Re: dovecot_auth_t wants capability audit_write and netlink_audit_socket create

[John Lindgren <nwaero@xxxxxxxxxxxxxxxxxx>]

I defined the other permissions in local.te so that it would compile and 
then installed local.pp. Switching to setenforce 1 dovecot logins with 
pam now WORK!... as far as I can tell. ;)

Will upgrade to the new policy later tonight.

Should I then remove the local.pp I just compiled and see what messages 
I get?

John

Daniel J Walsh wrote:
> John Lindgren wrote:
>
> > Hello Stephan,
> >
> > # rpm -qa | grep policy
> > selinux-policy-devel-2.6.4-8.fc7
> > checkpolicy-2.0.2-1.fc7
> > selinux-policy-targeted-2.6.4-8.fc7
> > selinux-policy-2.6.4-8.fc7
> > policycoreutils-2.0.16-2.fc7
> >
> > # cat local.te
> >
> > module local 1.0;
> >
> > require {
> >         type dovecot_auth_t;
> >         class capability audit_write;
> >         class netlink_audit_socket { write nlmsg_relay create read };
> > }
> >
> > #============= dovecot_auth_t ==============
> > logging_send_audit_msg(dovecot_auth_t);
> >
> >
> > # make -f /usr/share/selinux/devel/Makefile
> > Compiling targeted local module
> > /usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
> > local.te:11:ERROR 'permission ioctl is not defined for class 
> > netlink_audit_socket' at token ';' on line 80631:
> >         allow dovecot_auth_t self:netlink_audit_socket { { create { 
> > ioctl read getattr write setattr append bind connect getopt setopt 
> > shutdown } } nlmsg_read nlmsg_relay };
> > #line 11
> > local.te:11:ERROR 'permission getattr is not defined for class 
> > netlink_audit_socket' at token ';' on line 80631:
> >         allow dovecot_auth_t self:netlink_audit_socket { { create { 
> > ioctl read getattr write setattr append bind connect getopt setopt 
> > shutdown } } nlmsg_read nlmsg_relay };
> > #line 11
> > local.te:11:ERROR 'permission setattr is not defined for class 
> > netlink_audit_socket' at token ';' on line 80631:
> >         allow dovecot_auth_t self:netlink_audit_socket { { create { 
> > ioctl read getattr write setattr append bind connect getopt setopt 
> > shutdown } } nlmsg_read nlmsg_relay };
> > #line 11
> > local.te:11:ERROR 'permission append is not defined for class 
> > netlink_audit_socket' at token ';' on line 80631:
> >         allow dovecot_auth_t self:netlink_audit_socket { { create { 
> > ioctl read getattr write setattr append bind connect getopt setopt 
> > shutdown } } nlmsg_read nlmsg_relay };
> > #line 11
> > local.te:11:ERROR 'permission bind is not defined for class 
> > netlink_audit_socket' at token ';' on line 80631:
> >         allow dovecot_auth_t self:netlink_audit_socket { { create { 
> > ioctl read getattr write setattr append bind connect getopt setopt 
> > shutdown } } nlmsg_read nlmsg_relay };
> > #line 11
> > local.te:11:ERROR 'permission connect is not defined for class 
> > netlink_audit_socket' at token ';' on line 80631:
> >         allow dovecot_auth_t self:netlink_audit_socket { { create { 
> > ioctl read getattr write setattr append bind connect getopt setopt 
> > shutdown } } nlmsg_read nlmsg_relay };
> > #line 11
> > local.te:11:ERROR 'permission getopt is not defined for class 
> > netlink_audit_socket' at token ';' on line 80631:
> >         allow dovecot_auth_t self:netlink_audit_socket { { create { 
> > ioctl read getattr write setattr append bind connect getopt setopt 
> > shutdown } } nlmsg_read nlmsg_relay };
> > #line 11
> > local.te:11:ERROR 'permission setopt is not defined for class 
> > netlink_audit_socket' at token ';' on line 80631:
> >         allow dovecot_auth_t self:netlink_audit_socket { { create { 
> > ioctl read getattr write setattr append bind connect getopt setopt 
> > shutdown } } nlmsg_read nlmsg_relay };
> > #line 11
> > local.te:11:ERROR 'permission shutdown is not defined for class 
> > netlink_audit_socket' at token ';' on line 80631:
> >         allow dovecot_auth_t self:netlink_audit_socket { { create { 
> > ioctl read getattr write setattr append bind connect getopt setopt 
> > shutdown } } nlmsg_read nlmsg_relay };
> > #line 11
> > local.te:11:ERROR 'permission nlmsg_read is not defined for class 
> > netlink_audit_socket' at token ';' on line 80631:
> >         allow dovecot_auth_t self:netlink_audit_socket { { create { 
> > ioctl read getattr write setattr append bind connect getopt setopt 
> > shutdown } } nlmsg_read nlmsg_relay };
> > #line 11
> > /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> > make: *** [tmp/local.mod] Error 1
> >
> >
> > But besides that, is the problem dovecot_auth failing or is it pam 
> > failing? With dovecot in debug mode, and selinux enabled so that pop 
> > logins through pam will fail, here are some logs of a failed login:
> >
> > # cat /var/log/maillog | grep dovecot
> > Jun  5 12:48:07 post dovecot: auth(default): client in: CONT    1 
> > AGpvaG5ueQBxd2VdW3A=
> > Jun  5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): 
> > lookup service=dovecot
> > Jun  5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): 
> > pam_authenticate() failed: System error
> > Jun  5 12:48:09 post dovecot: auth(default): client out: FAIL   1 
> > user=johnny
> >
> >
> > # cat /var/log/secure
> > Jun  5 12:48:07 post dovecot-auth: PAM audit_open() failed: Permission 
> > denied
> >
> >
> > # cat /var/log/audit/audit.log
> > type=AVC msg=audit(1181073390.217:27910): avc:  denied  { create } for 
> > pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 
> > tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> > type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003 
> > syscall=102 success=yes exit=14 a0=1 a1=bfd2b540 a2=220ff4 a3=0 
> > items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 
> > egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" 
> > exe="/usr/libexec/dovecot/dovecot-auth" 
> > subj=root:system_r:dovecot_auth_t:s0 key=(null)
> > type=AVC msg=audit(1181073390.217:27911): avc:  denied  { write } for 
> > pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 
> > tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> > type=AVC msg=audit(1181073390.217:27911): avc:  denied  { nlmsg_relay 
> > } for  pid=9030 comm="dovecot-auth" 
> > scontext=root:system_r:dovecot_auth_t:s0 tcontext=root 
> > :system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket type=USER_AUTH 
> > msg=audit(1181073390.217:27912): user pid=9030 uid=0 auid=0 subj= 
> > root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=wayne : 
> > exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, 
> > addr=71.113.46.17, terminal=dovecot res=success)'
> > type=SYSCALL msg=audit(1181073390.217:27911): arch=40000003 
> > syscall=102 success=yes exit=164 a0=b a1=bfd207c0 a2=220ff4 
> > a3=bfd27200 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" 
> > exe="/usr/libexec/dovecot/dovecot-auth" 
> > subj=root:system_r:dovecot_auth_t:s0 key=(null)
> > type=AVC msg=audit(1181073390.217:27913): avc:  denied  { read } for 
> > pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 
> > tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> > type=SYSCALL msg=audit(1181073390.217:27913): arch=40000003 
> > syscall=102 success=yes exit=36 a0=c a1=bfd20770 a2=220ff4 a3=e 
> > items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 
> > egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" 
> > exe="/usr/libexec/dovecot/dovecot-auth" 
> > subj=root:system_r:dovecot_auth_t:s0 key=(null)
> > type=USER_ACCT msg=audit(1181073390.217:27914): user pid=9030 uid=0 
> > auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting 
> > acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" 
> > (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
> >
> > Here's a successful one with selinux in permissive:
> >
> > # cat /var/log/audit/audit.log
> > type=USER_AUTH msg=audit(1181074280.291:28027): user pid=11306 uid=0 
> > auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication 
> > acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" 
> > (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot 
> > res=success)'
> > type=USER_ACCT msg=audit(1181074280.291:28028): user pid=11306 uid=0 
> > auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting 
> > acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" 
> > (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot 
> > res=success)'
> >
> > What next?
> >
> > John
> >
> > Stephen Smalley wrote:
> >
> > > On Mon, 2007-06-04 at 18:18 -0700, John Lindgren wrote:
> > >
> > > > Hi,
> > > > New to this list, not totally new to selinux.
> > > >
> > > > Running F7 with everything current (06/04/2007), policy is 
> > > > selinux-policy-targeted-2.6.4-8.fc7.
> > > >
> > > > cat /var/log/audit/audit.log:
> > > > type=AVC msg=audit(1181003986.020:18662): avc:  denied  { 
> > > > audit_write } for  pid=13774 comm="dovecot-auth" capability=29 
> > > > scontext=root:system_r:dovecot_auth_t:s0 
> > > > tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
> > > >
> > > > type=AVC msg=audit(1181003859.499:18627): avc:  denied  { create } 
> > > > for pid=1352 0 comm="dovecot-auth" 
> > > > scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:sys 
> > > > tem_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> > > >
> > > >
> > > > cat /var/log/audit/audit.log | audit2allow -M local:
> > > >
> > > >
> > > > cat local.te:
> > > > module local 1.0;
> > > >
> > > > require {
> > > >         type dovecot_auth_t;
> > > >         class capability audit_write;
> > > >         class netlink_audit_socket { write nlmsg_relay create read };
> > > > }
> > > >
> > > > #============= dovecot_auth_t ==============
> > > > allow dovecot_auth_t self:capability audit_write;
> > > > allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay 
> > > > create read };
> > > >
> > > >
> > > > semodule -i local.pp:
> > > > libsepol.check_assertion_helper: assertion on line 0 violated by 
> > > > allow dovecot_auth_t dovecot_auth_t:netlink_audit_socket { 
> > > > nlmsg_relay };
> > > > libsepol.check_assertion_helper: assertion on line 0 violated by 
> > > > allow dovecot_auth_t dovecot_auth_t:capability { audit_write };
> > > > libsepol.check_assertions: 2 assertion violations occured
> > > > libsemanage.semanage_expand_sandbox: Expand module failed
> > > > semodule: Failed!
> > > >
> > > > Should I add something magical (what, I'm not sure) to the .te to 
> > > > allow this anyway? Or is there something missing from the 
> > > > distribution targeted policy? Or edit the base policy and recompile 
> > > > the whole thing? Or...
> > > >
> > > > Anyone else having this problem?
> > >
> > >
> > >
> > > The policy contains certain assertions (neverallow rules) to prevent
> > > accidental adding of allow rules that are highly security sensitive or
> > > that indicate a mistake in labeling.
> > >
> > > To override such assertions, you have to add an appropriate type
> > > attribute to the type to enable it to pass the neverallow rule.  This is
> > > usually done by using the right refpolicy interface.  In this case, that
> > > appears to be:
> > >     logging_send_audit_msg(dovecot_auth_t)
> > >
> > > So replace those two allow rules with the above interface call.
> > >
> > > Karl, any reason audit2allow didn't find that interface automatically?
> Please try selinux-policy-2.6.4-13.fc7 currently in testing and moving 
> to updates.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list