[SOLVED] Dovecot user authentication failed

lxc5089 · 06-23-2010, 04:03 AM

Hi All,

Im using CenOs 5 and have install a mail system(postfix+dovecot),
when I trying to enable selinux for enforcing mode and i'm have some issue, the user authentication failed. and the log from /var/log/audit/audit.log as below:

type=USER_AUTH msg=audit(1276507030.919:5032): user pid=31695 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct="test" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:192.168.1.1, addr=::ffff:192.168.1.1, terminal=dovecot res=failed)'

How can i to fix this problem? may you give me some advise, thanks.

unSpawn · 06-25-2010, 02:59 AM

Next time also please update your post here if you add lines overthere. From these three lines:

Code:

type=AVC msg=audit(1277423451.076:6825): avc: denied { read } for pid=22067 comm="dovecot-auth" name="shadow" dev=dm-0 ino=85820037 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1277423451.076:6825): arch=40000003 syscall=5 success=yes exit=14 a0=32a304 a1=0 a2=1b6 a3=9649818 items=0 ppid=2423 pid=22067 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=system_u:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1277423451.076:6826): avc: denied { getattr } for pid=22067 comm="dovecot-auth" path="/etc/shadow" dev=dm-0 ino=85820037 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

I'm thinking you mistakingly configured /etc/shadow for user name lookups instead of /etc/passwd. (/etc/shadow is by default not accessible for unprivileged users and for good reasons. Changing permissions on the file is a mortal sin. Please research about user auth if you need to know more.) See if reconfiguring Dovecot to use PAM auth instead fixes at least the dovecot-auth lines.

lxc5089 · 06-30-2010, 09:09 AM

The problem been solved with domg472 helping.

It need to allow dovecot_auth_t to read shadow_t

mkdir ~/mydovecot; cd ~/mydovecot
echo "policy_module(mydovecot, 1.0.0)" > mydovecot.te;
echo "require { type dovecot_auth_t; }" >> mydovecot.te;
echo "auth_read_shadow(dovecot_auth_t)" >> mydovecot.te;

make -f /usr/share/selinux/devel/Makefile mydovecot.pp
sudo semodule -i mydovecot.pp