Daniel Fazekas wrote:
On Jun 17, 2007, at 16:27, Paul Howarth wrote:
I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7). I needed to add the following:

# Allow dovecot to check passwords
allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };

before dovecot-auth could run /sbin/unix-update and authenticate IMAP clients.
I've got pretty much the same problem -- dovecot failing to authenticate IMAP clients through PAM if selinux enforcing is enabled. However, even what Paul posted doesn't solve it for me.
dovecot-1.0.1-12.fc7 selinux-policy-targeted-2.6.4-14.fc7
dovecot is left to use the default settings:

passdb:
  driver: pam
userdb:
  driver: passwd

audit messages I'm getting are like:

avc: denied { execute } for pid=4978 comm="dovecot-auth" name="unix_update" dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file

other log messages on the failure:

unix_chkpwd[4911]: could not get username from shadow (username))
dovecot-auth: pam_unix(dovecot:account): unix_update returned error 9
dovecot: auth(default): pam(username,addr): lookup service=dovecot
dovecot: auth(default): pam(username,addr): pam_acct_mgmt() failed: Authentication service cannot retrieve authentication info
Through a couple of iterations of audit2allow and making a new module, I came up with this (pretty much the same Paul posted):

require {
	type dovecot_auth_t;
	type updpwd_exec_t;
	class file { read execute execute_no_trans };
}
allow dovecot_auth_t updpwd_exec_t:file { read execute execute_no_trans };

That did succeed in eliminating all audit denial messages, yet it still keeps on failing and authentication still doesn't work.
As soon as I do setenforce 0 everything starts functioning fine.
Any ideas how I could make it work without disabling selinux?
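As an added example (not code from Daniel's or Paul's messages), the script below does what the audit2allow step in the message above does: it parses AVC denial lines of the form quoted, groups them by source type, target type and object class, merges the denied permissions, and renders a .te module in the same require/allow shape Daniel posted. The two AVC lines are constructed for the example (modelled on the one denial quoted above; the second line with read/execute_no_trans is invented so the merge step has something to merge), and the module name "mydovecot" is an assumption. The thread itself supplies the caveat a practitioner should keep in mind: a rule generated this way made the denials disappear but did not make authentication work, because the underlying cause was the PAM update rather than a gap in policy, so generated rules are something to review against the actual failure, not to load blindly.

```python
import re

# Constructed sample denials, modelled on the AVC quoted in the thread.
# The second line (read + execute_no_trans) is made up so that merging
# several denials on the same object is exercised.
SAMPLE_AVCS = [
    'avc: denied { execute } for pid=4978 comm="dovecot-auth" name="unix_update" '
    'dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 '
    'tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file',
    'avc: denied { read execute_no_trans } for pid=4978 comm="dovecot-auth" '
    'name="unix_update" dev=dm-0 ino=96698486 '
    'scontext=user_u:system_r:dovecot_auth_t:s0 '
    'tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC denial into its denied permissions and key=value fields.
    Returns None for lines that are not AVC denials (e.g. the unix_chkpwd
    and dovecot log lines from the thread)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = sorted(m.group('perms').split())
    return fields


def context_type(ctx):
    """Pick the type out of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def merge_denials(lines):
    """Group denials by (source type, target type, class) and union their
    permissions; this is the aggregation audit2allow performs."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (context_type(d['scontext']), context_type(d['tcontext']), d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])
    return merged


def allow_rule(src, tgt, cls, perms):
    """One 'allow' statement in policy source syntax."""
    return 'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))


def render_te(module_name, merged):
    """Render module source in the require/allow shape seen in the thread.
    The 'module' header line is what checkmodule expects at the top of a
    .te file for a loadable module."""
    types = set()
    classes = {}
    for (src, tgt, cls), perms in merged.items():
        types.update((src, tgt))
        classes.setdefault(cls, set()).update(perms)
    out = ['module %s 1.0;' % module_name, '', 'require {']
    out += ['\ttype %s;' % t for t in sorted(types)]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [allow_rule(s, t, c, p) for (s, t, c), p in sorted(merged.items())]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Module name is an assumption for the example.
    print(render_te('mydovecot', merge_denials(SAMPLE_AVCS)))
```

Running it prints a module whose single allow rule is the same read/execute/execute_no_trans set Daniel arrived at. Non-AVC log lines are ignored rather than raising, so the whole /var/log/messages excerpt can be fed through unchanged.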
The problem was caused by the recent PAM update:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244534
Try updating selinux-policy from updates-testing:

# yum --enablerepo=updates-testing update selinux-policy*
Paul.