From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 31 Dec 2014 17:09:56 +0100
Subject: [refpolicy] [PATCH v2 4/6] Grant setuid/setgid to courier_pop_t
In-Reply-To: <1420042198-4676-1-git-send-email-sven.vermeulen@siphos.be>
References: <1420042198-4676-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1420042198-4676-5-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When trying to log on to the IMAP service, the authentication fails and
the following shows up in the courier logs:

Dec 30 19:40:56 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:40:56 localhost imapd: initgroups: Operation not permitted

In the audit logs, the following shows up:

type=AVC msg=audit(1419968456.850:190): avc:  denied  { setgid } for
pid=4028 comm="imaplogin" capability=6
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability

type=AVC msg=audit(1419968532.622:192): avc:  denied  { setuid } for
pid=4118 comm="imaplogin" capability=7
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability

The daemon wants to switch user to access the necessary maildir's.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/courier.te b/courier.te
index b46eada..7967fc6 100644
--- a/courier.te
+++ b/courier.te
@@ -132,6 +132,7 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
 
+allow courier_pop_t self:capability { setgid setuid };
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
-- 
2.0.5