From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 30 Dec 2014 21:47:57 +0100
Subject: [refpolicy] [PATCH 2/6] Locate authdaemon socket and communicate with authdaemon
In-Reply-To: <1419970899-19892-3-git-send-email-sven.vermeulen@siphos.be>
References: <1419970899-19892-1-git-send-email-sven.vermeulen@siphos.be> <1419970899-19892-3-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <20141230204747.GB12724@bigboy.network2>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Dec 30, 2014 at 09:21:35PM +0100, Sven Vermeulen wrote:
> Without this, authentication fails. The following is shown in the logs:
>
> Dec 30 19:36:54 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
> Dec 30 19:36:54 localhost imapd: authdaemon: s_connect() failed: Permission denied
> Dec 30 19:36:54 localhost imapd: LOGIN FAILED, user=root, ip=[::ffff:192.168.100.152]
> Dec 30 19:36:54 localhost imapd: authentication error: Permission denied
>
> Through logon, the daemon (courier_pop_t) wants to locate the socket in
> /var/lib/courier to initiate communication with the authdaemon.
>
> Signed-off-by: Sven Vermeulen
> ---
> courier.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/courier.te b/courier.te
> index 112a60b..c4ab936 100644
> --- a/courier.te
> +++ b/courier.te
> @@ -137,6 +137,8 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s > > allow courier_pop_t courier_var_lib_t:file { read write }; > > +stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t) Could you explain what a sock file with type courier_var_run_t is doing in a directory with type courier_var_lib_t? I suspect that above should probably instead be "stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t courier_authdaemon_t)" If my assumption is wrong then please explain why > + > domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) > > miscfiles_read_localization(courier_pop_t) > -- > 2.0.5 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 648 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20141230/59154518/attachment.bin
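Review bot: in the added stream_connect_pattern() line the third argument, courier_var_run_t, is the type the macro grants sock_file access on, while the second argument and the commit message both place the socket under /var/lib/courier (courier_var_lib_t). The commit message quotes only the imapd application log, so nothing visible shows which label the socket file actually carries. Please add the AVC denials (dir search, sock_file write, unix_stream_socket connectto) to the commit message; if the socket is labelled courier_var_lib_t, change the third argument to courier_var_lib_t, and if it really is courier_var_run_t, say where that label comes from.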
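An added example, not part of this thread or of refpolicy: one way to settle which types belong in the second and third arguments of stream_connect_pattern() is to read them off the AVC denials instead of the application log. The sample records and the example_dir_t / example_sock_t type names are constructed placeholders, not labels taken from a real system.

```python
import re

# Constructed AVC records (not from the thread). The example_* types are
# placeholders; on a real host they come from the audit log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1419964614.101:41): avc:  denied  { search } for  pid=2101 comm="imapd" name="courier" dev="dm-0" ino=1311 scontext=system_u:system_r:courier_pop_t:s0 tcontext=system_u:object_r:example_dir_t:s0 tclass=dir
type=AVC msg=audit(1419964614.102:42): avc:  denied  { write } for  pid=2101 comm="imapd" name="socket" dev="dm-0" ino=1312 scontext=system_u:system_r:courier_pop_t:s0 tcontext=system_u:object_r:example_sock_t:s0 tclass=sock_file
type=AVC msg=audit(1419964614.103:43): avc:  denied  { connectto } for  pid=2101 comm="imapd" scontext=system_u:system_r:courier_pop_t:s0 tcontext=system_u:system_r:courier_authdaemon_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)"
)

# (object class, permission) -> which stream_connect_pattern argument it fills.
WANTED = {
    ("dir", "search"): "dir",
    ("sock_file", "write"): "sock_file",
    ("unix_stream_socket", "connectto"): "target",
}

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def stream_connect_args(avc_text, source_type):
    """Derive (source, dir type, sock_file type, target domain) from denials."""
    found = {}
    for m in AVC_RE.finditer(avc_text):
        if se_type(m["s"]) != source_type:
            continue
        for perm in m["perms"].split():
            slot = WANTED.get((m["cls"], perm))
            if slot:
                found[slot] = se_type(m["t"])
    missing = [s for s in ("dir", "sock_file", "target") if s not in found]
    if missing:
        raise ValueError("no denial seen for: " + ", ".join(missing))
    return (source_type, found["dir"], found["sock_file"], found["target"])

def render(args):
    return "stream_connect_pattern({})".format(", ".join(args))

if __name__ == "__main__":
    print(render(stream_connect_args(SAMPLE_AVCS, "courier_pop_t")))
```

In enforcing mode the first denial stops the access, so all three records normally only appear together when the source domain is permissive.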