Package: selinux-policy-refpolicy-targeted
Version: 0.0.20061018-2
Severity: normal
The targeted refpolicy has a number of issues that prevent courier's IMAP and
SSL servers from working:
* courier.fc specifies labelling for most of courier's files, but virtually
all of these have the "--" constraint which makes them apply only to
(regular) files. This means that /var/run/courier/authdaemon doesn't get
labelled, and hence when the authdaemon socket is created therein, it has
the type var_run_t. The other courier components aren't allowed to read
var_run_t (they have courier_var_run_t instead), so authentication breaks.
Removing the -- from this line in courier.fc seems to fix it:
/var/run/courier(/.*)? --
gen_context(system_u:object_r:courier_var_run_t,s0)
* courier.fc also has a specific label the authdaemon executables, whose path
expression /usr/lib(64)?/courier/authlib/.* doesn't match the Debian
packages; the correct pattern for Debian's paths would be
/usr/lib(64)?/courier/courier-authlib/.* . This leaves authdaemon running
in initrc_t or something equally unhelpful. Changing this line in
courier.fc takes care of it:
- /usr/lib(64)?/courier/authlib/.* --
gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib(64)?/courier/(courier-)?authlib/.* --
gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
* The POP & IMAP servers still can't connect to authdaemon, because they're in
courier_pop_t while authdaemon is in courier_authdaemon_t (with the above
fix). The fc gives courier_pop_t read/write permissions on
courier_authdaemon_t:tcp_socket, but authdaemon listens on a UNIX domain
socket; I'm not entirely sure it _can_ listen for TCP. This policy seems
to fix it, although adding another line in upstream's courier.te allowing
the same access from courier_pop_t to courier_authdaemon_t:unix_stream_socket
that's now permitted on tcp_socket would probably be preferable.
allow courier_pop_t courier_authdaemon_t:unix_stream_socket { connectto read
write };
* authdaemon doesn't work in itself, because although it can connect to its
own UNIX domain socket, it can't accept connections or do anything else with
them. Um, yeah. This fixes it for me:
- allow courier_authdaemon_t self:unix_stream_socket connectto;
+ allow courier_authdaemon_t self:unix_stream_socket { connectto listen accept
read write };
* courier-imap-ssl (and probably the SSL POP daemon also, but I didn't try
that one) use an SSL session cache in /var/lib/courier/; it's created by
the first writer. However, because the fc only labels files, the directory
itself stays labelled as var_lib_t and the cache can't be created (and if it
could, it would have the wrong type.) Here's the offending line; removing
the "--" and relabelling fixes this one:
/var/lib/courier(/.*)? --
gen_context(system_u:object_r:courier_var_lib_t,s0)
* Once connected, the IMAP server can't setuid/setgid to the proper account,
if so specified by the userdb, because it hasn't been granted either of
those capabilities. courier_pcp_t (that's a C) can, but courier_pop_t
can't. Hence:
allow courier_pop_t self:capability { setgid setuid };
* The IMAP server also can't read symlinks in user_home_t. These are often
placed inside a Maildir to expose another maildir/mbox as a subfolder. This
restores that ability, to no significant loss of security I can see on the
face of it:
allow courier_pop_t user_home_t:lnk_file read;
* Finally, courier-imap has sometime recently started using fam to watch for
changes in the Maildir. This involves going through portmap, connecting to
arbitrary ports to talk to famd, etc. Bleh. It's optional, and if the
attempt fails it will poll the directory instead, but it makes a fair
amount of noise in the logs (the attempt is repeated on every write to
the maildir)
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages selinux-policy-refpolicy-targeted depends on:
ii libpam-modules 0.79-4 Pluggable Authentication Modules f
ii libselinux1 1.32-3 SELinux shared libraries
ii policycoreutils 1.32-1 SELinux core policy utilities
ii python 2.4.4-2 An interactive high-level object-o
Versions of packages selinux-policy-refpolicy-targeted recommends:
ii checkpolicy 1.32-1 SELinux policy compiler
pn setools <none> (no description available)
-- debconf-show failed
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
