* [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes
@ 2014-12-31 16:09 Sven Vermeulen
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 1/6] Courier TCPd startup creates imapd.pid.lock and imapd.lock Sven Vermeulen
                   ` (7 more replies)
  0 siblings, 8 replies; 10+ messages in thread
From: Sven Vermeulen @ 2014-12-31 16:09 UTC (permalink / raw)
  To: refpolicy

Small updates to courier policy in order to have the Courier IMAPd work with the policy.

Changes since v1:
  - add file contexts for imapd.pid and imapd.pid.lock
  - use courier_var_lib_t in stream_connect pattern
  - drop user content access for courier now that there is mail_home_rw_t access

Sven Vermeulen (6):
  Courier TCPd startup creates imapd.pid.lock and imapd.lock
  Locate authdaemon socket and communicate with authdaemon
  Allow authdaemon to access selinux fs to check SELinux state
  Grant setuid/setgid to courier_pop_t
  Execute courier helper script after authentication
  Courier IMAP needs to manage the users' maildir

 courier.fc |  2 ++
 courier.te | 12 ++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

-- 
2.0.5


* [refpolicy] [PATCH v2 1/6] Courier TCPd startup creates imapd.pid.lock and imapd.lock
  2014-12-31 16:09 [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes Sven Vermeulen
@ 2014-12-31 16:09 ` Sven Vermeulen
  2015-01-01 17:41   ` Dominick Grift
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 2/6] Locate authdaemon socket and communicate with authdaemon Sven Vermeulen
                   ` (6 subsequent siblings)
  7 siblings, 1 reply; 10+ messages in thread
From: Sven Vermeulen @ 2014-12-31 16:09 UTC (permalink / raw)
  To: refpolicy

Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.fc | 2 ++
 courier.te | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/courier.fc b/courier.fc
index 2f017a0..abdc37e 100644
--- a/courier.fc
+++ b/courier.fc
@@ -27,6 +27,8 @@
 /var/lib/courier-imap(/.*)?	gen_context(system_u:object_r:courier_var_lib_t,s0)
 
 /var/run/courier(/.*)?	gen_context(system_u:object_r:courier_var_run_t,s0)
+/var/run/imapd\.pid	--	gen_context(system_u:object_r:courier_var_run_t,s0)
+/var/run/imapd\.pid\.lock	--	gen_context(system_u:object_r:courier_var_run_t,s0)
 
 /var/spool/authdaemon(/.*)?	gen_context(system_u:object_r:courier_spool_t,s0)
 /var/spool/courier(/.*)?	gen_context(system_u:object_r:courier_spool_t,s0)
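Review bot: the commit message names imapd.pid.lock and imapd.lock, but the two new patterns label imapd.pid and imapd.pid.lock; either the message or the patterns needs correcting so the two agree. Also, a bare /var/run/imapd\.pid entry collides with the existing uwimap specification for the same path (raised further down this thread); building courier with --with-piddir=/var/run/courier keeps the pid file under the already-labelled /var/run/courier(/.*)? entry and avoids the conflict without any new .fc lines.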
diff --git a/courier.te b/courier.te
index ae3bc70..112a60b 100644
--- a/courier.te
+++ b/courier.te
@@ -172,6 +172,8 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
 dev_read_rand(courier_tcpd_t)
 dev_read_urand(courier_tcpd_t)
 
+files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
+
 miscfiles_read_localization(courier_tcpd_t)
 
 ########################################
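Review bot: files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file) is given no name argument, so every file courier_tcpd_t creates directly in /var/run will be labelled courier_var_run_t, not only the pid and lock files; pass the file names as the optional fourth argument, e.g. `files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file, "imapd.pid.lock")`, so the transition matches only those names. The hunk also shows no rule granting courier_tcpd_t create/write access on courier_var_run_t files; a file transition does not grant that by itself, so confirm those permissions already exist elsewhere in the module.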
-- 
2.0.5


* [refpolicy] [PATCH v2 2/6] Locate authdaemon socket and communicate with authdaemon
  2014-12-31 16:09 [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes Sven Vermeulen
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 1/6] Courier TCPd startup creates imapd.pid.lock and imapd.lock Sven Vermeulen
@ 2014-12-31 16:09 ` Sven Vermeulen
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 3/6] Allow authdaemon to access selinux fs to check SELinux state Sven Vermeulen
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2014-12-31 16:09 UTC (permalink / raw)
  To: refpolicy

Without this, authentication fails. The following is shown in the logs:

Dec 30 19:36:54 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:36:54 localhost imapd: authdaemon: s_connect() failed: Permission denied
Dec 30 19:36:54 localhost imapd: LOGIN FAILED, user=root, ip=[::ffff:192.168.100.152]
Dec 30 19:36:54 localhost imapd: authentication error: Permission denied

Through logon, the daemon (courier_pop_t) wants to locate the socket in
/var/lib/courier to initiate communication with the authdaemon.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/courier.te b/courier.te
index 112a60b..b12dd7f 100644
--- a/courier.te
+++ b/courier.te
@@ -137,6 +137,8 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s
 
 allow courier_pop_t courier_var_lib_t:file { read write };
 
+stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)
+
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
 
 miscfiles_read_localization(courier_pop_t)
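Review bot: stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t) uses courier_var_lib_t as both the directory type and the sock_file type, so courier_pop_t may connect to any socket of that type, not only authdaemon's; acceptable if that is the only socket courier keeps there, but a dedicated socket type would be tighter. The message says the socket lives in /var/lib/courier, while the .fc context earlier in this series only shows /var/lib/courier-imap(/.*)? carrying courier_var_lib_t; confirm /var/lib/courier is labelled the same way, otherwise the directory search in this pattern will still be denied.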
-- 
2.0.5


* [refpolicy] [PATCH v2 3/6] Allow authdaemon to access selinux fs to check SELinux state
  2014-12-31 16:09 [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes Sven Vermeulen
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 1/6] Courier TCPd startup creates imapd.pid.lock and imapd.lock Sven Vermeulen
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 2/6] Locate authdaemon socket and communicate with authdaemon Sven Vermeulen
@ 2014-12-31 16:09 ` Sven Vermeulen
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 4/6] Grant setuid/setgid to courier_pop_t Sven Vermeulen
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2014-12-31 16:09 UTC (permalink / raw)
  To: refpolicy

When attempting to authenticate, the PAM module checks if SELinux is
enabled (pam_unix, in order to verify if the chkpwd helper utility needs
to be called). If it fails to check the SELinux state, then authdaemon
will try to access shadow directly (again, through pam_unix).

This only occurs when a user tries to log on as root (on IMAP server) as
non-root users automatically have chkpwd executed.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/courier.te b/courier.te
index b12dd7f..b46eada 100644
--- a/courier.te
+++ b/courier.te
@@ -114,6 +114,8 @@ libs_read_lib_files(courier_authdaemon_t)
 
 miscfiles_read_localization(courier_authdaemon_t)
 
+selinux_getattr_fs(courier_authdaemon_t)
+
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
 ########################################
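Review bot: selinux_getattr_fs(courier_authdaemon_t) is the narrowest grant that lets pam_unix's SELinux-enabled check succeed, which is the right fix; the fallback the message describes (pam_unix reading shadow directly from the authdaemon domain) would need far broader access and should remain denied. Worth carrying the message's explanation, that this path is only hit for root logins because non-root users go through chkpwd, as a comment above the rule so the reason for the call survives in the policy.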
-- 
2.0.5


* [refpolicy] [PATCH v2 4/6] Grant setuid/setgid to courier_pop_t
  2014-12-31 16:09 [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes Sven Vermeulen
                   ` (2 preceding siblings ...)
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 3/6] Allow authdaemon to access selinux fs to check SELinux state Sven Vermeulen
@ 2014-12-31 16:09 ` Sven Vermeulen
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 5/6] Execute courier helper script after authentication Sven Vermeulen
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2014-12-31 16:09 UTC (permalink / raw)
  To: refpolicy

When trying to log on to the IMAP service, the authentication fails and
the following shows up in the courier logs:

Dec 30 19:40:56 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:40:56 localhost imapd: initgroups: Operation not permitted

In the audit logs, the following shows up:

type=AVC msg=audit(1419968456.850:190): avc:  denied  { setgid } for
pid=4028 comm="imaplogin" capability=6
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability

type=AVC msg=audit(1419968532.622:192): avc:  denied  { setuid } for
pid=4118 comm="imaplogin" capability=7
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability

The daemon wants to switch user to access the necessary maildirs.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/courier.te b/courier.te
index b46eada..7967fc6 100644
--- a/courier.te
+++ b/courier.te
@@ -132,6 +132,7 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
 
+allow courier_pop_t self:capability { setgid setuid };
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
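Review bot: `allow courier_pop_t self:capability { setgid setuid };` matches the two AVCs (capability=6 setgid and capability=7 setuid from comm="imaplogin"), but a one-line comment naming the initgroups/setuid switch to the mailbox owner as the reason would help, since self:capability grants are the rules most likely to be questioned later. Note the trade-off this makes explicit: imaplogin switches to the mailbox user inside courier_pop_t rather than transitioning to a separate domain, so the same domain holds both the setuid capability and the per-user mailbox access.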
-- 
2.0.5


* [refpolicy] [PATCH v2 5/6] Execute courier helper script after authentication
  2014-12-31 16:09 [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes Sven Vermeulen
                   ` (3 preceding siblings ...)
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 4/6] Grant setuid/setgid to courier_pop_t Sven Vermeulen
@ 2014-12-31 16:09 ` Sven Vermeulen
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 6/6] Courier IMAP needs to manage the users' maildir Sven Vermeulen
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2014-12-31 16:09 UTC (permalink / raw)
  To: refpolicy

After successful authentication, the IMAP daemon will attempt to execute
a helper script called /usr/lib64/courier-imap/courier-imapd.indirect.
This helper script is to initiate the user session.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/courier.te b/courier.te
index 7967fc6..6053939 100644
--- a/courier.te
+++ b/courier.te
@@ -144,6 +144,8 @@ stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, cour
 
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
 
+corecmd_exec_shell(courier_pop_t)
+
 miscfiles_read_localization(courier_pop_t)
 
 userdom_manage_user_home_content_files(courier_pop_t)
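Review bot: corecmd_exec_shell(courier_pop_t) lets the domain run the shell interpreter, but the script at /usr/lib64/courier-imap/courier-imapd.indirect must also be executable by courier_pop_t under whatever type that directory carries, which this hunk does not show; confirm its label (or add an .fc entry and a matching exec rule) rather than relying on the shell grant alone. Granting a full shell to the POP3/IMAP daemon domain is a fairly wide permission; if the helper only sets up the session, consider whether it can run in a dedicated domain via a domtrans instead of inside courier_pop_t.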
-- 
2.0.5


* [refpolicy] [PATCH v2 6/6] Courier IMAP needs to manage the users' maildir
  2014-12-31 16:09 [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes Sven Vermeulen
                   ` (4 preceding siblings ...)
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 5/6] Execute courier helper script after authentication Sven Vermeulen
@ 2014-12-31 16:09 ` Sven Vermeulen
  2014-12-31 18:00 ` [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes Dominick Grift
  2015-01-01 18:29 ` Dominick Grift
  7 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2014-12-31 16:09 UTC (permalink / raw)
  To: refpolicy

Without these permissions, the logon immediately terminates and the
following shows up in the logs:

Dec 30 19:45:33 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:45:33 localhost imapd: chdir .maildir: Permission denied
Dec 30 19:45:33 localhost imapd: root: Permission denied

The first denial (and many similar ones follow when granted):

type=AVC msg=audit(1419968733.163:197): avc:  denied  { search } for
pid=4292 comm="courier-imapd" name=".maildir" dev="vda3" ino=393221
scontext=system_u:system_r:courier_pop_t:s0
tcontext=root:object_r:mail_home_rw_t:s0 tclass=dir

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/courier.te b/courier.te
index 6053939..91c0ee8 100644
--- a/courier.te
+++ b/courier.te
@@ -148,8 +148,7 @@ corecmd_exec_shell(courier_pop_t)
 
 miscfiles_read_localization(courier_pop_t)
 
-userdom_manage_user_home_content_files(courier_pop_t)
-userdom_manage_user_home_content_dirs(courier_pop_t)
+mta_manage_mail_home_rw_content(courier_pop_t)
 
 ########################################
 #
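Review bot: replacing the two userdom_manage_user_home_content_* calls with mta_manage_mail_home_rw_content(courier_pop_t) narrows the grant from all user home content to mail_home_rw_t, which is what the AVC shows for .maildir (tcontext=root:object_r:mail_home_rw_t), so this is the tighter rule. Confirm that courier_pop_t still gets search on the users' home directories themselves, which the "chdir .maildir" in the log requires and which the removed userdom interfaces were providing.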
-- 
2.0.5


* [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes
  2014-12-31 16:09 [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes Sven Vermeulen
                   ` (5 preceding siblings ...)
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 6/6] Courier IMAP needs to manage the users' maildir Sven Vermeulen
@ 2014-12-31 18:00 ` Dominick Grift
  2015-01-01 18:29 ` Dominick Grift
  7 siblings, 0 replies; 10+ messages in thread
From: Dominick Grift @ 2014-12-31 18:00 UTC (permalink / raw)
  To: refpolicy

On Wed, Dec 31, 2014 at 05:09:52PM +0100, Sven Vermeulen wrote:
> Small updates to courier policy in order to have the Courier IMAPd work with the policy.

There is an issue with the tresys mail list. It does not relay all messages

This one did not make it to you I suspect:

http://oss.tresys.com/pipermail/refpolicy/2014-December/007541.html


> 
> Changes since v1:
>   - add file contexts for imapd.pid and imapd.pid.lock
>   - use courier_var_lib_t in stream_connect pattern
>   - drop user content access for courier now that there is mail_home_rw_t access
> 
> Sven Vermeulen (6):
>   Courier TCPd startup creates imapd.pid.lock and imapd.lock
>   Locate authdaemon socket and communicate with authdaemon
>   Allow authdaemon to access selinux fs to check SELinux state
>   Grant setuid/setgid to courier_pop_t
>   Execute courier helper script after authentication
>   Courier IMAP needs to manage the users' maildir
> 
>  courier.fc |  2 ++
>  courier.te | 12 ++++++++++--
>  2 files changed, 12 insertions(+), 2 deletions(-)
> 
> -- 
> 2.0.5
> 

-- 
Dominick Grift


* [refpolicy] [PATCH v2 1/6] Courier TCPd startup creates imapd.pid.lock and imapd.lock
  2014-12-31 16:09 ` [refpolicy] [PATCH v2 1/6] Courier TCPd startup creates imapd.pid.lock and imapd.lock Sven Vermeulen
@ 2015-01-01 17:41   ` Dominick Grift
  0 siblings, 0 replies; 10+ messages in thread
From: Dominick Grift @ 2015-01-01 17:41 UTC (permalink / raw)
  To: refpolicy

On Wed, Dec 31, 2014 at 05:09:53PM +0100, Sven Vermeulen wrote:
> Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  courier.fc | 2 ++
>  courier.te | 2 ++
>  2 files changed, 4 insertions(+)
> 
> diff --git a/courier.fc b/courier.fc
> index 2f017a0..abdc37e 100644
> --- a/courier.fc
> +++ b/courier.fc
> @@ -27,6 +27,8 @@
>  /var/lib/courier-imap(/.*)?	gen_context(system_u:object_r:courier_var_lib_t,s0)
>  
>  /var/run/courier(/.*)?	gen_context(system_u:object_r:courier_var_run_t,s0)
> +/var/run/imapd\.pid	--	gen_context(system_u:object_r:courier_var_run_t,s0)

This conflicts with uwimap pid file context specification

Not sure how to deal with this, but I would prefer:

Did you build with: --with-piddir=dir - use dir/imapd.pid to store couriertcpd's process ID.

Probably better to set --with-piddir=/var/run/courier

That will make this patch redundant

> +/var/run/imapd\.pid\.lock	--	gen_context(system_u:object_r:courier_var_run_t,s0)
>  
>  /var/spool/authdaemon(/.*)?	gen_context(system_u:object_r:courier_spool_t,s0)
>  /var/spool/courier(/.*)?	gen_context(system_u:object_r:courier_spool_t,s0)
> diff --git a/courier.te b/courier.te
> index ae3bc70..112a60b 100644
> --- a/courier.te
> +++ b/courier.te
> @@ -172,6 +172,8 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
>  dev_read_rand(courier_tcpd_t)
>  dev_read_urand(courier_tcpd_t)
>  
> +files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
> +
>  miscfiles_read_localization(courier_tcpd_t)
>  
>  ########################################
> -- 
> 2.0.5
> 

-- 
Dominick Grift


* [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes
  2014-12-31 16:09 [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes Sven Vermeulen
                   ` (6 preceding siblings ...)
  2014-12-31 18:00 ` [refpolicy] [PATCH v2 0/6] Courier IMAPd related policy changes Dominick Grift
@ 2015-01-01 18:29 ` Dominick Grift
  7 siblings, 0 replies; 10+ messages in thread
From: Dominick Grift @ 2015-01-01 18:29 UTC (permalink / raw)
  To: refpolicy

On Wed, Dec 31, 2014 at 05:09:52PM +0100, Sven Vermeulen wrote:
> Small updates to courier policy in order to have the Courier IMAPd work with the policy.

Thanks. This set was merged except for patch 1/6 because it is redundant when you build courier with "with-piddir=/var/run/courier/"

If you don't, then /var/run/imapd.pid conflicts with uwimap's /var/run/imapd.pid

> 
> Changes since v1:
>   - add file contexts for imapd.pid and imapd.pid.lock
>   - use courier_var_lib_t in stream_connect pattern
>   - drop user content access for courier now that there is mail_home_rw_t access
> 
> Sven Vermeulen (6):
>   Courier TCPd startup creates imapd.pid.lock and imapd.lock
>   Locate authdaemon socket and communicate with authdaemon
>   Allow authdaemon to access selinux fs to check SELinux state
>   Grant setuid/setgid to courier_pop_t
>   Execute courier helper script after authentication
>   Courier IMAP needs to manage the users' maildir
> 
>  courier.fc |  2 ++
>  courier.te | 12 ++++++++++--
>  2 files changed, 12 insertions(+), 2 deletions(-)
> 
> -- 
> 2.0.5
> 

-- 
Dominick Grift
