Package: sasl2-bin
Version: 2.1.27+dfsg-2.1+deb11u1
I have a Cyrus Murder which was installed on Buster. SASL mechanism is
set to PAM, with nsswitch configured "passwd: files systemd ldap".
The system is SELinux enabled.
After dist-upgrading to Bullseye, we had intermittent login problems,
which go away when SELinux is set to permissive. Most users log in using
an LDAP account, while system users (murder, mupdate) will use a local
account.
My testing:
- restorecon -R /
- setenforce 1
- systemctl restart saslauthd
- login via LDAP succeeds
- login via local account mupdate fails
No policy violation in audit.log:
type=USER_AUTH msg=audit(1653909809.946:286388): pid=1604917 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:saslauthd_t:s0
msg='op=PAM:authentication grantors=? acct="mupdate"
exe="/usr/sbin/saslauthd" hostname=? addr=? terminal=?
res=failed'UID="root" AUID="unset"
- setenforce 0
- login via local account mupdate succeeds
audit.log:
type=USER_AUTH msg=audit(1653909900.509:286420): pid=1607198 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:saslauthd_t:s0
msg='op=PAM:authentication grantors=pam_permit acct="mupdate"
exe="/usr/sbin/saslauthd" hostname=? addr=? terminal=?
res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1653909900.509:286421): pid=1607198 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:saslauthd_t:s0
msg='op=PAM:accounting grantors=pam_permit acct="mupdate"
exe="/usr/sbin/saslauthd" hostname=? addr=? terminal=?
res=success'UID="root" AUID="unset"
- setenforce 1
- login via local account mupdate still succeeds
- systemctl restart saslauthd
- login via local account mupdate fails again.
This problem didn't exist with Buster, while using the 2.1.27+dfsg-1+deb10u1
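
Added example, not part of the original report: a small Python parser for audit records in the layout quoted above. It groups saslauthd's PAM results per account, lists accounts whose authentication both failed and succeeded, and counts AVC records for the saslauthd_t domain. The sample lines are the report's records joined onto one line each; all function names are illustrative.

```python
import re

# Constructed sample: the report's records, unwrapped to one line per record.
_CTX = ("pid=%d uid=0 auid=4294967295 ses=4294967295 "
        "subj=system_u:system_r:saslauthd_t:s0 ")
_TAIL = ('acct="mupdate" exe="/usr/sbin/saslauthd" hostname=? addr=? '
         "terminal=? res=%s'UID=\"root\" AUID=\"unset\"")
SAMPLE = "\n".join([
    "type=USER_AUTH msg=audit(1653909809.946:286388): " + _CTX % 1604917
    + "msg='op=PAM:authentication grantors=? " + _TAIL % "failed",
    "type=USER_AUTH msg=audit(1653909900.509:286420): " + _CTX % 1607198
    + "msg='op=PAM:authentication grantors=pam_permit " + _TAIL % "success",
    "type=USER_ACCT msg=audit(1653909900.509:286421): " + _CTX % 1607198
    + "msg='op=PAM:accounting grantors=pam_permit " + _TAIL % "success",
])

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):")
INNER = re.compile(r"msg='([^']*)'")           # the quoted PAM payload
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')     # key=value or key="value"

def parse(line):
    """Return one audit record as a dict, or None if it has no PAM payload."""
    head, inner = HEADER.match(line), INNER.search(line)
    if not head or not inner:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(inner.group(1))}
    outer = dict(FIELD.findall(line[head.end():inner.start()]))
    rec.update(type=head.group(1), serial=int(head.group(4)),
               pid=int(outer["pid"]), subj=outer.get("subj", ""))
    return rec

def pam_outcomes(text, exe="/usr/sbin/saslauthd"):
    """Map account -> [(serial, op, grantors, res)] for PAM events from exe."""
    out = {}
    for rec in filter(None, map(parse, text.splitlines())):
        if rec.get("exe") == exe and rec.get("op", "").startswith("PAM:"):
            out.setdefault(rec["acct"], []).append(
                (rec["serial"], rec["op"], rec["grantors"], rec["res"]))
    return out

def flapping(outcomes):
    """Accounts whose PAM authentication both failed and succeeded."""
    return sorted(acct for acct, events in outcomes.items()
                  if {"failed", "success"} <= {res for _, op, _, res in events
                                               if op == "PAM:authentication"})

def avc_count(text, domain="saslauthd_t"):
    """Number of AVC records whose line mentions the given SELinux domain."""
    return sum(1 for line in text.splitlines()
               if line.startswith("type=AVC") and f":{domain}:" in line)
```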