John Lindgren wrote:
Hello Stephan,
# rpm -qa | grep policy
selinux-policy-devel-2.6.4-8.fc7
checkpolicy-2.0.2-1.fc7
selinux-policy-targeted-2.6.4-8.fc7
selinux-policy-2.6.4-8.fc7
policycoreutils-2.0.16-2.fc7
# cat local.te
module local 1.0;

require {
    type dovecot_auth_t;
    class capability audit_write;
    class netlink_audit_socket { write nlmsg_relay create read };
}

#============= dovecot_auth_t ==============
logging_send_audit_msg(dovecot_auth_t);
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:11:ERROR 'permission ioctl is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission getattr is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission setattr is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission append is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission bind is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission connect is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission getopt is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission setopt is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission shutdown is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission nlmsg_read is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
But besides that, is the problem dovecot_auth failing or is it pam failing? With dovecot in debug mode, and selinux enabled so that pop logins through pam will fail, here are some logs of a failed login:
# cat /var/log/maillog | grep dovecot
Jun 5 12:48:07 post dovecot: auth(default): client in: CONT 1 AGpvaG5ueQBxd2VdW3A=
Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): lookup service=dovecot
Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): pam_authenticate() failed: System error
Jun 5 12:48:09 post dovecot: auth(default): client out: FAIL 1 user=johnny
# cat /var/log/secure
Jun 5 12:48:07 post dovecot-auth: PAM audit_open() failed: Permission denied
# cat /var/log/audit/audit.log
type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003 syscall=102 success=yes exit=14 a0=1 a1=bfd2b540 a2=220ff4 a3=0 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=USER_AUTH msg=audit(1181073390.217:27912): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
type=SYSCALL msg=audit(1181073390.217:27911): arch=40000003 syscall=102 success=yes exit=164 a0=b a1=bfd207c0 a2=220ff4 a3=bfd27200 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27913): arch=40000003 syscall=102 success=yes exit=36 a0=c a1=bfd20770 a2=220ff4 a3=e items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=USER_ACCT msg=audit(1181073390.217:27914): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
Here's a successful one with selinux in permissive:
# cat /var/log/audit/audit.log
type=USER_AUTH msg=audit(1181074280.291:28027): user pid=11306 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1181074280.291:28028): user pid=11306 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot res=success)'
What next?
John
Stephen Smalley wrote:
On Mon, 2007-06-04 at 18:18 -0700, John Lindgren wrote:
Hi, New to this list, not totally new to selinux.
Running F7 with everything current (06/04/2007), policy is selinux-policy-targeted-2.6.4-8.fc7.
cat /var/log/audit/audit.log: type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for pid=13520 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
cat /var/log/audit/audit.log | audit2allow -M local:
cat local.te:
module local 1.0;

require {
    type dovecot_auth_t;
    class capability audit_write;
    class netlink_audit_socket { write nlmsg_relay create read };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay create read };
semodule -i local.pp:
libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:capability { audit_write };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
Should I add something magical (what, I'm not sure) to the .te to allow this anyway? Or is there something missing from the distribution targeted policy? Or edit the base policy and recompile the whole thing? Or...
Anyone else having this problem?
The policy contains certain assertions (neverallow rules) to prevent accidental adding of allow rules that are highly security sensitive or that indicate a mistake in labeling.
To override such assertions, you have to add an appropriate type attribute to the type to enable it to pass the neverallow rule. This is usually done by using the right refpolicy interface. In this case, that appears to be:
logging_send_audit_msg(dovecot_auth_t)
So replace those two allow rules with the above interface call.
Karl, any reason audit2allow didn't find that interface automatically?
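As an added example (not code from the thread or from audit2allow) of the triage Stephen describes: this Python script parses AVC records in the audit.log format shown above, groups denials the way audit2allow does, and, for the capability audit_write and netlink_audit_socket nlmsg_relay denials that trip the neverallow assertions, emits the logging_send_audit_msg() interface call instead of a raw allow rule. The sample log lines are constructed from the records in the thread plus one made-up etc_t file denial to exercise the plain-allow path; the (class, permission) to interface mapping holds only what the thread establishes.

```python
import re
from collections import defaultdict

# Field layout of an AVC denial record in /var/log/audit/audit.log
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)
# (class, permission) pairs whose plain allow rule trips a neverallow assertion,
# mapped to the refpolicy interface that grants them properly (per the thread).
INTERFACE_FOR = {
    ("capability", "audit_write"): "logging_send_audit_msg",
    ("netlink_audit_socket", "nlmsg_relay"): "logging_send_audit_msg",
}
# Constructed sample: the thread's denials, one non-AVC record, one made-up file denial
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability',
    'type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket',
    'type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003 syscall=102 success=yes exit=14 comm="dovecot-auth"',
    'type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1181073400.000:27999): avc: denied { read } for pid=9030 comm="dovecot-auth" name="passwd" scontext=root:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

def type_of(context):
    """Pull the type out of a user:role:type:level security context."""
    return context.split(":")[2]

def collect_denials(lines):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, USER_AUTH and other record types carry no denial
        src, tgt = type_of(m.group("scontext")), type_of(m.group("tcontext"))
        tgt = "self" if tgt == src else tgt
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return rules

def render_module(rules):
    """Emit .te body lines: an assertion-sensitive group becomes the interface call, the rest stay allow rules."""
    ifaces, allows = set(), []
    for (src, tgt, cls), perms in sorted(rules.items()):
        hits = {INTERFACE_FOR[(cls, p)] for p in perms if (cls, p) in INTERFACE_FOR}
        if hits:
            ifaces.update(f"{i}({src})" for i in hits)
        else:
            allows.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return sorted(ifaces) + allows
```

Because the interface call replaces the whole netlink_audit_socket group, the create and read denials from the thread are covered by the same logging_send_audit_msg(dovecot_auth_t) line, matching the expansion checkmodule printed above.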
Please try selinux-policy-2.6.4-13.fc7 currently in testing and moving to updates.