Small updates to courier policy in order to have the Courier IMAPd work with the policy.
Changes since v1:
- add file contexts for imapd.pid and imapd.pid.lock
- use courier_var_lib_t in stream_connect pattern
- drop user content access for courier now that there is mail_home_rw_t access
Sven Vermeulen (6):
Courier TCPd startup creates imapd.pid.lock and imapd.lock
Locate authdaemon socket and communicate with authdaemon
Allow authdaemon to access selinux fs to check SELinux state
Grant setuid/setgid to courier_pop_t
Execute courier helper script after authentication
Courier IMAP needs to manage the users' maildir
courier.fc | 2 ++
courier.te | 12 ++++++++++--
2 files changed, 12 insertions(+), 2 deletions(-)
--
2.0.5
Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.fc | 2 ++
courier.te | 2 ++
2 files changed, 4 insertions(+)
diff --git a/courier.fc b/courier.fc
index 2f017a0..abdc37e 100644
--- a/courier.fc
+++ b/courier.fc
@@ -27,6 +27,8 @@
/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
+/var/run/imapd\.pid -- gen_context(system_u:object_r:courier_var_run_t,s0)
+/var/run/imapd\.pid\.lock -- gen_context(system_u:object_r:courier_var_run_t,s0)
/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
diff --git a/courier.te b/courier.te
index ae3bc70..112a60b 100644
--- a/courier.te
+++ b/courier.te
@@ -172,6 +172,8 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
dev_read_rand(courier_tcpd_t)
dev_read_urand(courier_tcpd_t)
+files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
+
miscfiles_read_localization(courier_tcpd_t)
########################################
--
2.0.5
Without this, authentication fails. The following is shown in the logs:
Dec 30 19:36:54 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:36:54 localhost imapd: authdaemon: s_connect() failed: Permission denied
Dec 30 19:36:54 localhost imapd: LOGIN FAILED, user=root, ip=[::ffff:192.168.100.152]
Dec 30 19:36:54 localhost imapd: authentication error: Permission denied
Through logon, the daemon (courier_pop_t) wants to locate the socket in
/var/lib/courier to initiate communication with the authdaemon.
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/courier.te b/courier.te
index 112a60b..b12dd7f 100644
--- a/courier.te
+++ b/courier.te
@@ -137,6 +137,8 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s
allow courier_pop_t courier_var_lib_t:file { read write };
+stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)
+
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
miscfiles_read_localization(courier_pop_t)
--
2.0.5
When attempting to authenticate, the PAM module checks if SELinux is
enabled (pam_unix, in order to verify if the chkpwd helper utility needs
to be called). If it fails to check the SELinux state, then authdaemon
will try to access shadow directly (again, through pam_unix).
This only occurs when a user tries to log on as root (on IMAP server) as
non-root users automatically have chkpwd executed.
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/courier.te b/courier.te
index b12dd7f..b46eada 100644
--- a/courier.te
+++ b/courier.te
@@ -114,6 +114,8 @@ libs_read_lib_files(courier_authdaemon_t)
miscfiles_read_localization(courier_authdaemon_t)
+selinux_getattr_fs(courier_authdaemon_t)
+
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
########################################
--
2.0.5
When trying to log on to the IMAP service, the authentication fails and
the following shows up in the courier logs:
Dec 30 19:40:56 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:40:56 localhost imapd: initgroups: Operation not permitted
In the audit logs, the following shows up:
type=AVC msg=audit(1419968456.850:190): avc: denied { setgid } for
pid=4028 comm="imaplogin" capability=6
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability
type=AVC msg=audit(1419968532.622:192): avc: denied { setuid } for
pid=4118 comm="imaplogin" capability=7
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability
The daemon wants to switch user to access the necessary maildir's.
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/courier.te b/courier.te
index b46eada..7967fc6 100644
--- a/courier.te
+++ b/courier.te
@@ -132,6 +132,7 @@ dev_read_rand(courier_pcp_t)
# POP3/IMAP local policy
#
+allow courier_pop_t self:capability { setgid setuid };
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
allow courier_pop_t courier_authdaemon_t:process sigchld;
--
2.0.5
After succesful authentication, the IMAP daemon will attempt to execute
a helper script called /usr/lib64/courier-imap/courier-imapd.indirect.
This helper script is to initiate the user session.
