074280.291:28027): user pid=11306 uid=0
> auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication
> acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth"
> (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot
> res=success)'
> type=USER_ACCT msg=audit(1181074280.291:28028): user pid=11306 uid=0
> auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting
> acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth"
> (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot
> res=success)'
>
> What next?
>
> John
>
> Stephen Smalley wrote:
>> On Mon, 2007-06-04 at 18:18 -0700, John Lindgren wrote:
>>
>>> Hi,
>>> New to this list, not totally new to selinux.
>>>
>>> Running F7 with everything current (06/04/2007), policy is
>>> selinux-policy-targeted-2.6.4-8.fc7.
>>>
>>> cat /var/log/audit/audit.log:
>>> type=AVC msg=audit(1181003986.020:18662): avc: denied {
>>> audit_write } for pid=13774 comm="dovecot-auth" capability=29
>>> scontext=root:system_r:dovecot_auth_t:s0
>>> tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
>>>
>>> type=AVC msg=audit(1181003859.499:18627): avc: denied { create }
>>> for pid=13520 comm="dovecot-auth"
>>> scontext=root:system_r:dovecot_auth_t:s0
>>> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>>>
>>>
>>> cat /var/log/audit/audit.log | audit2allow -M local:
>>>
>>>
>>> cat local.te:
>>> module local 1.0;
>>>
>>> require {
>>> type dovecot_auth_t;
>>> class capability audit_write;
>>> class netlink_audit_socket { write nlmsg_relay create read };
>>> }
>>>
>>> #============= dovecot_auth_t ==============
>>> allow dovecot_auth_t self:capability audit_write;
>>> allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
>>> create read };
>>>
>>>
>>> semodule -i local.pp:
>>> libsepol.check_assertion_helper: assertion on line 0 violated by
>>> allow dovecot_auth_t dovecot_auth_t:netlink_audit_socket {
>>> nlmsg_relay };
>>> libsepol.check_assertion_helper: assertion on line 0 violated by
>>> allow dovecot_auth_t dovecot_auth_t:capability { audit_write };
>>> libsepol.check_assertions: 2 assertion violations occured
>>> libsemanage.semanage_expand_sandbox: Expand module failed
>>> semodule: Failed!
>>>
>>> Should I add something magical (what, I'm not sure) to the .te to
>>> allow this anyway? Or is there something missing from the
>>> distribution targeted policy? Or edit the base policy and recompile
>>> the whole thing? Or...
>>>
>>> Anyone else having this problem?
>>
>>
>> The policy contains certain assertions (neverallow rules) to prevent
>> accidental adding of allow rules that are highly security sensitive or
>> that indicate a mistake in labeling.
>>
>> To override such assertions, you have to add an appropriate type
>> attribute to the type to enable it to pass the neverallow rule. This is
>> usually done by using the right refpolicy interface. In this case, that
>> appears to be:
>> logging_send_audit_msg(dovecot_auth_t)
>>
>> So replace those two allow rules with the above interface call.
>>
>> Karl, any reason audit2allow didn't find that interface automatically?
>>
Please try selinux-policy-2.6.4-13.fc7 currently in testing and moving
to updates.
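Added example (not part of the thread, and not audit2allow's or refpolicy's own code): a small Python script that does what the thread ends up doing by hand. It parses the AVC records quoted above (re-flowed one per line, plus one constructed etc_t file denial so the ordinary allow path is exercised too), routes the two (class, permission) pairs that semodule rejected with neverallow assertions through the logging_send_audit_msg interface instead of a raw allow rule, and writes a require block wide enough for the interface's expansion. The netlink_audit_socket permission list is copied from the rule checkmodule printed in the thread; the ten "permission ... is not defined" errors there are exactly the permissions absent from the posted require block, so the generated require lists all of them. The interface name, the ASSERTED pairs and the assertion_violations() check are models of what the thread shows, not libsepol's real neverallow logic.

```python
"""Mini audit2allow that routes assertion-guarded permissions through a refpolicy interface."""
import re
from collections import defaultdict

# Constructed sample audit.log: the thread's AVC records re-flowed one per line, plus one
# made-up ordinary file denial (the etc_t line) to exercise the raw-allow path.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=USER_AUTH msg=audit(1181073390.217:27912): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27999): avc: denied { read } for pid=9030 comm="dovecot-auth" name="example.conf" scontext=root:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
ALLOW_RE = re.compile(r"^allow (\S+) (\S+):(\S+) (?:\{\s*([^}]*?)\s*\}|([^\s;]+));", re.M)

# Interface named in the thread and its expansion as printed by checkmodule there
# (create_netlink_socket_perms plus nlmsg_read nlmsg_relay, and capability audit_write).
AUDIT_IFACE = "logging_send_audit_msg"
AUDIT_IFACE_PERMS = {
    "capability": {"audit_write"},
    "netlink_audit_socket": set("create ioctl read getattr write setattr append bind connect "
                                "getopt setopt shutdown nlmsg_read nlmsg_relay".split()),
}
# (class, perm) pairs the thread's semodule run rejected with neverallow assertions (a model).
ASSERTED = {("capability", "audit_write"), ("netlink_audit_socket", "nlmsg_relay")}


def type_of(context):
    """root:system_r:dovecot_auth_t:s0 -> dovecot_auth_t (third field of the context)."""
    return context.split(":")[2]


def parse_denials(log_text):
    """{(source_type, target_type_or_self, tclass): set(perms)} from AVC denied records."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, USER_AUTH etc. carry no access decision
        sctx, tctx = m["scontext"], m["tcontext"]
        tgt = "self" if sctx == tctx else type_of(tctx)
        denials[(type_of(sctx), tgt, m["tclass"])].update(m["perms"].split())
    return denials


def generate_module(denials, name="local", version="1.0"):
    """Emit a .te: the interface call wherever an asserted pair was denied on self, raw allow
    rules for everything else, and a require block covering the interface's full expansion
    (checkmodule rejects any permission the module uses but did not require)."""
    needs_iface = {src for (src, tgt, tclass), perms in denials.items()
                   if tgt == "self" and any((tclass, p) in ASSERTED for p in perms)}
    types, classes, allows = set(), defaultdict(set), []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        types.update({src} if tgt == "self" else {src, tgt})
        if src in needs_iface and tgt == "self":
            perms = perms - AUDIT_IFACE_PERMS.get(tclass, set())  # the interface grants these
        if perms:
            classes[tclass].update(perms)
            allows.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    if needs_iface:
        for cls, ps in AUDIT_IFACE_PERMS.items():
            classes[cls].update(ps)  # widen the require to the interface's expansion
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(ps))} }};" for c, ps in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"{AUDIT_IFACE}({src});" for src in sorted(needs_iface)] + allows
    return "\n".join(lines) + "\n"


def assertion_violations(module_text):
    """Mimic the libsepol neverallow check quoted in the thread: raw allow rules that grant
    an asserted (class, perm) pair are rejected; only the interface may grant them."""
    hits = []
    for src, tgt, tclass, braced, single in ALLOW_RE.findall(module_text):
        for p in (braced or single).split():
            if (tclass, p) in ASSERTED:
                hits.append(f"allow {src} {tgt}:{tclass} {{ {p} }};")
    return hits


if __name__ == "__main__":
    module = generate_module(parse_denials(SAMPLE_AUDIT_LOG))
    print(module)
    print("assertion violations:", assertion_violations(module))
```

Running the script prints the module text with the interface call in place of the two self allows and a require block that lists every permission the interface expands to; feeding it the raw audit2allow output from the first message instead reports the same two violations semodule did. The local module is only a stopgap until the updated selinux-policy package Dan points to is installed.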