Package: selinux-policy-refpolicy-targeted Version: 0.0.20061018-2 Severity: normal
The targeted refpolicy has a number of issues that prevent courier's IMAP and SSL servers from working: * courier.fc specifies labelling for most of courier's files, but virtually all of these have the "--" constraint which makes them apply only to (regular) files. This means that /var/run/courier/authdaemon doesn't get labelled, and hence when the authdaemon socket is created therein, it has the type var_run_t. The other courier components aren't allowed to read var_run_t (they have courier_var_run_t instead), so authentication breaks. Removing the -- from this line in courier.fc seems to fix it: /var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) * courier.fc also has a specific label the authdaemon executables, whose path expression /usr/lib(64)?/courier/authlib/.* doesn't match the Debian packages; the correct pattern for Debian's paths would be /usr/lib(64)?/courier/courier-authlib/.* . This leaves authdaemon running in initrc_t or something equally unhelpful. Changing this line in courier.fc takes care of it: - /usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) + /usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) * The POP & IMAP servers still can't connect to authdaemon, because they're in courier_pop_t while authdaemon is in courier_authdaemon_t (with the above fix). The fc gives courier_pop_t read/write permissions on courier_authdaemon_t:tcp_socket, but authdaemon listens on a UNIX domain socket; I'm not entirely sure it _can_ listen for TCP. This policy seems to fix it, although adding another line in upstream's courier.te allowing the same access from courier_pop_t to courier_authdaemon_t:unix_stream_socket that's now permitted on tcp_socket would probably be preferable. allow courier_pop_t courier_authdaemon_t:unix_stream_socket { connectto read write }; * authdaemon doesn't work in itself, because although it can connect to its own UNIX domain socket, it can't accept connections or do anything else with them. Um, yeah. This fixes it for me: - allow courier_authdaemon_t self:unix_stream_socket connectto; + allow courier_authdaemon_t self:unix_stream_socket { connectto listen accept read write }; * courier-imap-ssl (and probably the SSL POP daemon also, but I didn't try that one) use an SSL session cache in /var/lib/courier/; it's created by the first writer. However, because the fc only labels files, the directory itself stays labelled as var_lib_t and the cache can't be created (and if it could, it would have the wrong type.) Here's the offending line; removing the "--" and relabelling fixes this one: /var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) * Once connected, the IMAP server can't setuid/setgid to the proper account, if so specified by the userdb, because it hasn't been granted either of those capabilities. courier_pcp_t (that's a C) can, but courier_pop_t can't. Hence: allow courier_pop_t self:capability { setgid setuid }; * The IMAP server also can't read symlinks in user_home_t. These are often placed inside a Maildir to expose another maildir/mbox as a subfolder. This restores that ability, to no significant loss of security I can see on the face of it: allow courier_pop_t user_home_t:lnk_file read; * Finally, courier-imap has sometime recently started using fam to watch for changes in the Maildir. This involves going through portmap, connecting to arbitrary ports to talk to famd, etc. Bleh. It's optional, and if the attempt fails it will poll the directory instead, but it makes a fair amount of noise in the logs (the attempt is repeated on every write to the maildir) -- System Information: Debian Release: 4.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-3-amd64 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Versions of packages selinux-policy-refpolicy-targeted depends on: ii libpam-modules 0.79-4 Pluggable Authentication Modules f ii libselinux1 1.32-3 SELinux shared libraries ii policycoreutils 1.32-1 SELinux core policy utilities ii python 2.4.4-2 An interactive high-level object-o Versions of packages selinux-policy-refpolicy-targeted recommends: ii checkpolicy 1.32-1 SELinux policy compiler pn setools <none> (no description available) -- debconf-show failed -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]