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/courier.te b/courier.te
index 7967fc6..6053939 100644
--- a/courier.te
+++ b/courier.te
@@ -144,6 +144,8 @@ stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, cour
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
+corecmd_exec_shell(courier_pop_t)
+
miscfiles_read_localization(courier_pop_t)
userdom_manage_user_home_content_files(courier_pop_t)
--
2.0.5
Without these permissions, the logon immediately terminates and the
following shows up in the logs:
Dec 30 19:45:33 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:45:33 localhost imapd: chdir .maildir: Permission denied
Dec 30 19:45:33 localhost imapd: root: Permission denied
The first denial (and many similar ones follow when granted):
type=AVC msg=audit(1419968733.163:197): avc: denied { search } for
pid=4292 comm="courier-imapd" name=".maildir" dev="vda3" ino=393221
scontext=system_u:system_r:courier_pop_t:s0
tcontext=root:object_r:mail_home_rw_t:s0 tclass=dir
Signed-off-by: Sven Vermeulen <[email protected]>
---
courier.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/courier.te b/courier.te
index 6053939..91c0ee8 100644
--- a/courier.te
+++ b/courier.te
@@ -148,8 +148,7 @@ corecmd_exec_shell(courier_pop_t)
miscfiles_read_localization(courier_pop_t)
-userdom_manage_user_home_content_files(courier_pop_t)
-userdom_manage_user_home_content_dirs(courier_pop_t)
+mta_manage_mail_home_rw_content(courier_pop_t)
########################################
#
--
2.0.5
On Wed, Dec 31, 2014 at 05:09:52PM +0100, Sven Vermeulen wrote:
> Small updates to courier policy in order to have the Courier IMAPd work with the policy.
There is an issue with the tresys mail list. It does not relay all messages
This one did not make it to you i suspect:
http://oss.tresys.com/pipermail/refpolicy/2014-December/007541.html
>
> Changes since v1:
> - add file contexts for imapd.pid and imapd.pid.lock
> - use courier_var_lib_t in stream_connect pattern
> - drop user content access for courier now that there is mail_home_rw_t access
>
> Sven Vermeulen (6):
> Courier TCPd startup creates imapd.pid.lock and imapd.lock
> Locate authdaemon socket and communicate with authdaemon
> Allow authdaemon to access selinux fs to check SELinux state
> Grant setuid/setgid to courier_pop_t
> Execute courier helper script after authentication
> Courier IMAP needs to manage the users' maildir
>
> courier.fc | 2 ++
> courier.te | 12 ++++++++++--
> 2 files changed, 12 insertions(+), 2 deletions(-)
>
> --
> 2.0.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20141231/b7d069a8/attachment-0001.bin
On Wed, Dec 31, 2014 at 05:09:53PM +0100, Sven Vermeulen wrote:
> Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> courier.fc | 2 ++
> courier.te | 2 ++
> 2 files changed, 4 insertions(+)
>
> diff --git a/courier.fc b/courier.fc
> index 2f017a0..abdc37e 100644
> --- a/courier.fc
> +++ b/courier.fc
> @@ -27,6 +27,8 @@
> /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
>
> /var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
> +/var/run/imapd\.pid -- gen_context(system_u:object_r:courier_var_run_t,s0)
This conflicts with uwimap pid file context specification
Not sure how to deal with this, but i would prefer:
Did you build with: --with-piddir=dir - use dir/imapd.pid to store couriertcpd's process ID.
Probably better to set --with-piddir=/var/run/courier
That will make this patch redundant
> +/var/run/imapd\.pid\.lock -- gen_context(system_u:object_r:courier_var_run_t,s0)
>
> /var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
> /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
> diff --git a/courier.te b/courier.te
> index ae3bc70..112a60b 100644
> --- a/courier.te
> +++ b/courier.te
> @@ -172,6 +172,8 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
> dev_read_rand(courier_tcpd_t)
> dev_read_urand(courier_tcpd_t)
>
> +files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
> +
> miscfiles_read_localization(courier_tcpd_t)
>
> ########################################
> --
> 2.0.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150101/26b55a01/attachment.bin
On Wed, Dec 31, 2014 at 05:09:52PM +0100, Sven Vermeulen wrote:
> Small updates to courier policy in order to have the Courier IMAPd work with the policy.
Thanks. This set was merged except for patch 1/6 because it is redundant when you build courier with "with-piddir=/var/run/courier/"
If you don't then /var/run/imapd.pid conflicts uwimaps' /var/run/imapd.pid
>
> Changes since v1:
> - add file contexts for imapd.pid and imapd.pid.lock
> - use courier_var_lib_t in stream_connect pattern
> - drop user content access for courier now that there is mail_home_rw_t access
>
> Sven Vermeulen (6):
> Courier TCPd startup creates imapd.pid.lock and imapd.lock
> Locate authdaemon socket and communicate with authdaemon
> Allow authdaemon to access selinux fs to check SELinux state
> Grant setuid/setgid to courier_pop_t
> Execute courier helper script after authentication
> Courier IMAP needs to manage the users' maildir
>
> courier.fc | 2 ++
> courier.te | 12 ++++++++++--
> 2 files changed, 12 insertions(+), 2 deletions(-)
>
> --
> 2.0.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150101/e6f7c6e6/attachment.bin