February 22nd, 2006, 05:25 PM
#1
SELinux and saslauthd
Hi
I am puzzled with a particular SELinux policy configuration,
concerning saslauthd.
OS: Fedora Core 4.0 (2.6.11-1.1369_FC4smp)
Kernel-Ext: SELinux (Policy: 1.27.1)
I am running postfix, authentication enabled via saslauthd.
The smtp-setup works fine if I disable the policy (targeted)
using
If I enable the policy
authentication fails and I get the following error message:
Code:
type=AVC msg=audit(...:15424395): avc: denied { create } for pid=6819 comm="saslauthd" scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=unix_dgram_socket
type=SYSCALL msg=audit(...:15424395): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfd7c5f0 a2=235ff4 a3=82e0634 items=0 pid=6819 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="saslauthd" exe="/usr/sbin/saslauthd"
type=SOCKETCALL msg=audit(...:15424395): nargs=3 a0=1 a1=2 a2=0
However, if I check saslauthd.te, the creation of a unix_dgram_socket should be allowed
Code:
auditallow saslauthd_t self:unix_dgram_socket create_socket_perms;
(I modified the original file with auditallow).
Obviously, there is something I do not understand. Any hints/ideas?
Thanks &
Cheers
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
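An added example, not from the original thread, that parses the three audit records quoted above: it extracts the AVC fields, decodes the i386 socketcall arguments (the denied call is socket(AF_UNIX, SOCK_DGRAM), exit -13 being EACCES) and builds the minimal allow rule covering that access. The grants_access helper encodes the point that auditallow only logs accesses some allow rule already permits and grants nothing by itself; the audit lines are embedded as constructed sample input.

```python
import re
# Constructed sample input: the three audit records quoted in the post above.
AUDIT_RECORDS = [
    'type=AVC msg=audit(...:15424395): avc: denied { create } for pid=6819 comm="saslauthd" '
    'scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=unix_dgram_socket',
    'type=SYSCALL msg=audit(...:15424395): arch=40000003 syscall=102 success=no exit=-13 a0=1 '
    'a1=bfd7c5f0 a2=235ff4 a3=82e0634 items=0 pid=6819 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 comm="saslauthd" exe="/usr/sbin/saslauthd"',
    'type=SOCKETCALL msg=audit(...:15424395): nargs=3 a0=1 a1=2 a2=0',
]
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SOCKET_DOMAIN = {1: 'AF_UNIX', 2: 'AF_INET', 10: 'AF_INET6'}
SOCKET_TYPE = {1: 'SOCK_STREAM', 2: 'SOCK_DGRAM', 3: 'SOCK_RAW'}

def fields(record):
    # key=value pairs of one audit record, with quotes stripped
    return {k: v.strip('"') for k, v in KV_RE.findall(record)}

def parse_avc(record):
    # Source/target context, object class and permissions of an AVC record, or None.
    m = AVC_RE.search(record)
    if not m:
        return None
    f = fields(record)
    return {'verdict': m['verdict'], 'perms': m['perms'].split(),
            'scontext': f['scontext'], 'tcontext': f['tcontext'], 'tclass': f['tclass']}

def allow_rule(avc):
    # Minimal 'allow' statement covering exactly this access; 'self' when the
    # source and target types coincide, as in the saslauthd.te line quoted above.
    src, tgt = avc['scontext'].split(':')[2], avc['tcontext'].split(':')[2]
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ %s }' % ' '.join(avc['perms'])
    return 'allow %s %s:%s %s;' % (src, 'self' if src == tgt else tgt, avc['tclass'], perms)

def grants_access(policy_statement):
    # Only 'allow' grants access. 'auditallow' just logs accesses that some other
    # allow rule already permits, and 'dontaudit' only suppresses denial logging.
    return policy_statement.split()[0] == 'allow'

def decode_socket_call(syscall_record, socketcall_record):
    # i386 (arch=40000003) multiplexes socket calls through socketcall (syscall 102);
    # a0=1 selects socket(), whose arguments are in the SOCKETCALL record (hex).
    s, sc = fields(syscall_record), fields(socketcall_record)
    if s.get('arch') != '40000003' or s.get('syscall') != '102' or int(s['a0'], 16) != 1:
        return None
    domain, stype = int(sc['a0'], 16), int(sc['a1'], 16)
    return {'call': 'socket', 'domain': SOCKET_DOMAIN.get(domain, domain),
            'type': SOCKET_TYPE.get(stype, stype), 'errno': -int(s['exit'])}
```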
February 22nd, 2006, 08:40 PM
#2
Out of curiosity, is dovecot starting when you turn off selinux and not starting when you turn it on?
February 22nd, 2006, 11:14 PM
#3
Hi
I resolved the issue by, well, going another way:
I stopped using the shadow-authentication mechanism
and switched to PAM (this is a test-machine anyway) by
editing /etc/sysconfig/saslauthd to MECH=pam.
It seems that the SELinux policies are written for PAM "only"
(which makes sense). However, I am still puzzled about the
above audit error message.
Out of curiosity, is dovecot starting when you turn off selinux and not starting when you turn it on?
No. Dovecot is starting fine in any case (I didn't say so explicitly
but the whole mail-system was working fine). The most likely cause for
dovecot not starting (I know this by experience) is the access
to the mbox-file (or whatever one has configured). If there are
problems, one might check the file_context file (don't forget to update
the filesystem after modification).
Cheers
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
February 23rd, 2006, 02:23 AM
#4
Well noted sec_ware, and I have to say that is one elusive error message you were reporting. I'm toying around with a FC4 test server myself but disabled SELinux from the get-go to avoid overcomplications from the get-go, since a past install ended with issues that made my eyes bleed from searching for answers.