[DSE-Dev] Bug#690225: selinux-policy-default: dovecot cannot authenticate when selinux enforcing
David Waring
debian.bugs at ribenakid.me.uk
Thu Oct 11 11:19:24 UTC 2012

Package: selinux-policy-default
Version: 2:2.20110726-9
Severity: important
Dear Maintainer,
   * What led up to the situation?
Trying to use IMAP mail with dovecot while system was in selinux enforcing mode.
   * What exactly did you do (or not do) that was effective (or ineffective)?
User login to dovecot IMAP server with "setenforce 0" and "setenforce 1".
   * What was the outcome of this action?
Login was denied despite the username and password being correct when enforcing was active.
audit.log indicated that the /usr/lib/dovecot/auth executable was denied access to shadow.
Added fcontext for:
/usr/lib/dovecot/auth                              regular file       system_u:object_r:dovecot_auth_exec_t:s0
/usr/lib/dovecot/dovecot-lda                       regular file       system_u:object_r:lda_exec_t:s0
/usr/lib/dovecot/libdovecot.*\.so.*                regular file       system_u:object_r:lib_t:s0
...and "restorecon -rv /usr/lib/dovecot" fixed the issue.
   * What outcome did you expect instead?
Login to IMAP server should work when selinux is in enforcing mode.
-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-2-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7
ii  libselinux1      2.1.9-2
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-1
ii  python           2.7.2-10
Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-2
Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>
-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local changed:
/usr/lib/dovecot/auth -- system_u:object_r:dovecot_auth_exec_t:s0
/usr/lib/dovecot/dovecot-lda -- system_u:object_r:lda_exec_t:s0
/usr/lib/dovecot/libdovecot.*\.so.* -- system_u:object_r:lib_t:s0
-- no debconf information
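
An added example, not part of the original report: a small Python sketch that parses the three file_contexts.local entries quoted above and reports which label a path would be expected to carry after relabeling. It assumes a simplified matching rule (the regex must match the whole path, the file-type field is honoured, the last matching entry wins) rather than libselinux's full ordering, and the function names and sample paths are constructed for illustration.

```python
import re

# The three entries from file_contexts.local, copied from the report.
LOCAL_CONTEXTS = r"""
/usr/lib/dovecot/auth -- system_u:object_r:dovecot_auth_exec_t:s0
/usr/lib/dovecot/dovecot-lda -- system_u:object_r:lda_exec_t:s0
/usr/lib/dovecot/libdovecot.*\.so.* -- system_u:object_r:lib_t:s0
"""

# File-type field of an entry -> kind of object the entry applies to.
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
              "-b": "block", "-s": "socket", "-p": "pipe"}


def parse_contexts(text):
    """Return a list of (compiled_regex, kind_or_None, context) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # skip blank lines and comments
        if len(fields) == 3:
            pattern, ftype, context = fields
            kind = FILE_TYPES[ftype]
        else:
            # Two fields: no file-type column, entry applies to any kind.
            (pattern, context), kind = fields, None
        entries.append((re.compile(pattern), kind, context))
    return entries


def expected_context(entries, path, kind="file"):
    """Label the local entries assign to path, or None if none applies."""
    result = None
    for regex, entry_kind, context in entries:
        # fullmatch() anchors the pattern at both ends of the path.
        if entry_kind in (None, kind) and regex.fullmatch(path):
            result = context  # simplified rule: last matching entry wins
    return result


if __name__ == "__main__":
    entries = parse_contexts(LOCAL_CONTEXTS)
    # Constructed sample paths; only the first two appear in the report.
    for path in ("/usr/lib/dovecot/auth", "/usr/lib/dovecot/dovecot-lda",
                 "/usr/lib/dovecot/libdovecot-storage.so.0",
                 "/usr/lib/dovecot/imap"):
        print(path, "->", expected_context(entries, path))
```

A result of None means no local entry covers the path, so its label would come from the packaged policy instead.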
    
    