Re: dovecot_auth_t wants capability audit_write and netlink_audit_socket create

I defined the other permissions in local.te so that it would compile and then installed local.pp. Switching to setenforce 1 dovecot logins with pam now WORK!... as far as I can tell. ;)

Will upgrade to the new policy later tonight.

Should I then remove the local.pp I just compiled and see what messages I get?

John

Daniel J Walsh wrote:
John Lindgren wrote:

Hello Stephan,

# rpm -qa | grep policy
selinux-policy-devel-2.6.4-8.fc7
checkpolicy-2.0.2-1.fc7
selinux-policy-targeted-2.6.4-8.fc7
selinux-policy-2.6.4-8.fc7
policycoreutils-2.0.16-2.fc7

# cat local.te

module local 1.0;

require {
        type dovecot_auth_t;
        class capability audit_write;
        class netlink_audit_socket { write nlmsg_relay create read };
}

#============= dovecot_auth_t ==============
logging_send_audit_msg(dovecot_auth_t);


# make -f /usr/share/selinux/devel/Makefile
Compiling targeted local module
/usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
local.te:11:ERROR 'permission ioctl is not defined for class netlink_audit_socket' at token ';' on line 80631: allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission getattr is not defined for class netlink_audit_socket' at token ';' on line 80631: allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission setattr is not defined for class netlink_audit_socket' at token ';' on line 80631: allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission append is not defined for class netlink_audit_socket' at token ';' on line 80631: allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission bind is not defined for class netlink_audit_socket' at token ';' on line 80631: allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission connect is not defined for class netlink_audit_socket' at token ';' on line 80631: allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission getopt is not defined for class netlink_audit_socket' at token ';' on line 80631: allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission setopt is not defined for class netlink_audit_socket' at token ';' on line 80631: allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission shutdown is not defined for class netlink_audit_socket' at token ';' on line 80631: allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission nlmsg_read is not defined for class netlink_audit_socket' at token ';' on line 80631: allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1


But besides that, is the problem dovecot_auth failing or is it pam failing? With dovecot in debug mode, and selinux enabled so that pop logins through pam will fail, here are some logs of a failed login:

# cat /var/log/maillog | grep dovecot
Jun 5 12:48:07 post dovecot: auth(default): client in: CONT 1 AGpvaG5ueQBxd2VdW3A=
Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): lookup service=dovecot
Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): pam_authenticate() failed: System error
Jun 5 12:48:09 post dovecot: auth(default): client out: FAIL 1 user=johnny


# cat /var/log/secure
Jun 5 12:48:07 post dovecot-auth: PAM audit_open() failed: Permission denied


# cat /var/log/audit/audit.log
type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003 syscall=102 success=yes exit=14 a0=1 a1=bfd2b540 a2=220ff4 a3=0 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=USER_AUTH msg=audit(1181073390.217:27912): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
type=SYSCALL msg=audit(1181073390.217:27911): arch=40000003 syscall=102 success=yes exit=164 a0=b a1=bfd207c0 a2=220ff4 a3=bfd27200 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27913): arch=40000003 syscall=102 success=yes exit=36 a0=c a1=bfd20770 a2=220ff4 a3=e items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=USER_ACCT msg=audit(1181073390.217:27914): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'

Here's a successful one with selinux in permissive:

# cat /var/log/audit/audit.log
type=USER_AUTH msg=audit(1181074280.291:28027): user pid=11306 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1181074280.291:28028): user pid=11306 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot res=success)'

What next?

John

Stephen Smalley wrote:

On Mon, 2007-06-04 at 18:18 -0700, John Lindgren wrote:

Hi,
New to this list, not totally new to selinux.

Running F7 with everything current (06/04/2007), policy is selinux-policy-targeted-2.6.4-8.fc7.

cat /var/log/audit/audit.log:
type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability

type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for pid=13520 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket


cat /var/log/audit/audit.log | audit2allow -M local:


cat local.te:
module local 1.0;

require {
        type dovecot_auth_t;
        class capability audit_write;
        class netlink_audit_socket { write nlmsg_relay create read };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay create read };


semodule -i local.pp:
libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:capability { audit_write };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

Should I add something magical (what, I'm not sure) to the .te to allow this anyway? Or is there something missing from the distribution targeted policy? Or edit the base policy and recompile the whole thing? Or...

Anyone else having this problem?



The policy contains certain assertions (neverallow rules) to prevent
accidental adding of allow rules that are highly security sensitive or
that indicate a mistake in labeling.

To override such assertions, you have to add an appropriate type
attribute to the type to enable it to pass the neverallow rule.  This is
usually done by using the right refpolicy interface.  In this case, that
appears to be:
    logging_send_audit_msg(dovecot_auth_t)

So replace those two allow rules with the above interface call.

Karl, any reason audit2allow didn't find that interface automatically?

Please try selinux-policy-2.6.4-13.fc7 currently in testing and moving to updates.
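The heuristic Stephen describes, as an added example that is not code from the thread, from audit2allow or from refpolicy: when every denial a domain gets in a class sits inside a known refpolicy interface, emit the interface call instead of the raw allow rules that trip the neverallow assertions at semodule time. The interface name and the permissions it covers are taken from the thread (audit2allow's require block and the checkmodule expansion above); the INTERFACE_GRANTS table and the sample log are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the thread plus one non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27913): arch=40000003 syscall=102 success=yes exit=36 pid=9030 comm="dovecot-auth"
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)')

def parse_avc_denials(log_text):
    """Group denied permissions by (source type, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, USER_AUTH etc. carry no denial
        stype = m.group('scontext').split(':')[2]  # user:role:TYPE:level
        ttype = m.group('tcontext').split(':')[2]
        target = 'self' if ttype == stype else ttype
        rules[(stype, target, m.group('tclass'))].update(m.group('perms').split())
    return rules
# Hand-written table (an assumption of this example): the interface Stephen names and
# the permissions the thread shows it covering (audit2allow's require block above).
INTERFACE_GRANTS = {
    'logging_send_audit_msg': {
        ('self', 'capability'): {'audit_write'},
        ('self', 'netlink_audit_socket'): {'create', 'read', 'write', 'nlmsg_relay'},
    },
}

def suggest_policy(rules):
    """Prefer an interface call to raw allow rules: raw rules for these classes trip
    the neverallow assertions that made semodule fail in the thread."""
    needs = {k: set(v) for k, v in rules.items()}
    out = []
    for stype in sorted({k[0] for k in needs}):
        for iface, grants in INTERFACE_GRANTS.items():
            covered = [k for k in needs if k[0] == stype and k[1:] in grants and needs[k] <= grants[k[1:]]]
            if covered:  # every denial in those classes is inside the interface
                out.append(f'{iface}({stype});')
                for k in covered:
                    del needs[k]
    for (stype, target, tclass), perms in sorted(needs.items()):  # whatever is left
        out.append(f'allow {stype} {target}:{tclass} {{ {" ".join(sorted(perms))} }};')
    return out
```

A denial that no table entry fully covers (for instance nlmsg_read, which is not in the interface's grant set here) still comes out as a plain allow rule, so the output shows exactly what remains to be justified by hand.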


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
