From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 30 Dec 2014 21:21:37 +0100
Subject: [refpolicy] [PATCH 4/6] Grant setuid/setgid to courier_pop_t
In-Reply-To: <1419970899-19892-1-git-send-email-sven.vermeulen@siphos.be>
References: <1419970899-19892-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1419970899-19892-5-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When trying to log on to the IMAP service, the authentication fails and
the following shows up in the courier logs:

Dec 30 19:40:56 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:40:56 localhost imapd: initgroups: Operation not permitted

In the audit logs, the following shows up:

type=AVC msg=audit(1419968456.850:190): avc:  denied  { setgid } for
pid=4028 comm="imaplogin" capability=6
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability

type=AVC msg=audit(1419968532.622:192): avc:  denied  { setuid } for
pid=4118 comm="imaplogin" capability=7
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability

The daemon wants to switch user to access the necessary maildir's.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/courier.te b/courier.te
index 07752c2..6082d5c 100644
--- a/courier.te
+++ b/courier.te
@@ -132,6 +132,7 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
 
+allow courier_pop_t self:capability { setgid setuid };
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
-- 
2.0.5