SELinux and saslauthd
Results 1 to 4 of 4

Thread: SELinux and saslauthd

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    557

    SELinux and saslauthd

    Hi


    I am puzzled with a particular SELinux policy configuration,
    concerning saslauthd.

    OS: Fedora Core 4.0 (2.6.11-1.1369_FC4smp)
    Kernel-Ext: SELinux (Policy: 1.27.1)



    I am running postfix, authentication enabled via saslauthd.
    The smtp-setup works fine if I disable the policy (targeted)
    using
    Code:
    # setenforce 0

    If I enable the policy
    Code:
    # setenforce 1
    authentication fails and I get the following error message:

    Code:
    type=AVC msg=audit(...:15424395): avc:  denied  { create } for  pid=6819 comm="saslauthd" scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=unix_dgram_socket
    type=SYSCALL msg=audit(...:15424395): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfd7c5f0 a2=235ff4 a3=82e0634 items=0 pid=6819 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="saslauthd" exe="/usr/sbin/saslauthd"
    type=SOCKETCALL msg=audit(...:15424395): nargs=3 a0=1 a1=2 a2=0
    However, if I check saslauthd.te, the creation of a unix_dgram_socket should be allowed
    Code:
    auditallow saslauthd_t self:unix_dgram_socket create_socket_perms;
    (I modified the original file with auditallow).


    Obviously, there is something I do not understand. Any hints/ideas?

    Thanks &
    Cheers
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  2. #2
    Banned
    Join Date
    Jul 2004
    Posts
    297
    out of courosity, is dovecot starting when you turn off selinux and not starting when you turn it on?

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    I resolved the issue by, well, going another way:

    I stopped using the shadow-authentication mechanism
    and switched to PAM (this is a test-machine anyway) by
    editing /etc/sysconfig/saslauthd to MECH=pam.

    It seems that the SELinux policies are written for PAM "only"
    (which makes sense). However, I am still puzzled about the
    above audit error message.

    out of courosity, is dovecot starting when you turn off selinux and not starting when you turn it on?
    No. Dovecot is starting fine in any case (I didn't say so explicitly
    but the whole mail-system was working fine). The most likely cause for
    dovecot not starting (I know this by experience ) is the access
    to the mbox-file (or whatever one has configured). If there are
    problems, one might check the file_context file (don't forget to update
    the filesystem after modification).

    Cheers
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  4. #4
    Banned
    Join Date
    Jul 2004
    Posts
    297
    Well noted sec_ware, and I have to say that is one elusive error message you were reporting. Im toying around with a FC4 test server my self but
    disabled SELinux from the get go to avoid overcomplications from the get go, since a past install ended with issues that made my eyes bleed from searching for answers.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides