Small updates to courier policy in order to have the Courier IMAPd work with the policy.
Sven Vermeulen (6):
Courier TCPd startup creates imapd.pid.lock and imapd.lock
Locate authdaemon socket and communicate with authdaemon
Allow authdaemon to access selinux fs to check SELinux state
Grant setuid/setgid to courier_pop_t
Execute courier helper script after authentication
Courier IMAP needs to manage the users' maildir
courier.te | 11 +++++++++++
1 file changed, 11 insertions(+)
--
2.0.5
Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/courier.te b/courier.te
index ae3bc70..112a60b 100644
--- a/courier.te
+++ b/courier.te
@@ -172,6 +172,8 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
dev_read_rand(courier_tcpd_t)
dev_read_urand(courier_tcpd_t)
+files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
+
miscfiles_read_localization(courier_tcpd_t)
########################################
--
2.0.5
Without this, authentication fails. The following is shown in the logs:
Dec 30 19:36:54 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:36:54 localhost imapd: authdaemon: s_connect() failed: Permission denied
Dec 30 19:36:54 localhost imapd: LOGIN FAILED, user=root, ip=[::ffff:192.168.100.152]
Dec 30 19:36:54 localhost imapd: authentication error: Permission denied
Through logon, the daemon (courier_pop_t) wants to locate the socket in
/var/lib/courier to initiate communication with the authdaemon.
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/courier.te b/courier.te
index 112a60b..c4ab936 100644
--- a/courier.te
+++ b/courier.te
@@ -137,6 +137,8 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s
allow courier_pop_t courier_var_lib_t:file { read write };
+stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)
+
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
miscfiles_read_localization(courier_pop_t)
--
2.0.5
When attempting to authenticate, the PAM module checks if SELinux is
enabled (pam_unix, in order to verify if the chkpwd helper utility needs
to be called). If it fails to check the SELinux state, then authdaemon
will try to access shadow directly (again, through pam_unix).
This only occurs when a user tries to log on as root (on IMAP server) as
non-root users automatically have chkpwd executed.
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/courier.te b/courier.te
index c4ab936..07752c2 100644
--- a/courier.te
+++ b/courier.te
@@ -114,6 +114,8 @@ libs_read_lib_files(courier_authdaemon_t)
miscfiles_read_localization(courier_authdaemon_t)
+selinux_getattr_fs(courier_authdaemon_t)
+
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
########################################
--
2.0.5
When trying to log on to the IMAP service, the authentication fails and
the following shows up in the courier logs:
Dec 30 19:40:56 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:40:56 localhost imapd: initgroups: Operation not permitted
In the audit logs, the following shows up:
type=AVC msg=audit(1419968456.850:190): avc: denied { setgid } for
pid=4028 comm="imaplogin" capability=6
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability
type=AVC msg=audit(1419968532.622:192): avc: denied { setuid } for
pid=4118 comm="imaplogin" capability=7
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability
The daemon wants to switch user to access the necessary maildir's.
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/courier.te b/courier.te
index 07752c2..6082d5c 100644
--- a/courier.te
+++ b/courier.te
@@ -132,6 +132,7 @@ dev_read_rand(courier_pcp_t)
# POP3/IMAP local policy
#
+allow courier_pop_t self:capability { setgid setuid };
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
allow courier_pop_t courier_authdaemon_t:process sigchld;
--
2.0.5
After succesful authentication, the IMAP daemon will attempt to execute
a helper script called /usr/lib64/courier-imap/courier-imapd.indirect.
This helper script is to initiate the user session.
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/courier.te b/courier.te
index 6082d5c..c06c3ad 100644
--- a/courier.te
+++ b/courier.te
@@ -144,6 +144,8 @@ stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, cour
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
+corecmd_exec_shell(courier_pop_t)
+
miscfiles_read_localization(courier_pop_t)
userdom_manage_user_home_content_files(courier_pop_t)
--
2.0.5
Without these permissions, the logon immediately terminates and the
following shows up in the logs:
Dec 30 19:45:33 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:45:33 localhost imapd: chdir .maildir: Permission denied
Dec 30 19:45:33 localhost imapd: root: Permission denied
The first denial (and many similar ones follow when granted):
type=AVC msg=audit(1419968733.163:197): avc: denied { search } for
pid=4292 comm="courier-imapd" name=".maildir" dev="vda3" ino=393221
scontext=system_u:system_r:courier_pop_t:s0
tcontext=root:object_r:mail_home_rw_t:s0 tclass=dir
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/courier.te b/courier.te
index c06c3ad..49fa11d 100644
--- a/courier.te
+++ b/courier.te
@@ -148,6 +148,8 @@ corecmd_exec_shell(courier_pop_t)
miscfiles_read_localization(courier_pop_t)
+mta_manage_mail_home_rw_content(courier_pop_t)
+
userdom_manage_user_home_content_files(courier_pop_t)
userdom_manage_user_home_content_dirs(courier_pop_t)
--
2.0.5
On Tue, Dec 30, 2014 at 09:21:34PM +0100, Sven Vermeulen wrote:
> Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> courier.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/courier.te b/courier.te
> index ae3bc70..112a60b 100644
> --- a/courier.te
> +++ b/courier.te
> @@ -172,6 +172,8 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
> dev_read_rand(courier_tcpd_t)
> dev_read_urand(courier_tcpd_t)
>
> +files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
Then this should probably go with a file context specification for /var/run/imapd.pid.lock and /var/run/imapd.lock
Could you enclose those as part of this patch if there are none for the above locations already (i could not find them in courier.fc)
> +
> miscfiles_read_localization(courier_tcpd_t)
>
> ########################################
> --
> 2.0.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20141230/22ac2530/attachment.bin
On Tue, Dec 30, 2014 at 09:21:35PM +0100, Sven Vermeulen wrote:
> Without this, authentication fails. The following is shown in the logs:
>
> Dec 30 19:36:54 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
> Dec 30 19:36:54 localhost imapd: authdaemon: s_connect() failed: Permission denied
> Dec 30 19:36:54 localhost imapd: LOGIN FAILED, user=root, ip=[::ffff:192.168.100.152]
> Dec 30 19:36:54 localhost imapd: authentication error: Permission denied
>
> Through logon, the daemon (courier_pop_t) wants to locate the socket in
> /var/lib/courier to initiate communication with the authdaemon.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> courier.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/courier.te b/courier.te
> index 112a60b..c4ab936 100644
> --- a/courier.te
> +++ b/courier.te
> @@ -137,6 +137,8 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s
>
> allow courier_pop_t courier_var_lib_t:file { read write };
>
> +stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)
Could you explain what a sock file with type courier_var_run_t is doing in a directory with type courier_var_lib_t?
I suspect that above should probably instead be "stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t courier_authdaemon_t)"
If my assumption is wrong then please explain why
> +
> domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
>
> miscfiles_read_localization(courier_pop_t)
> --
> 2.0.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20141230/59154518/attachment.bin
On Tue, Dec 30, 2014 at 09:21:39PM +0100, Sven Vermeulen wrote:
> Without these permissions, the logon immediately terminates and the
> following shows up in the logs:
>
> Dec 30 19:45:33 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
> Dec 30 19:45:33 localhost imapd: chdir .maildir: Permission denied
> Dec 30 19:45:33 localhost imapd: root: Permission denied
>
> The first denial (and many similar ones follow when granted):
>
> type=AVC msg=audit(1419968733.163:197): avc: denied { search } for
> pid=4292 comm="courier-imapd" name=".maildir" dev="vda3" ino=393221
> scontext=system_u:system_r:courier_pop_t:s0
> tcontext=root:object_r:mail_home_rw_t:s0 tclass=dir
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> courier.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/courier.te b/courier.te
> index c06c3ad..49fa11d 100644
> --- a/courier.te
> +++ b/courier.te
> @@ -148,6 +148,8 @@ corecmd_exec_shell(courier_pop_t)
>
> miscfiles_read_localization(courier_pop_t)
>
> +mta_manage_mail_home_rw_content(courier_pop_t)
> +
Should this go together with a "mta_home_filetrans_mail_home(courier_pop_t, dir, ".maildir")", i.e. should courier-imapd be able to create that directory if it does not already exist?
> userdom_manage_user_home_content_files(courier_pop_t)
> userdom_manage_user_home_content_dirs(courier_pop_t)
>
The above may, or may not, be redundant now that we have a .maildir with a private type
> --
> 2.0.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20141230/f8a76373/attachment-0001.bin
On Tue, Dec 30, 2014 at 09:47:57PM +0100, Dominick Grift wrote:
> > diff --git a/courier.te b/courier.te
> > index 112a60b..c4ab936 100644
> > --- a/courier.te
> > +++ b/courier.te
> > @@ -137,6 +137,8 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s
> >
> > allow courier_pop_t courier_var_lib_t:file { read write };
> >
> > +stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)
>
> Could you explain what a sock file with type courier_var_run_t is doing in a directory with type courier_var_lib_t?
>
> I suspect that above should probably instead be "stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t courier_authdaemon_t)"
> If my assumption is wrong then please explain why
Good catch. Indeed, I had a stale courier_var_run_t laying around in an
attempt for reconfiguring the daemons to use /var/run/courier instead of
/var/lib/courier for the socket. But I failed miserably and I don't know why
- it continues to make the socket in /var/lib/courier.
I reset the contexts of /var/lib completely and can confirm that
courier_var_lib_t is what is needed. I'll update the patch to this.
Wkr,
Sven Vermeulen
On Tue, Dec 30, 2014 at 09:54:21PM +0100, Dominick Grift wrote:
> > diff --git a/courier.te b/courier.te
> > index c06c3ad..49fa11d 100644
> > --- a/courier.te
> > +++ b/courier.te
> > @@ -148,6 +148,8 @@ corecmd_exec_shell(courier_pop_t)
> >
> > miscfiles_read_localization(courier_pop_t)
> >
> > +mta_manage_mail_home_rw_content(courier_pop_t)
> > +
>
> Should this go together with a "mta_home_filetrans_mail_home(courier_pop_t, dir, ".maildir")", i.e. should courier-imapd be able to create that directory if it does not already exist?
Not here at least. The daemon does not try to create the .maildir - it
expects that it is already there. Without the directory available, the login
fails and in the logs the following is shown:
Dec 31 15:57:06 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 31 15:57:06 localhost imapd: chdir .maildir: No such file or directory
Dec 31 15:57:06 localhost imapd: root: No such file or directory
There are no denials (even with dontaudits disabled) that show that it
tries to create it. So the admin needs to create it using the maildirmake
application (also provided through the courier-imap package).
> > userdom_manage_user_home_content_files(courier_pop_t)
> > userdom_manage_user_home_content_dirs(courier_pop_t)
> >
>
> The above may, or may not, be redundant now that we have a .maildir with a private type
Indeed, at least it is not necessary on my test system anymore. I'll remove
it with the patch as well.
Wkr,
Sven Vermeulen